Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-38499 (GCVE-0-2025-38499)
Vulnerability from cvelistv5 – Published: 2025-08-11 16:01 – Updated: 2026-05-23 15:59
VLAI
EPSS
Title
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
Summary
In the Linux kernel, the following vulnerability has been resolved:
clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
What we want is to verify there is that clone won't expose something
hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo"
may be a result of MNT_LOCKED on a child, but it may also come from
lacking admin rights in the userns of the namespace mount belongs to.
clone_private_mnt() checks the former, but not the latter.
There's a number of rather confusing CAP_SYS_ADMIN checks in various
userns during the mount, especially with the new mount API; they serve
different purposes and in case of clone_private_mnt() they usually,
but not always end up covering the missing check mentioned above.
Severity
5.5 (Medium)
Assigner
References
8 references
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
427215d85e8d1476da1a86b8d67aceb485eb3631 , < 36fecd740de2d542d2091d65d36554ee2bcf9c65
(git)
Affected: 427215d85e8d1476da1a86b8d67aceb485eb3631 , < d717325b5ecf2a40daca85c61923e17f32306179 (git) Affected: 427215d85e8d1476da1a86b8d67aceb485eb3631 , < dc6a664089f10eab0fb36b6e4f705022210191d2 (git) Affected: 427215d85e8d1476da1a86b8d67aceb485eb3631 , < e77078e52fbf018ab986efb3c79065ab35025607 (git) Affected: 427215d85e8d1476da1a86b8d67aceb485eb3631 , < 38628ae06e2a37770cd794802a3f1310cf9846e3 (git) Affected: 427215d85e8d1476da1a86b8d67aceb485eb3631 , < c28f922c9dcee0e4876a2c095939d77fe7e15116 (git) Affected: c6e8810d25295acb40a7b69ed3962ff181919571 (git) Affected: e3eee87c846dc47f6d8eb6d85e7271f24122a279 (git) Affected: 517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce (git) Affected: 963d85d630dabe75a3cfde44a006fec3304d07b8 (git) Affected: 812f39ed5b0b7f34868736de3055c92c7c4cf459 (git) Affected: 6a002d48a66076524f67098132538bef17e8445e (git) Affected: 41812f4b84484530057513478c6770590347dc30 (git) Affected: 4.4.281 , < 4.5 (semver) Affected: 4.9.280 , < 4.10 (semver) Affected: 4.14.244 , < 4.15 (semver) Affected: 4.19.204 , < 4.20 (semver) Affected: 5.4.141 , < 5.5 (semver) Affected: 5.10.59 , < 5.11 (semver) Affected: 5.13.11 , < 5.14 (semver) |
|
| Linux | Linux |
Affected:
5.14
Unaffected: 0 , < 5.14 (semver) Unaffected: 5.15.190 , ≤ 5.15.* (semver) Unaffected: 6.1.147 , ≤ 6.1.* (semver) Unaffected: 6.6.100 , ≤ 6.6.* (semver) Unaffected: 6.12.40 , ≤ 6.12.* (semver) Unaffected: 6.15.3 , ≤ 6.15.* (semver) Unaffected: 6.16 , ≤ * (original_commit_for_fix) |
|
| Siemens | SIMATIC S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
|
| Siemens | SIPLUS S7-1500 CPU 1518-4 PN/DP MFP |
Affected:
V3.1.5 , < *
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:39:08.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "V3.1.5",
"versionType": "custom"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:05:11.848Z",
"orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
"shortName": "siemens-SADP"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
}
],
"x_adpType": "supplier"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "36fecd740de2d542d2091d65d36554ee2bcf9c65",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "d717325b5ecf2a40daca85c61923e17f32306179",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "dc6a664089f10eab0fb36b6e4f705022210191d2",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "e77078e52fbf018ab986efb3c79065ab35025607",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "38628ae06e2a37770cd794802a3f1310cf9846e3",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"lessThan": "c28f922c9dcee0e4876a2c095939d77fe7e15116",
"status": "affected",
"version": "427215d85e8d1476da1a86b8d67aceb485eb3631",
"versionType": "git"
},
{
"status": "affected",
"version": "c6e8810d25295acb40a7b69ed3962ff181919571",
"versionType": "git"
},
{
"status": "affected",
"version": "e3eee87c846dc47f6d8eb6d85e7271f24122a279",
"versionType": "git"
},
{
"status": "affected",
"version": "517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce",
"versionType": "git"
},
{
"status": "affected",
"version": "963d85d630dabe75a3cfde44a006fec3304d07b8",
"versionType": "git"
},
{
"status": "affected",
"version": "812f39ed5b0b7f34868736de3055c92c7c4cf459",
"versionType": "git"
},
{
"status": "affected",
"version": "6a002d48a66076524f67098132538bef17e8445e",
"versionType": "git"
},
{
"status": "affected",
"version": "41812f4b84484530057513478c6770590347dc30",
"versionType": "git"
},
{
"lessThan": "4.5",
"status": "affected",
"version": "4.4.281",
"versionType": "semver"
},
{
"lessThan": "4.10",
"status": "affected",
"version": "4.9.280",
"versionType": "semver"
},
{
"lessThan": "4.15",
"status": "affected",
"version": "4.14.244",
"versionType": "semver"
},
{
"lessThan": "4.20",
"status": "affected",
"version": "4.19.204",
"versionType": "semver"
},
{
"lessThan": "5.5",
"status": "affected",
"version": "5.4.141",
