suse-sles-15-sp6-v20260123-x86_64-llc CVE scan on 2026-01-23T05:44:23+00:00

CVE-2024-6174 Severity: Important CVSS3 score: 8.8

Description: When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2025-9187 Severity: Important CVSS3 score: 8.8

Description: Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142 and Thunderbird < 142.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
mozilla-nss-certs < 3.112.2-150400.3.60.1 (version in image is 3.112-150400.3.57.1).

CVE-2025-40778 Severity: Important CVSS3 score: 8.6

Description: Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache.This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
bind-utils < 9.18.33-150600.3.18.1 (version in image is 9.18.33-150600.3.9.1).

CVE-2025-40780 Severity: Important CVSS3 score: 8.6

Description: In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use.This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
bind-utils < 9.18.33-150600.3.18.1 (version in image is 9.18.33-150600.3.9.1).

CVE-2025-68973 Severity: Important CVSS3 score: 8.0

Description: In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gpg2 > 0-0 (version in image is 2.4.4-150600.3.9.1).

CVE-2023-53676 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()The function lio_target_nacl_info_show() uses sprintf() in a loop to printdetails for every iSCSI connection in a session without checking for thebuffer length. With enough iSCSI connections it's possible to overflow thebuffer provided by configfs and corrupt the memory.This patch replaces sprintf() with sysfs_emit_at() that checks for bufferboundries.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53713 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: sme: Use STR P to clear FFR context field in streaming SVE modeThe FFR is a predicate register which can vary between 16 and 256 bitsin size depending upon the configured vector length. When saving theSVE state in streaming SVE mode, the FFR register is inaccessible andso commit 9f5848665788 ("arm64/sve: Make access to FFR optional") simplyclears the FFR field of the in-memory context structure. Unfortunately,it achieves this using an unconditional 8-byte store and so if the SMEvector length is anything other than 64 bytes in size we will eitherfail to clear the entire field or, worse, we will corrupt memoryimmediately following the structure. This has led to intermittent kfencesplats in CI [1] and can trigger kmalloc Redzone corruption messageswhen running the 'fp-stress' kselftest: | ============================================================================= | BUG kmalloc-1k (Not tainted): kmalloc Redzone overwritten | ----------------------------------------------------------------------------- | | 0xffff000809bf1e22-0xffff000809bf1e27 @offset=7714. First byte 0x0 instead of 0xcc | Allocated in do_sme_acc+0x9c/0x220 age=2613 cpu=1 pid=531 | __kmalloc+0x8c/0xcc | do_sme_acc+0x9c/0x220 | ...Replace the 8-byte store with a store of a predicate register which hasbeen zero-initialised with PFALSE, ensuring that the entire field iscleared in memory.[1] https://lore.kernel.org/r/CA+G9fYtU7HsV0R0dp4XEH5xXHSJFw8KyDf5VQrLLfMxWfxQkag@mail.gmail.com

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53722 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:md: raid1: fix potential OOB in raid1_remove_disk()If rddev->raid_disk is greater than mddev->raid_disks, there will bean out-of-bounds in raid1_remove_disk(). We have already foundsimilar reports as follows:1) commit d17f744e883b ("md-raid10: fix KASAN warning")2) commit 1ebc2cec0b7d ("dm raid: fix KASAN warning in raid5_remove_disk")Fix this bug by checking whether the "number" variable isvalid.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-31133 Severity: Important CVSS3 score: 7.8

Description: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7 and below, 1.3.0-rc.1 through 1.3.1, 1.4.0-rc.1 and 1.4.0-rc.2 files, runc would not perform sufficient verification that the source of the bind-mount (i.e., the container's /dev/null) was actually a real /dev/null inode when using the container's /dev/null to mask. This exposes two methods of attack: an arbitrary mount gadget, leading to host information disclosure, host denial of service, container escape, or a bypassing of maskedPaths. This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
runc < 1.3.3-150000.85.1 (version in image is 1.2.6-150000.73.2).

