{"schema_version":"1.7.2","id":"OESA-2025-2769","modified":"2025-11-28T12:53:15Z","published":"2025-11-28T12:53:15Z","upstream":["CVE-2023-53321","CVE-2025-22121","CVE-2025-39751","CVE-2025-40019","CVE-2025-40183","CVE-2025-40194"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211_hwsim: drop short frames\n\nWhile technically some control frames like ACK are shorter and\nend after Address 1, such frames shouldn't be forwarded through\nwmediumd or similar userspace, so require the full 3-address\nheader to avoid accessing invalid memory if shorter frames are\npassed in.(CVE-2023-53321)\n\nIn the Linux kernel, the following vulnerability has been resolved:ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()There s issue as follows:BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172CPU: 3 PID: 15172 Comm: syz-executor.0Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff                   ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffAbove issue happens as ext4_xattr_delete_inode() isn t check xattris valid if xattr is in inode.To solve above issue call xattr_check_inode() check if xattr if validin inode. In fact, we can directly verify in ext4_iget_extra_inode(),so that there is no divergent verification.(CVE-2025-22121)\n\nRejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.(CVE-2025-39751)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: essiv - Check ssize for decryption and in-place encryption\n\nMove the ssize check to the start in essiv_aead_crypt so that\nit's also checked for decryption and in-place encryption.(CVE-2025-40019)\n\nIn the Linux kernel, a memory leak vulnerability exists. Cilium's BPF egress gateway feature redirects K8s Pod traffic through vxlan tunnels to dedicated egress gateways. When using the bpf_redirect_neigh() helper to forward packets, vxlan allocates metadata_dst objects and attaches them to skb through fake dst entries. However, since bpf_redirect_neigh() only sets new dst entries without first dropping existing ones, the metadata_dst objects are never released, causing continuous increase in kmalloc-256 slab usage.(CVE-2025-40183)\n\nIn the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request(). The cpufreq_cpu_put() call in update_qos_request() takes place too early because the latter subsequently calls freq_qos_update_request() that indirectly accesses the policy object in question through the QoS request object passed to it. Fortunately, update_qos_request() is called under intel_pstate_driver_lock, so this issue does not matter for changing the intel_pstate operation mode, but it theoretically can cause a crash to occur on CPU device hot removal (which currently can only happen in virt, but it is formally supported nevertheless). Address this issue by modifying update_qos_request() to drop the reference to the policy later.(CVE-2025-40194)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP3","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-292.0.0.194.oe2203sp3"}]}],"ecosystem_specific":{"aarch64":["kernel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-debugsource-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-devel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-headers-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-source-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-tools-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-tools-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","kernel-tools-devel-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","perf-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","python3-perf-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm","python3-perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.aarch64.rpm"],"src":["kernel-5.10.0-292.0.0.194.oe2203sp3.src.rpm"],"x86_64":["kernel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-debugsource-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-devel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-headers-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-source-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-tools-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-tools-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","kernel-tools-devel-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","perf-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","python3-perf-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm","python3-perf-debuginfo-5.10.0-292.0.0.194.oe2203sp3.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2769"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53321"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22121"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39751"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40019"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40183"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40194"}],"database_specific":{"severity":"High"}}