"versionType": "semver"
},
{
"lessThan": "5.11",
"status": "affected",
"version": "5.10.59",
"versionType": "semver"
},
{
"lessThan": "5.14",
"status": "affected",
"version": "5.13.11",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/namespace.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.14"
},
{
"lessThan": "5.14",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.190",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.190",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "5.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.4.281",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.9.280",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.14.244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "4.19.204",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.141",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.10.59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.13.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T15:59:54.010Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65"
},
{
"url": "https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179"
},
{
"url": "https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2"
},
{
"url": "https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607"
},
{
"url": "https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3"
},
{
"url": "https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116"
}
],
"title": "clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38499",
"datePublished": "2025-08-11T16:01:08.257Z",
"dateReserved": "2025-04-16T04:51:24.022Z",
"dateUpdated": "2026-05-23T15:59:54.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-38499",
"date": "2026-06-29",
"epss": "0.00137",
"percentile": "0.03466"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38499\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-11T16:15:30.057\",\"lastModified\":\"2026-06-17T09:16:59.430\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\\n\\nWhat we want is to verify there is that clone won\u0027t expose something\\nhidden by a mount we wouldn\u0027t be able to undo. \\\"Wouldn\u0027t be able to undo\\\"\\nmay be a result of MNT_LOCKED on a child, but it may also come from\\nlacking admin rights in the userns of the namespace mount belongs to.\\n\\nclone_private_mnt() checks the former, but not the latter.\\n\\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\\nuserns during the mount, especially with the new mount API; they serve\\ndifferent purposes and in case of clone_private_mnt() they usually,\\nbut not always end up covering the missing check mentioned above.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: clone_private_mnt(): asegurar que el llamador tenga CAP_SYS_ADMIN en los usuarios correctos. Lo que queremos es verificar que clone no exponga algo oculto por un montaje que no podamos deshacer. \\\"No se puede deshacer\\\" puede ser el resultado de MNT_LOCKED en un hijo, pero tambi\u00e9n puede provenir de la falta de derechos de administrador en los usuarios del espacio de nombres al que pertenece el montaje. clone_private_mnt() comprueba lo primero, pero no lo segundo. Hay varias comprobaciones de CAP_SYS_ADMIN bastante confusas en varios usuarios durante el montaje, especialmente con la nueva API de montaje; tienen diferentes prop\u00f3sitos y, en el caso de clone_private_mnt(), generalmente, aunque no siempre, cubren la comprobaci\u00f3n faltante mencionada anteriormente.\"}],\"affected\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"affectedData\":[{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"unaffected\",\"programFiles\":[\"fs/namespace.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"36fecd740de2d542d2091d65d36554ee2bcf9c65\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"d717325b5ecf2a40daca85c61923e17f32306179\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"dc6a664089f10eab0fb36b6e4f705022210191d2\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"e77078e52fbf018ab986efb3c79065ab35025607\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"38628ae06e2a37770cd794802a3f1310cf9846e3\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"427215d85e8d1476da1a86b8d67aceb485eb3631\",\"lessThan\":\"c28f922c9dcee0e4876a2c095939d77fe7e15116\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"c6e8810d25295acb40a7b69ed3962ff181919571\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"e3eee87c846dc47f6d8eb6d85e7271f24122a279\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"517b875dfbf58f0c6c9e32dc90f5cf42d71a42ce\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"963d85d630dabe75a3cfde44a006fec3304d07b8\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"812f39ed5b0b7f34868736de3055c92c7c4cf459\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"6a002d48a66076524f67098132538bef17e8445e\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"41812f4b84484530057513478c6770590347dc30\",\"versionType\":\"git\",\"status\":\"affected\"},{\"version\":\"4.4.281\",\"lessThan\":\"4.5\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