CVE-2025-39978 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"and then dereferences it on the next line. Two lines later, we takea mutex so I don't think this is an RCU safe region. Re-order it to dothe dereferences before queuing up the free.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40139 Severity: Important CVSS3 score: 7.8

Description: In the Linux kernel, the following vulnerability has been resolved:smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().smc_clc_prfx_set() is called during connect() and not under RCUnor RTNL.Using sk_dst_get(sk)->dev could trigger UAF.Let's use __sk_dst_get() and dev_dst_rcu() under rcu_read_lock()after kernel_getsockname().Note that the returned value of smc_clc_prfx_set() is not usedin the caller.While at it, we change the 1st arg of smc_clc_prfx_set[46]_rcu()not to touch dst there.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-45582 Severity: Important CVSS3 score: 7.8

Description: GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
tar > 0-0 (version in image is 1.34-150000.3.34.1).

CVE-2025-52565 Severity: Important CVSS3 score: 7.8

Description: runc is a CLI tool for spawning and running containers according to the OCI specification. Versions 1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2, due to insufficient checks when bind-mounting `/dev/pts/$n` to `/dev/console` inside the container, an attacker can trick runc into bind-mounting paths which would normally be made read-only or be masked onto a path that the attacker can write to. This attack is very similar in concept and application to CVE-2025-31133, except that it attacks a similar vulnerability in a different target (namely, the bind-mount of `/dev/pts/$n` to `/dev/console` as configured for all containers that allocate a console). This happens after `pivot_root(2)`, so this cannot be used to write to host files directly -- however, as with CVE-2025-31133, this can load to denial of service of the host or a container breakout by providing the attacker with a writable copy of `/proc/sysrq-trigger` or `/proc/sys/kernel/core_pattern` (respectively). This issue is fixed in versions 1.2.8, 1.3.3 and 1.4.0-rc.3.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
runc < 1.3.3-150000.85.1 (version in image is 1.2.6-150000.73.2).

CVE-2025-52881 Severity: Important CVSS3 score: 7.8

Description: runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2 and 1.4.0-rc.2, an attacker can trick runc into misdirecting writes to /proc to other procfs files through the use of a racing container with shared mounts (we have also verified this attack is possible to exploit using a standard Dockerfile with docker buildx build as that also permits triggering parallel execution of containers with custom shared mounts configured). This redirect could be through symbolic links in a tmpfs or theoretically other methods such as regular bind-mounts. While similar, the mitigation applied for the related CVE, CVE-2019-19921, was fairly limited and effectively only caused runc to verify that when LSM labels are written they are actually procfs files. This issue is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
runc < 1.3.3-150000.85.1 (version in image is 1.2.6-150000.73.2).

CVE-2025-56005 Severity: Important CVSS3 score: 7.8

Description: An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-ply > 0-0 (version in image is 3.11-150400.12.6.1).

CVE-2026-0861 Severity: Important CVSS3 score: 7.8

Description: Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2025-13601 Severity: Important CVSS3 score: 7.7

Description: A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.16.1).

CVE-2025-11468 Severity: Important CVSS3 score: 7.5

Description: When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311 > 0-0 (version in image is 3.11.13-150600.3.35.2).

CVE-2025-11731 Severity: Important CVSS3 score: 7.5

Description: A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libxslt1 < 1.1.34-150400.3.13.1 (version in image is 1.1.34-150400.3.6.1).

CVE-2025-27144 Severity: Important CVSS3 score: 7.5

Description: Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
containerd > 0-0 (version in image is 1.7.27-150000.123.1).

CVE-2025-30204 Severity: Important CVSS3 score: 7.5

Description: golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-40129 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:sunrpc: fix null pointer dereference on zero-length checksumIn xdr_stream_decode_opaque_auth(), zero-length checksum.len causeschecksum.data to be set to NULL. This triggers a NPD when accessingchecksum.data in gss_krb5_verify_mic_v2(). This patch ensures thatthe value of checksum.len is not less than XDR_UNIT.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40204 Severity: Important CVSS3 score: 7.5

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: Fix MAC comparison to be constant-timeTo prevent timing attacks, MACs need to be compared in constant time.Use the appropriate helper function for this.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-47913 Severity: Important CVSS3 score: 7.5

Description: SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-69223 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69227 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69228 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69229 Severity: Important CVSS3 score: 7.5

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-8677 Severity: Important CVSS3 score: 7.5

Description: Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion.This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
bind-utils < 9.18.33-150600.3.18.1 (version in image is 9.18.33-150600.3.9.1).

CVE-2026-0672 Severity: Important CVSS3 score: 7.5

Description: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311 > 0-0 (version in image is 3.11.13-150600.3.35.2).

CVE-2026-23490 Severity: Important CVSS3 score: 7.5

Description: pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python3-pyasn1 > 0-0 (version in image is 0.4.2-150000.3.8.1).

CVE-2025-45768 Severity: Important CVSS3 score: 7.4

Description: pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-PyJWT > 0-0 (version in image is 2.4.0-150200.3.8.1).

CVE-2024-25621 Severity: Important CVSS3 score: 7.3

Description: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
containerd < 1.7.29-150000.128.1 (version in image is 1.7.27-150000.123.1).

CVE-2025-14087 Severity: Important CVSS3 score: 7.1

Description: A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.16.1).

CVE-2025-66293 Severity: Important CVSS3 score: 7.1

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2023-53574 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: rtw88: delete timer and free skb queue when unloadingFix possible crash and memory leak on driver unload by deletingTX purge timer and freeing C2H queue in 'rtw_core_deinit()',shrink critical section in the latter by freeing COEX queueout of TX report lock scope.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53659 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:iavf: Fix out-of-bounds when setting channels on removeIf we set channels greater during iavf_remove(), and waiting reset donewould be timeout, then returned with error but changed num_active_queuesdirectly, that will lead to OOB like the following logs. Because thenum_active_queues is greater than tx/rx_rings[] allocated actually.Reproducer: [root@host ~]# cat repro.sh #!/bin/bash pf_dbsf="0000:41:00.0" vf0_dbsf="0000:41:02.0" g_pids=() function do_set_numvf() { echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs sleep $((RANDOM%3+1)) echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs sleep $((RANDOM%3+1)) } function do_set_channel() { local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } ifconfig $nic 192.168.18.5 netmask 255.255.255.0 ifconfig $nic up ethtool -L $nic combined 1 ethtool -L $nic combined 4 sleep $((RANDOM%3)) } function on_exit() { local pid for pid in "${g_pids[@]}"; do kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null done g_pids=() } trap "on_exit; exit" EXIT while :; do do_set_numvf ; done & g_pids+=($!) while :; do do_set_channel ; done & g_pids+=($!) waitResult:[ 3506.152887] iavf 0000:41:02.0: Removing device[ 3510.400799] ==================================================================[ 3510.400820] BUG: KASAN: slab-out-of-bounds in iavf_free_all_tx_resources+0x156/0x160 [iavf][ 3510.400823] Read of size 8 at addr ffff88b6f9311008 by task repro.sh/55536[ 3510.400823][ 3510.400830] CPU: 101 PID: 55536 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1[ 3510.400832] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021[ 3510.400835] Call Trace:[ 3510.400851] dump_stack+0x71/0xab[ 3510.400860] print_address_description+0x6b/0x290[ 3510.400865] ? iavf_free_all_tx_resources+0x156/0x160 [iavf][ 3510.400868] kasan_report+0x14a/0x2b0[ 3510.400873] iavf_free_all_tx_resources+0x156/0x160 [iavf][ 3510.400880] iavf_remove+0x2b6/0xc70 [iavf][ 3510.400884] ? iavf_free_all_rx_resources+0x160/0x160 [iavf][ 3510.400891] ? wait_woken+0x1d0/0x1d0[ 3510.400895] ? notifier_call_chain+0xc1/0x130[ 3510.400903] pci_device_remove+0xa8/0x1f0[ 3510.400910] device_release_driver_internal+0x1c6/0x460[ 3510.400916] pci_stop_bus_device+0x101/0x150[ 3510.400919] pci_stop_and_remove_bus_device+0xe/0x20[ 3510.400924] pci_iov_remove_virtfn+0x187/0x420[ 3510.400927] ? pci_iov_add_virtfn+0xe10/0xe10[ 3510.400929] ? pci_get_subsys+0x90/0x90[ 3510.400932] sriov_disable+0xed/0x3e0[ 3510.400936] ? bus_find_device+0x12d/0x1a0[ 3510.400953] i40e_free_vfs+0x754/0x1210 [i40e][ 3510.400966] ? i40e_reset_all_vfs+0x880/0x880 [i40e][ 3510.400968] ? pci_get_device+0x7c/0x90[ 3510.400970] ? pci_get_subsys+0x90/0x90[ 3510.400982] ? pci_vfs_assigned.part.7+0x144/0x210[ 3510.400987] ? __mutex_lock_slowpath+0x10/0x10[ 3510.400996] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e][ 3510.401001] sriov_numvfs_store+0x214/0x290[ 3510.401005] ? sriov_totalvfs_show+0x30/0x30[ 3510.401007] ? __mutex_lock_slowpath+0x10/0x10[ 3510.401011] ? __check_object_size+0x15a/0x350[ 3510.401018] kernfs_fop_write+0x280/0x3f0[ 3510.401022] vfs_write+0x145/0x440[ 3510.401025] ksys_write+0xab/0x160[ 3510.401028] ? __ia32_sys_read+0xb0/0xb0[ 3510.401031] ? fput_many+0x1a/0x120[ 3510.401032] ? filp_close+0xf0/0x130[ 