.9.280\",\"lessThan\":\"4.10\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.14.244\",\"lessThan\":\"4.15\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.19.204\",\"lessThan\":\"4.20\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.4.141\",\"lessThan\":\"5.5\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.10.59\",\"lessThan\":\"5.11\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"5.13.11\",\"lessThan\":\"5.14\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Linux\",\"product\":\"Linux\",\"defaultStatus\":\"affected\",\"programFiles\":[\"fs/namespace.c\"],\"repo\":\"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\",\"versions\":[{\"version\":\"5.14\",\"status\":\"affected\"},{\"version\":\"0\",\"lessThan\":\"5.14\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"5.15.190\",\"lessThanOrEqual\":\"5.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.1.147\",\"lessThanOrEqual\":\"6.1.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.6.100\",\"lessThanOrEqual\":\"6.6.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.12.40\",\"lessThanOrEqual\":\"6.12.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.15.3\",\"lessThanOrEqual\":\"6.15.*\",\"versionType\":\"semver\",\"status\":\"unaffected\"},{\"version\":\"6.16\",\"lessThanOrEqual\":\"*\",\"versionType\":\"original_commit_for_fix\",\"status\":\"unaffected\"}]}]},{\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\",\"affectedData\":[{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.5\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.5\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.5\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.5\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]},{\"vendor\":\"Siemens\",\"product\":\"SIPLUS S7-1500 CPU 1518-4 PN/DP MFP\",\"defaultStatus\":\"unknown\",\"versions\":[{\"version\":\"V3.1.5\",\"lessThan\":\"*\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.281\",\"versionEndExcluding\":\"4.5\",\"matchCriteriaId\":\"5535FC0D-74B0-40D6-9F0A-6613211BD394\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.9.280\",\"versionEndExcluding\":\"4.10\",\"matchCriteriaId\":\"DA4F8FAA-0A0A-4B05-9FD2-9B363CB18052\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.14.244\",\"versionEndExcluding\":\"4.15\",\"matchCriteriaId\":\"0BB634A6-F36F-476C-94DA-84A3ABF7A170\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.19.204\",\"versionEndExcluding\":\"4.20\",\"matchCriteriaId\":\"B955CF5A-B1F2-423D-B6CA-0D920E17DF1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.141\",\"versionEndExcluding\":\"5.5\",\"matchCriteriaId\":\"1418F9CC-F473-45C3-BECA-6717DB26D246\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.59\",\"versionEndExcluding\":\"5.11\",\"matchCriteriaId\":\"E50E0919-685C-4AEA-9CA2-9A611C3C1021\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.13.11\",\"versionEndExcluding\":\"5.14\",\"matchCriteriaId\":\"91EB0938-272F-4A6B-9615-988B8A8B0145\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14.1\",\"versionEndExcluding\":\"5.15.190\",\"matchCriteriaId\":\"1A202E7B-1B3B-4A22-865A-DDFC127C9289\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.147\",\"matchCriteriaId\":\"A4FD62FC-0DAE-4ACE-8C9C-66156518C3E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.100\",\"matchCriteriaId\":\"094B81E0-B756-4727-85CA-F3F8D1C9D116\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.40\",\"matchCriteriaId\":\"0099D5A4-B157-4D36-8858-982C7D579030\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.3\",\"matchCriteriaId\":\"0541C761-BD5E-4C1A-8432-83B375D7EB92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A05198E-F8FA-4517-8D0E-8C95066AED38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"15013998-4AF0-4CDC-AB13-829ECD8A8E66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.14:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"376A25CF-C05B-48F1-99B1-8FB0314A8E06\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/36fecd740de2d542d2091d65d36554ee2bcf9c65\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/38628ae06e2a37770cd794802a3f1310cf9846e3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c28f922c9dcee0e4876a2c095939d77fe7e15116\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/d717325b5ecf2a40daca85c61923e17f32306179\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dc6a664089f10eab0fb36b6e4f705022210191d2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e77078e52fbf018ab986efb3c79065ab35025607\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-082556.html\",\"source\":\"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e\"}]}}"
}
}
SUSE-SU-2025:03636-1
Vulnerability from csaf_suse - Published: 2025-10-18 10:03 - Updated: 2025-10-18 10:03Summary
Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP6)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP6)
Description of the patch: This update for the Linux Kernel 6.4.0-150600_10_11 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).
- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).
Patchnames: SUSE-2025-3636,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3636
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.7 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
56 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP6)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150600_10_11 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).\n- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).\n- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3636,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3636",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03636-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03636-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503636-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03636-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022943.html"
},
{
"category": "self",
"summary": "SUSE Bug 1232384",
"url": "https://bugzilla.suse.com/1232384"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1247158",
"url": "https://bugzilla.suse.com/1247158"
},
{
"category": "self",
"summary": "SUSE Bug 1247452",
"url": "https://bugzilla.suse.com/1247452"
},
{
"category": "self",
"summary": "SUSE Bug 1248376",
"url": "https://bugzilla.suse.com/1248376"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249458",
"url": "https://bugzilla.suse.com/1249458"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-49974 page",
"url": "https://www.suse.com/security/cve/CVE-2024-49974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38110 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38396 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38396/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38471 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38471/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP6)",
"tracking": {
"current_release_date": "2025-10-18T10:03:51Z",
"generator": {
"date": "2025-10-18T10:03:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03636-1",
"initial_release_date": "2025-10-18T10:03:51Z",
"revision_history": [
{
"date": "2025-10-18T10:03:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-49974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-49974"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-49974",
"url": "https://www.suse.com/security/cve/CVE-2024-49974"
},
{
"category": "external",
"summary": "SUSE Bug 1232383 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232383"
},
{
"category": "external",
"summary": "SUSE Bug 1232384 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2024-49974"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38110"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38110",
"url": "https://www.suse.com/security/cve/CVE-2025-38110"
},
{
"category": "external",
"summary": "SUSE Bug 1245665 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1245665"
},
{
"category": "external",
"summary": "SUSE Bug 1249458 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1249458"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38110"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38396",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38396"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38396",
"url": "https://www.suse.com/security/cve/CVE-2025-38396"
},
{
"category": "external",
"summary": "SUSE Bug 1247156 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247156"
},
{
"category": "external",
"summary": "SUSE Bug 1247158 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247158"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38396"
},
{
"cve": "CVE-2025-38471",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38471"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\").",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38471",
"url": "https://www.suse.com/security/cve/CVE-2025-38471"
},
{
"category": "external",
"summary": "SUSE Bug 1247450 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247450"
},
{
"category": "external",
"summary": "SUSE Bug 1247452 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247452"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38471"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38566"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38566",
"url": "https://www.suse.com/security/cve/CVE-2025-38566"
},
{
"category": "external",
"summary": "SUSE Bug 1248374 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248374"
},
{
"category": "external",
"summary": "SUSE Bug 1248376 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248376"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38566"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_11-rt-19-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:03:51Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:03638-1
Vulnerability from csaf_suse - Published: 2025-10-18 10:04 - Updated: 2025-10-18 10:04Summary
Security update for the Linux Kernel RT (Live Patch 5 for SLE 15 SP6)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 5 for SLE 15 SP6)
Description of the patch: This update for the Linux Kernel 6.4.0-150600_10_17 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).
Patchnames: SUSE-2025-3638,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3638
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.7 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
51 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 5 for SLE 15 SP6)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150600_10_17 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).\n- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3638,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3638",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03638-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03638-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503638-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03638-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-October/022942.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1247158",
"url": "https://bugzilla.suse.com/1247158"
},
{
"category": "self",
"summary": "SUSE Bug 1247452",
"url": "https://bugzilla.suse.com/1247452"
},
{
"category": "self",
"summary": "SUSE Bug 1248376",
"url": "https://bugzilla.suse.com/1248376"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249458",
"url": "https://bugzilla.suse.com/1249458"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38110 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38396 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38396/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38471 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38471/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 5 for SLE 15 SP6)",
"tracking": {
"current_release_date": "2025-10-18T10:04:00Z",
"generator": {
"date": "2025-10-18T10:04:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03638-1",
"initial_release_date": "2025-10-18T10:04:00Z",
"revision_history": [
{
"date": "2025-10-18T10:04:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38110"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38110",
"url": "https://www.suse.com/security/cve/CVE-2025-38110"
},
{
"category": "external",
"summary": "SUSE Bug 1245665 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1245665"
},
{
"category": "external",
"summary": "SUSE Bug 1249458 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1249458"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38110"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38396",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38396"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38396",
"url": "https://www.suse.com/security/cve/CVE-2025-38396"
},
{
"category": "external",
"summary": "SUSE Bug 1247156 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247156"
},
{
"category": "external",
"summary": "SUSE Bug 1247158 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247158"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38396"
},
{
"cve": "CVE-2025-38471",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38471"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\").",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38471",
"url": "https://www.suse.com/security/cve/CVE-2025-38471"
},
{
"category": "external",
"summary": "SUSE Bug 1247450 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247450"
},
{
"category": "external",
"summary": "SUSE Bug 1247452 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247452"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38471"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38566"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38566",
"url": "https://www.suse.com/security/cve/CVE-2025-38566"
},
{
"category": "external",
"summary": "SUSE Bug 1248374 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248374"
},
{
"category": "external",
"summary": "SUSE Bug 1248376 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248376"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38566"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_17-rt-17-150600.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:00Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:03643-1
Vulnerability from csaf_suse - Published: 2025-10-18 10:33 - Updated: 2025-10-18 10:33Summary
Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP7)
Description of the patch: This update for the Linux Kernel 6.4.0-150700_7_13 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).
- kernel-livepatch.spec: Replace kernel-syms with kernel-<flavor>-specific dependencies (bsc#1248108) The commit ead79afe7cbfae ('kernel-livepatch.spec: Update build dependencies for non-default flavors') broke build of livepatches which were built with kernel-syms-rt. The problem is that livepatch packages for already released kernels are built in exactly the same build environment as the initial livepatch. The BS (Build Service) installs the build environment using the given _buildinfo-*.xml and ignores BuildRequires. But the BuildRequires are later checked by rpmbuild tool. It would complain when new dependencies were added. Unfortunately, kernel-syms-rt does not exist on SLE16. This was the main motivation for the above mentioned commit. But the package kernel-syms is empty. Its only purpose is to add other dependencies. Replace it by opencoding the dependencies. Note that the kernel devel files are historically split into various packages, kernel-<flavor>-devel, kernel-devel-<flavor>, and even kernel-devel. But it is enough to require kernel-<flavor>-devel because it requires the other devel files on its own. This seems to be true back to SLE15-SP4 at minimum.