3510.401038] do_syscall_64+0xa0/0x370[ 3510.401041] ? page_fault+0x8/0x30[ 3510.401043] entry_SYSCALL_64_after_hwframe+0x65/0xca[ 3510.401073] RIP: 0033:0x7f3a9bb842c0[ 3510.401079] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53673 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_event: call disconnect callback before deleting connIn hci_cs_disconnect, we do hci_conn_del even if disconnection failed.ISO, L2CAP and SCO connections refer to the hci_conn withouthci_conn_get, so disconn_cfm must be called so they can clean up theirconn, otherwise use-after-free occurs.ISO:==========================================================iso_sock_connect:880: sk 00000000eabd6557iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da...iso_conn_add:140: hcon 000000001696f1fd conn 00000000b6251073hci_dev_put:1487: hci0 orig refcnt 17__iso_chan_add:214: conn 00000000b6251073iso_sock_clear_timer:117: sock 00000000eabd6557 state 3...hci_rx_work:4085: hci0 Event packethci_event_packet:7601: hci0: event 0x0fhci_cmd_status_evt:4346: hci0: opcode 0x0406hci_cs_disconnect:2760: hci0: status 0x0chci_sent_cmd_data:3107: hci0 opcode 0x0406hci_conn_del:1151: hci0 hcon 000000001696f1fd handle 2560hci_conn_unlink:1102: hci0: hcon 000000001696f1fdhci_conn_drop:1451: hcon 00000000d8521aaf orig refcnt 2hci_chan_list_flush:2780: hcon 000000001696f1fdhci_dev_put:1487: hci0 orig refcnt 21hci_dev_put:1487: hci0 orig refcnt 20hci_req_cmd_complete:3978: opcode 0x0406 status 0x0c... ...iso_sock_sendmsg:1098: sock 00000000dea5e2e0, sk 00000000eabd6557BUG: kernel NULL pointer dereference, address: 0000000000000668PGD 0 P4D 0Oops: 0000 [#1] PREEMPT SMP PTIHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014RIP: 0010:iso_sock_sendmsg (net/bluetooth/iso.c:1112) bluetooth==========================================================L2CAP:==================================================================hci_cmd_status_evt:4359: hci0: opcode 0x0406hci_cs_disconnect:2760: hci0: status 0x0chci_sent_cmd_data:3085: hci0 opcode 0x0406hci_conn_del:1151: hci0 hcon ffff88800c999000 handle 3585hci_conn_unlink:1102: hci0: hcon ffff88800c999000hci_chan_list_flush:2780: hcon ffff88800c999000hci_chan_del:2761: hci0 hcon ffff88800c999000 chan ffff888018ddd280...BUG: KASAN: slab-use-after-free in hci_send_acl+0x2d/0x540 [bluetooth]Read of size 8 at addr ffff888018ddd298 by task bluetoothd/1175CPU: 0 PID: 1175 Comm: bluetoothd Tainted: G E 6.4.0-rc4+ #2Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014Call Trace: dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xf8/0x180 ? hci_send_acl+0x2d/0x540 [bluetooth] kasan_report+0xa8/0xe0 ? hci_send_acl+0x2d/0x540 [bluetooth] hci_send_acl+0x2d/0x540 [bluetooth] ? __pfx___lock_acquire+0x10/0x10 l2cap_chan_send+0x1fd/0x1300 [bluetooth] ? l2cap_sock_sendmsg+0xf2/0x170 [bluetooth] ? __pfx_l2cap_chan_send+0x10/0x10 [bluetooth] ? lock_release+0x1d5/0x3c0 ? mark_held_locks+0x1a/0x90 l2cap_sock_sendmsg+0x100/0x170 [bluetooth] sock_write_iter+0x275/0x280 ? __pfx_sock_write_iter+0x10/0x10 ? __pfx___lock_acquire+0x10/0x10 do_iter_readv_writev+0x176/0x220 ? __pfx_do_iter_readv_writev+0x10/0x10 ? find_held_lock+0x83/0xa0 ? selinux_file_permission+0x13e/0x210 do_iter_write+0xda/0x340 vfs_writev+0x1b4/0x400 ? __pfx_vfs_writev+0x10/0x10 ? __seccomp_filter+0x112/0x750 ? populate_seccomp_data+0x182/0x220 ? __fget_light+0xdf/0x100 ? do_writev+0x19d/0x210 do_writev+0x19d/0x210 ? __pfx_do_writev+0x10/0x10 ? mark_held_locks+0x1a/0x90 do_syscall_64+0x60/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 ? do_syscall_64+0x6c/0x90 ? lockdep_hardirqs_on_prepare+0x149/0x210 entry_SYSCALL_64_after_hwframe+0x72/0xdcRIP: 0033:0x7ff45cb23e64Code: 15 d1 1f 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d 9d a7 0d 00 00 74 13 b8 14 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89RSP: 002b:00007fff21ae09b8 EFLAGS: 00000202 ORIG_RAX: 0000000000000014RAX: ffffffffffffffda RBX: ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39973 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: add validation for ring_len paramThe `ring_len` parameter provided by the virtual function (VF)is assigned directly to the hardware memory context (HMC) withoutany validation.To address this, introduce an upper boundary check for both Tx and Rxqueue lengths. The maximum number of descriptors supported by thehardware is 8k-32.Additionally, enforce alignment constraints: Tx rings must be a multipleof 8, and Rx rings must be a multiple of 32.