Patchnames: SUSE-2025-3643,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3643,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3647
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.4 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
20 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150700_7_13 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).\n- kernel-livepatch.spec: Replace kernel-syms with kernel-\u0026lt;flavor\u0026gt;-specific dependencies (bsc#1248108) The commit ead79afe7cbfae (\u0027kernel-livepatch.spec: Update build dependencies for non-default flavors\u0027) broke build of livepatches which were built with kernel-syms-rt. The problem is that livepatch packages for already released kernels are built in exactly the same build environment as the initial livepatch. The BS (Build Service) installs the build environment using the given _buildinfo-*.xml and ignores BuildRequires. But the BuildRequires are later checked by rpmbuild tool. It would complain when new dependencies were added. Unfortunately, kernel-syms-rt does not exist on SLE16. This was the main motivation for the above mentioned commit. But the package kernel-syms is empty. Its only purpose is to add other dependencies. Replace it by opencoding the dependencies. Note that the kernel devel files are historically split into various packages, kernel-\u0026lt;flavor\u0026gt;-devel, kernel-devel-\u0026lt;flavor\u0026gt;, and even kernel-devel. But it is enough to require kernel-\u0026lt;flavor\u0026gt;-devel because it requires the other devel files on its own. This seems to be true back to SLE15-SP4 at minimum.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3643,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3643,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3647",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03643-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03643-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503643-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03643-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042211.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248108",
"url": "https://bugzilla.suse.com/1248108"
},
{
"category": "self",
"summary": "SUSE Bug 1248376",
"url": "https://bugzilla.suse.com/1248376"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 3 for SLE 15 SP7)",
"tracking": {
"current_release_date": "2025-10-18T10:33:40Z",
"generator": {
"date": "2025-10-18T10:33:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03643-1",
"initial_release_date": "2025-10-18T10:33:40Z",
"revision_history": [
{
"date": "2025-10-18T10:33:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:33:40Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38566"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38566",
"url": "https://www.suse.com/security/cve/CVE-2025-38566"
},
{
"category": "external",
"summary": "SUSE Bug 1248374 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248374"
},
{
"category": "external",
"summary": "SUSE Bug 1248376 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248376"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:33:40Z",
"details": "important"
}
],
"title": "CVE-2025-38566"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_49-rt-2-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_13-rt-2-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:33:40Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:03646-1
Vulnerability from csaf_suse - Published: 2025-10-18 11:03 - Updated: 2025-10-18 11:03Summary
Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP7)
Description of the patch: This update for the Linux Kernel 6.4.0-150700_7_8 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).
Patchnames: SUSE-2025-3646,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3646,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3651
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.7 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
41 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150700_7_8 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).\n- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3646,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3646,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3651",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03646-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03646-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503646-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03646-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042210.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1247158",
"url": "https://bugzilla.suse.com/1247158"
},
{
"category": "self",
"summary": "SUSE Bug 1247452",
"url": "https://bugzilla.suse.com/1247452"
},
{
"category": "self",
"summary": "SUSE Bug 1248376",
"url": "https://bugzilla.suse.com/1248376"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38396 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38396/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38471 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38471/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 2 for SLE 15 SP7)",
"tracking": {
"current_release_date": "2025-10-18T11:03:50Z",
"generator": {
"date": "2025-10-18T11:03:50Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03646-1",
"initial_release_date": "2025-10-18T11:03:50Z",
"revision_history": [
{
"date": "2025-10-18T11:03:50Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38396",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38396"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38396",
"url": "https://www.suse.com/security/cve/CVE-2025-38396"
},
{
"category": "external",
"summary": "SUSE Bug 1247156 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247156"
},
{
"category": "external",
"summary": "SUSE Bug 1247158 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247158"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38396"
},
{
"cve": "CVE-2025-38471",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38471"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\").",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38471",
"url": "https://www.suse.com/security/cve/CVE-2025-38471"
},
{
"category": "external",
"summary": "SUSE Bug 1247450 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247450"
},
{
"category": "external",
"summary": "SUSE Bug 1247452 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247452"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38471"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38566"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38566",
"url": "https://www.suse.com/security/cve/CVE-2025-38566"
},
{
"category": "external",
"summary": "SUSE Bug 1248374 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248374"
},
{
"category": "external",
"summary": "SUSE Bug 1248376 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248376"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38566"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_44-rt-6-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_7_8-rt-6-150700.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T11:03:50Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:03650-1
Vulnerability from csaf_suse - Published: 2025-10-18 10:04 - Updated: 2025-10-18 10:04Summary
Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP7)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP7)
Description of the patch: This update for the Linux Kernel 6.4.0-150700_5 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).
- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).
- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).
Patchnames: SUSE-2025-3650,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3650,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3644
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.7 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
46 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150700_5 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38396: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (bsc#1247158).\n- CVE-2025-38566: sunrpc: fix handling of server side tls alerts (bsc#1248376).\n- CVE-2025-38110: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (bsc#1249458).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n- CVE-2025-38471: tls: always refresh the queue when reading sock (bsc#1247452).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3650,SUSE-SLE-Module-Live-Patching-15-SP6-2025-3650,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3644",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03650-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03650-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503650-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03650-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042212.html"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1247158",
"url": "https://bugzilla.suse.com/1247158"
},
{
"category": "self",
"summary": "SUSE Bug 1247452",
"url": "https://bugzilla.suse.com/1247452"
},
{
"category": "self",
"summary": "SUSE Bug 1248376",
"url": "https://bugzilla.suse.com/1248376"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249458",
"url": "https://bugzilla.suse.com/1249458"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38110 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38110/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38396 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38396/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38471 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38471/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38566 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38566/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel RT (Live Patch 0 for SLE 15 SP7)",
"tracking": {
"current_release_date": "2025-10-18T10:04:27Z",
"generator": {
"date": "2025-10-18T10:04:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03650-1",
"initial_release_date": "2025-10-18T10:04:27Z",
"revision_history": [
{
"date": "2025-10-18T10:04:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp6"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP6",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-38110",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38110"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38110",
"url": "https://www.suse.com/security/cve/CVE-2025-38110"
},
{
"category": "external",
"summary": "SUSE Bug 1245665 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1245665"
},
{
"category": "external",
"summary": "SUSE Bug 1249458 for CVE-2025-38110",
"url": "https://bugzilla.suse.com/1249458"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38110"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38396",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38396"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass\n\nExport anon_inode_make_secure_inode() to allow KVM guest_memfd to create\nanonymous inodes with proper security context. This replaces the current\npattern of calling alloc_anon_inode() followed by\ninode_init_security_anon() for creating security context manually.\n\nThis change also fixes a security regression in secretmem where the\nS_PRIVATE flag was not cleared after alloc_anon_inode(), causing\nLSM/SELinux checks to be bypassed for secretmem file descriptors.\n\nAs guest_memfd currently resides in the KVM module, we need to export this\nsymbol for use outside the core kernel. In the future, guest_memfd might be\nmoved to core-mm, at which point the symbols no longer would have to be\nexported. When/if that happens is still unclear.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38396",
"url": "https://www.suse.com/security/cve/CVE-2025-38396"
},
{
"category": "external",
"summary": "SUSE Bug 1247156 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247156"
},
{
"category": "external",
"summary": "SUSE Bug 1247158 for CVE-2025-38396",
"url": "https://bugzilla.suse.com/1247158"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38396"
},
{
"cve": "CVE-2025-38471",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38471"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\ntls: always refresh the queue when reading sock\n\nAfter recent changes in net-next TCP compacts skbs much more\naggressively. This unearthed a bug in TLS where we may try\nto operate on an old skb when checking if all skbs in the\nqueue have matching decrypt state and geometry.\n\n BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls]\n (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544)\n Read of size 4 at addr ffff888013085750 by task tls/13529\n\n CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme\n Call Trace:\n kasan_report+0xca/0x100\n tls_strp_check_rcv+0x898/0x9a0 [tls]\n tls_rx_rec_wait+0x2c9/0x8d0 [tls]\n tls_sw_recvmsg+0x40f/0x1aa0 [tls]\n inet_recvmsg+0x1c3/0x1f0\n\nAlways reload the queue, fast path is to have the record in the queue\nwhen we wake, anyway (IOW the path going down \"if !strp-\u003estm.full_len\").",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38471",
"url": "https://www.suse.com/security/cve/CVE-2025-38471"
},
{
"category": "external",
"summary": "SUSE Bug 1247450 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247450"
},
{
"category": "external",
"summary": "SUSE Bug 1247452 for CVE-2025-38471",
"url": "https://bugzilla.suse.com/1247452"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38471"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38566",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38566"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: fix handling of server side tls alerts\n\nScott Mayhew discovered a security exploit in NFS over TLS in\ntls_alert_recv() due to its assumption it can read data from\nthe msg iterator\u0027s kvec..\n\nkTLS implementation splits TLS non-data record payload between\nthe control message buffer (which includes the type such as TLS\naler or TLS cipher change) and the rest of the payload (say TLS\nalert\u0027s level/description) which goes into the msg payload buffer.\n\nThis patch proposes to rework how control messages are setup and\nused by sock_recvmsg().\n\nIf no control message structure is setup, kTLS layer will read and\nprocess TLS data record types. As soon as it encounters a TLS control\nmessage, it would return an error. At that point, NFS can setup a\nkvec backed msg buffer and read in the control message such as a\nTLS alert. Msg iterator can advance the kvec pointer as a part of\nthe copy process thus we need to revert the iterator before calling\ninto the tls_alert_recv.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38566",
"url": "https://www.suse.com/security/cve/CVE-2025-38566"
},
{
"category": "external",
"summary": "SUSE Bug 1248374 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248374"
},
{
"category": "external",
"summary": "SUSE Bug 1248376 for CVE-2025-38566",
"url": "https://bugzilla.suse.com/1248376"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38566"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP6:kernel-livepatch-6_4_0-150600_10_34-rt-8-150600.2.1.x86_64",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_5-rt-6-150700.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T10:04:27Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:03652-1
Vulnerability from csaf_suse - Published: 2025-10-18 19:04 - Updated: 2025-10-18 19:04Summary
Security update for the Linux Kernel (Live Patch 60 for SLE 12 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 60 for SLE 12 SP5)
Description of the patch: This update for the Linux Kernel 4.12.14-122_228 fixes several issues.