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39981 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: MGMT: Fix possible UAFsThis attemps to fix possible UAFs caused by struct mgmt_pending beingfreed while still being processed like in the following trace, in orderto fix mgmt_pending_valid is introduce and use to check if themgmt_pending hasn't been removed from the pending list, on the completecallbacks it is used to check and in addtion remove the cmd from the listwhile holding mgmt_pending_lock to avoid TOCTOU problems since if the cmdis left on the list it can still be accessed and freed.BUG: KASAN: slab-use-after-free in mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223Read of size 8 at addr ffff8880709d4dc0 by task kworker/u11:0/55CPU: 0 UID: 0 PID: 55 Comm: kworker/u11:0 Not tainted 6.16.4 #2 PREEMPT(full)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014Workqueue: hci0 hci_cmd_sync_workCall Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 mgmt_add_adv_patterns_monitor_sync+0x35/0x50 net/bluetooth/mgmt.c:5223 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16.4/arch/x86/entry/entry_64.S:245 Allocated by task 12210: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4364 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269 mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 __add_adv_patterns_monitor+0x130/0x200 net/bluetooth/mgmt.c:5247 add_adv_patterns_monitor+0x214/0x360 net/bluetooth/mgmt.c:5364 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 sock_write_iter+0x258/0x330 net/socket.c:1133 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fFreed by task 12221: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4648 [inline] kfree+0x18e/0x440 mm/slub.c:4847 mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 __mgmt_power_off+0x169/0x350 net/bluetooth/mgmt.c:9444 hci_dev_close_sync+0x754/0x1330 net/bluetooth/hci_sync.c:5290 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline] hci_dev_close+0x108/0x200 net/bluetooth/hci_core.c:526 sock_do_ioctl+0xd9/0x300 net/socket.c:1192 sock_ioctl+0x576/0x790 net/socket.c:1313 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40018 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:ipvs: Defer ip_vs_ftp unregister during netns cleanupOn the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftpbefore connections with valid cp->app pointers are flushed, leading to ause-after-free.Fix this by introducing a global `exiting_module` flag, set to true inip_vs_ftp_exit() before unregistering the pernet subsystem. In__ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netnscleanup (when exiting_module is false) and defer it to__ip_vs_cleanup_batch(), which unregisters all apps after all connectionsare flushed. If called during module exit, unregister ip_vs_ftpimmediately.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40019 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: essiv - Check ssize for decryption and in-place encryptionMove the ssize check to the start in essiv_aead_crypt so thatit's also checked for decryption and in-place encryption.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40159 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:xsk: Harden userspace-supplied xdp_desc validationTurned out certain clearly invalid values passed in xdp_desc fromuserspace can pass xp_{,un}aligned_validate_desc() and then leadto UBs or just invalid frames to be queued for xmit.desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_lencan cause positive integer overflow and wraparound, the same way lowenough desc->addr with a non-zero pool->tx_metadata_len can causenegative integer overflow. Both scenarios can then pass thevalidation successfully.This doesn't happen with valid XSk applications, but can be usedto perform attacks.Always promote desc->len to ``u64`` first to exclude positiveoverflows of it. Use explicit check_{add,sub}_overflow() whenvalidating desc->addr (which is ``u64`` already).bloat-o-meter reports a little growth of the code size:add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)Function old new deltaxskq_cons_peek_desc 299 330 +31xsk_tx_peek_release_desc_batch 973 1002 +29xsk_generic_xmit 3148 3132 -16but hopefully this doesn't hurt the performance much.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40176 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tls: wait for pending async decryptions if tls_strp_msg_hold failsAsync decryption calls tls_strp_msg_hold to create a clone of theinput skb to hold references to the memory it uses. If we fail toallocate that clone, proceeding with async decryption can lead tovarious issues (UAF on the skb, writing into userspace memory afterthe recv() call has returned).In this case, wait for all pending decryption requests.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40186 Severity: Important CVSS3 score: 7.0