The following security issues were fixed:
- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3652,SUSE-SLE-Live-Patching-12-SP5-2025-3652
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 60 for SLE 12 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 4.12.14-122_228 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3652,SUSE-SLE-Live-Patching-12-SP5-2025-3652",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03652-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03652-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503652-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03652-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042208.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1250302",
"url": "https://bugzilla.suse.com/1250302"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-50386 page",
"url": "https://www.suse.com/security/cve/CVE-2022-50386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 60 for SLE 12 SP5)",
"tracking": {
"current_release_date": "2025-10-18T19:04:01Z",
"generator": {
"date": "2025-10-18T19:04:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03652-1",
"initial_release_date": "2025-10-18T19:04:01Z",
"revision_history": [
{
"date": "2025-10-18T19:04:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"product": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"product_id": "kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"product": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"product_id": "kgraft-patch-4_12_14-122_228-default-18-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64",
"product": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64",
"product_id": "kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le"
},
"product_reference": "kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x"
},
"product_reference": "kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
},
"product_reference": "kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-50386"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-50386",
"url": "https://www.suse.com/security/cve/CVE-2022-50386"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1250301 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250301"
},
{
"category": "external",
"summary": "SUSE Bug 1250302 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250302"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T19:04:01Z",
"details": "important"
}
],
"title": "CVE-2022-50386"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T19:04:01Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T19:04:01Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_228-default-18-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T19:04:01Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:03653-1
Vulnerability from csaf_suse - Published: 2025-10-18 21:04 - Updated: 2025-10-18 21:04Summary
Security update for the Linux Kernel (Live Patch 61 for SLE 12 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 61 for SLE 12 SP5)
Description of the patch: This update for the Linux Kernel 4.12.14-122_231 fixes several issues.
The following security issues were fixed:
- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3653,SUSE-SLE-Live-Patching-12-SP5-2025-3653
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 61 for SLE 12 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 4.12.14-122_231 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3653,SUSE-SLE-Live-Patching-12-SP5-2025-3653",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03653-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03653-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503653-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03653-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042207.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1250302",
"url": "https://bugzilla.suse.com/1250302"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-50386 page",
"url": "https://www.suse.com/security/cve/CVE-2022-50386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 61 for SLE 12 SP5)",
"tracking": {
"current_release_date": "2025-10-18T21:04:34Z",
"generator": {
"date": "2025-10-18T21:04:34Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03653-1",
"initial_release_date": "2025-10-18T21:04:34Z",
"revision_history": [
{
"date": "2025-10-18T21:04:34Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"product": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"product_id": "kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"product": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"product_id": "kgraft-patch-4_12_14-122_231-default-17-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64",
"product": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64",
"product_id": "kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le"
},
"product_reference": "kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x"
},
"product_reference": "kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
},
"product_reference": "kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-50386"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-50386",
"url": "https://www.suse.com/security/cve/CVE-2022-50386"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1250301 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250301"
},
{
"category": "external",
"summary": "SUSE Bug 1250302 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250302"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T21:04:34Z",
"details": "important"
}
],
"title": "CVE-2022-50386"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T21:04:34Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T21:04:34Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_231-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-18T21:04:34Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:03656-1
Vulnerability from csaf_suse - Published: 2025-10-19 09:33 - Updated: 2025-10-19 09:33Summary
Security update for the Linux Kernel (Live Patch 62 for SLE 12 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 62 for SLE 12 SP5)
Description of the patch: This update for the Linux Kernel 4.12.14-122_234 fixes several issues.