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().syzbot reported the splat below in tcp_conn_request(). [0]If a listener is close()d while a TFO socket is being processed intcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->skand calls inet_child_forget(), which calls tcp_disconnect() for theTFO socket.After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(),where reqsk_put() is called due to !reqsk->sk.Then, reqsk_fastopen_remove() in tcp_conn_request() decrements thelast req->rsk_refcnt and frees reqsk, and __reqsk_free() at thedrop_and_free label causes the refcount underflow for the listenerand double-free of the reqsk.Let's remove reqsk_fastopen_remove() in tcp_conn_request().Note that other callers make sure tp->fastopen_rsk is not NULL.[0]:refcount_t: underflow; use-after-free.WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28)Modules linked in:CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025RIP: 0010:refcount_warn_saturate (lib/refcount.c:28)Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0Call Trace: tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-58143 Severity: Important CVSS3 score: 7.0

Description: [This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.]There are multiple issues related to the handling and accessing of guestmemory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2025-15444 Severity: Moderate CVSS3 score: 6.8

Description: Crypt::Sodium::XS module versions prior to 0.000042, for Perl, include a vulnerable version of libsodiumlibsodium <= 1.0.20 or a version of libsodium released before December 30, 2025 contains a vulnerability documented as CVE-2025-69277 https://www.cve.org/CVERecord?id=CVE-2025-69277 .The libsodium vulnerability states:In atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.0.000042 includes a version of libsodium updated to 1.0.20-stable, released January 3, 2026, which includes a fix for the vulnerability.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.8.1).

CVE-2025-26465 Severity: Moderate CVSS3 score: 6.8

Description: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Packages affected:

sle-module-desktop-applications-release == 15.6 (version in image is 15.6-150600.37.2).
openssh > 0-0 (version in image is 9.6p1-150600.6.29.2).

CVE-2025-58147 Severity: Moderate CVSS3 score: 6.8

Description: [This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.]Some Viridian hypercalls can specify a mask of vCPU IDs as an input, inone of three formats. Xen has boundary checking bugs with all threeformats, which can cause out-of-bounds reads and writes while processingthe inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2025-58148 Severity: Moderate CVSS3 score: 6.8

Description: [This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.]Some Viridian hypercalls can specify a mask of vCPU IDs as an input, inone of three formats. Xen has boundary checking bugs with all threeformats, which can cause out-of-bounds reads and writes while processingthe inputs. * CVE-2025-58147. Hypercalls using the HV_VP_SET Sparse format can cause vpmask_set() to write out of bounds when converting the bitmap to Xen's format. * CVE-2025-58148. Hypercalls using any input format can cause send_ipi() to read d->vcpu[] out-of-bounds, and operate on a wild vCPU pointer.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2025-64505 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2025-64506 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2025-64720 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha x 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2025-65018 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2026-22185 Severity: Moderate CVSS3 score: 6.8

Description: OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libldap-2_4-2 > 0-0 (version in image is 2.4.46-150600.23.21).

CVE-2026-22801 Severity: Moderate CVSS3 score: 6.8

Description: LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libpng16-16 > 0-0 (version in image is 1.6.40-150600.1.3).

CVE-2023-53619 Severity: Moderate CVSS3 score: 6.7

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: conntrack: Avoid nf_ct_helper_hash uses after freeIf nf_conntrack_init_start() fails (for example due to aregister_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()clean-up path frees the nf_ct_helper_hash map.When built with NF_CONNTRACK=y, further netfilter modules (e.g:netfilter_conntrack_ftp) can still be loaded and callnf_conntrack_helpers_register(), independently of whether nf_conntrackinitialized correctly. This accesses the nf_ct_helper_hash danglingpointer and causes a uaf, possibly leading to random memory corruption.This patch guards nf_conntrack_helper_register() from accessing a freedor uninitialized nf_ct_helper_hash pointer and fixes possibleuses-after-free when loading a conntrack module.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-15366 Severity: Moderate CVSS3 score: 6.7

Description: The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-15367 Severity: Moderate CVSS3 score: 6.7

Description: The poplib module, when passed a user-controlled command, can haveadditional commands injected using newlines. Mitigation rejects commandscontaining control characters.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2023-53616 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmountsyzbot found an invalid-free in diUnmount:BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline]BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674Free of addr ffff88806f410000 by task syz-executor131/3632 CPU: 0 PID: 3632 Comm: syz-executor131 Not tainted 6.1.0-rc7-syzkaller-00012-gca57f02295f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:460 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1750 slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3674 diUnmount+0xef/0x100 fs/jfs/jfs_imap.c:195 jfs_umount+0x108/0x370 fs/jfs/jfs_umount.c:63 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1428 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1186 task_work_run+0x243/0x300 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x664/0x2070 kernel/exit.c:820 do_group_exit+0x1fd/0x2b0 kernel/exit.c:950 __do_sys_exit_group kernel/exit.c:961 [inline] __se_sys_exit_group kernel/exit.c:959 [inline] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:959 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd[...]JFS_IP(ipimap)->i_imap is not setting to NULL after free in diUnmount.If jfs_remount() free JFS_IP(ipimap)->i_imap but then failed at diMount().JFS_IP(ipimap)->i_imap will be freed once again.Fix this problem by setting JFS_IP(ipimap)->i_imap to NULL after free.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-13151 Severity: Moderate CVSS3 score: 6.6

Description: Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libtasn1 > 0-0 (version in image is 4.13-150000.4.11.1).

CVE-2025-38653 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.alCheck pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF inproc_get_inode()"). Followed by AI Viro's suggestion, fix it in samemanner.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39952 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: wilc1000: avoid buffer overflow in WID string configurationFix the following copy overflow warning identified by Smatch checker. drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)This patch introduces size check before accessing the memory buffer.The checks are base on the WID type of received data from the firmware.For WID string configuration, the size limit is determined by individualelement size in 'struct wilc_cfg_str_vals' that is maintained in 'len' fieldof 'struct wilc_cfg_str'.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39965 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: xfrm_alloc_spi shouldn't use 0 as SPIx->id.spi == 0 means "no SPI assigned", but since commit94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create statesand add them to the byspi list with this value.__xfrm_state_delete doesn't remove those states from the byspi list,since they shouldn't be there, and this shows up as a UAF the nexttime we go through the byspi list.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39971 Severity: Moderate CVSS3 score: 6.6

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: fix idx validation in config queues msgEnsure idx is within range of active/initialized TCs when iterating overvf->ch[idx] in i40e_vc_config_queues_msg().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-67499 Severity: Moderate CVSS3 score: 6.6