The following security issues were fixed:
- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3656,SUSE-SLE-Live-Patching-12-SP5-2025-3656
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
27 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 62 for SLE 12 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 4.12.14-122_234 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3656,SUSE-SLE-Live-Patching-12-SP5-2025-3656",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03656-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03656-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503656-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03656-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042206.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1250302",
"url": "https://bugzilla.suse.com/1250302"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-50386 page",
"url": "https://www.suse.com/security/cve/CVE-2022-50386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 62 for SLE 12 SP5)",
"tracking": {
"current_release_date": "2025-10-19T09:33:41Z",
"generator": {
"date": "2025-10-19T09:33:41Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03656-1",
"initial_release_date": "2025-10-19T09:33:41Z",
"revision_history": [
{
"date": "2025-10-19T09:33:41Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"product": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"product_id": "kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"product": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"product_id": "kgraft-patch-4_12_14-122_234-default-17-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64",
"product": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64",
"product_id": "kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le"
},
"product_reference": "kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x"
},
"product_reference": "kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
},
"product_reference": "kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-50386"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-50386",
"url": "https://www.suse.com/security/cve/CVE-2022-50386"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1250301 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250301"
},
{
"category": "external",
"summary": "SUSE Bug 1250302 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250302"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:33:41Z",
"details": "important"
}
],
"title": "CVE-2022-50386"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:33:41Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:33:41Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_234-default-17-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:33:41Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:03662-1
Vulnerability from csaf_suse - Published: 2025-10-19 09:34 - Updated: 2025-10-19 09:34Summary
Security update for the Linux Kernel (Live Patch 70 for SLE 12 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 70 for SLE 12 SP5)
Description of the patch: This update for the Linux Kernel 4.12.14-122_266 fixes several issues.
The following security issues were fixed:
- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3662,SUSE-SLE-Live-Patching-12-SP5-2025-3662
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
22 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 70 for SLE 12 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 4.12.14-122_266 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3662,SUSE-SLE-Live-Patching-12-SP5-2025-3662",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03662-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03662-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503662-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03662-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042205.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1250302",
"url": "https://bugzilla.suse.com/1250302"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-50386 page",
"url": "https://www.suse.com/security/cve/CVE-2022-50386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 70 for SLE 12 SP5)",
"tracking": {
"current_release_date": "2025-10-19T09:34:19Z",
"generator": {
"date": "2025-10-19T09:34:19Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03662-1",
"initial_release_date": "2025-10-19T09:34:19Z",
"revision_history": [
{
"date": "2025-10-19T09:34:19Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"product": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"product_id": "kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"product": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"product_id": "kgraft-patch-4_12_14-122_266-default-6-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64",
"product": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64",
"product_id": "kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le"
},
"product_reference": "kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x"
},
"product_reference": "kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
},
"product_reference": "kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-50386"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-50386",
"url": "https://www.suse.com/security/cve/CVE-2022-50386"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1250301 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250301"
},
{
"category": "external",
"summary": "SUSE Bug 1250302 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250302"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:34:19Z",
"details": "important"
}
],
"title": "CVE-2022-50386"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:34:19Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_266-default-6-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T09:34:19Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:03663-1
Vulnerability from csaf_suse - Published: 2025-10-19 11:04 - Updated: 2025-10-19 11:04Summary
Security update for the Linux Kernel (Live Patch 48 for SLE 15 SP3)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 48 for SLE 15 SP3)
Description of the patch: This update for the Linux Kernel 5.3.18-150300_59_174 fixes several issues.
The following security issues were fixed:
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3663,SUSE-SLE-Module-Live-Patching-15-SP3-2025-3663
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
31 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 48 for SLE 15 SP3)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.3.18-150300_59_174 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3663,SUSE-SLE-Module-Live-Patching-15-SP3-2025-3663",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03663-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03663-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503663-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03663-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042204.html"
},
{
"category": "self",
"summary": "SUSE Bug 1232384",
"url": "https://bugzilla.suse.com/1232384"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-49974 page",
"url": "https://www.suse.com/security/cve/CVE-2024-49974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 48 for SLE 15 SP3)",
"tracking": {
"current_release_date": "2025-10-19T11:04:03Z",
"generator": {
"date": "2025-10-19T11:04:03Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03663-1",
"initial_release_date": "2025-10-19T11:04:03Z",
"revision_history": [
{
"date": "2025-10-19T11:04:03Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"product_id": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"product_id": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64",
"product_id": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_174-preempt-19-150300.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_174-preempt-19-150300.2.1.x86_64",
"product_id": "kernel-livepatch-5_3_18-150300_59_174-preempt-19-150300.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-49974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-49974"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-49974",
"url": "https://www.suse.com/security/cve/CVE-2024-49974"
},
{
"category": "external",
"summary": "SUSE Bug 1232383 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232383"
},
{
"category": "external",
"summary": "SUSE Bug 1232384 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T11:04:03Z",
"details": "important"
}
],
"title": "CVE-2024-49974"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T11:04:03Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T11:04:03Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T11:04:03Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1247374 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1247374"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "external",
"summary": "SUSE Bug 1253291 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1253291"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_174-default-19-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-19T11:04:03Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…