Description: The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-27466 Severity: Important CVSS3 score: 6.5

Description: [This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.]There are multiple issues related to the handling and accessing of guestmemory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2025-58142 Severity: Important CVSS3 score: 6.5

Description: [This CNA information record relates to multiple CVEs; thetext explains which aspects/vulnerabilities correspond to which CVE.]There are multiple issues related to the handling and accessing of guestmemory pages in the viridian code: 1. A NULL pointer dereference in the updating of the reference TSC area. This is CVE-2025-27466. 2. A NULL pointer dereference by assuming the SIM page is mapped when a synthetic timer message has to be delivered. This is CVE-2025-58142. 3. A race in the mapping of the reference TSC page, where a guest can get Xen to free a page while still present in the guest physical to machine (p2m) page tables. This is CVE-2025-58143.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2023-53539 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/rxe: Fix incomplete state save in rxe_requesterIf a send packet is dropped by the IP layer in rxe_requester()the call to rxe_xmit_packet() can fail with err == -EAGAIN.To recover, the state of the wqe is restored to the state beforethe packet was sent so it can be resent. However, the routinesthat save and restore the state miss a significnt part of thevariable state in the wqe, the dma struct which is used to processthrough the sge table. And, the state is not saved before the packetis built which modifies the dma struct.Under heavy stress testing with many QPs on a fast node sendinglarge messages to a slow node dropped packets are observed andthe resent packets are corrupted because the dma struct was notrestored. This patch fixes this behavior and allows the test casesto succeed.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53540 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: cfg80211: reject auth/assoc to AP with our addressIf the AP uses our own address as its MLD address or BSSID, thenclearly something's wrong. Reject such connections so we don'ttry and fail later.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53729 Severity: Moderate CVSS3 score: 6.5

Description: In the Linux kernel, the following vulnerability has been resolved:soc: qcom: qmi_encdec: Restrict string length in decodeThe QMI TLV value for strings in a lot of qmi element info structuresaccount for null terminated strings with MAX_LEN + 1. If a string isactually MAX_LEN + 1 length, this will cause an out of bounds accesswhen the NULL character is appended in decoding.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-11563 Severity: Moderate CVSS3 score: 6.5

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl < 8.14.1-150600.4.31.1 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-13836 Severity: Moderate CVSS3 score: 6.5

Description: When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-14512 Severity: Moderate CVSS3 score: 6.5

Description: A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.16.1).

CVE-2025-15282 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-58149 Severity: Moderate CVSS3 score: 6.5

Description: When passing through PCI devices, the detach logic in libxl won't removeaccess permissions to any 64bit memory BARs the device might have. As aresult a domain can still have access any 64bit memory BAR when suchdevice is no longer assigned to the domain.For PV domains the permission leak allows the domain itself to map the memoryin the page-tables. For HVM it would require a compromised device model orstubdomain to map the leaked memory into the HVM domain p2m.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
xen-libs < 4.18.5_08-150600.3.34.2 (version in image is 4.18.5_04-150600.3.28.1).

CVE-2025-68468 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.9.1).

CVE-2025-68471 Severity: Moderate CVSS3 score: 6.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.9.1).

CVE-2026-0865 Severity: Moderate CVSS3 score: 6.5

Description: User-controlled header names and values containing newlines can allow injecting HTTP headers.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-37916 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:pds_core: remove write-after-free of client_idA use-after-free error popped up in stress testing:[Mon Apr 21 21:21:33 2025] BUG: KFENCE: use-after-free write in pdsc_auxbus_dev_del+0xef/0x160 [pds_core][Mon Apr 21 21:21:33 2025] Use-after-free write at 0x000000007013ecd1 (in kfence-#47):[Mon Apr 21 21:21:33 2025] pdsc_auxbus_dev_del+0xef/0x160 [pds_core][Mon Apr 21 21:21:33 2025] pdsc_remove+0xc0/0x1b0 [pds_core][Mon Apr 21 21:21:33 2025] pci_device_remove+0x24/0x70[Mon Apr 21 21:21:33 2025] device_release_driver_internal+0x11f/0x180[Mon Apr 21 21:21:33 2025] driver_detach+0x45/0x80[Mon Apr 21 21:21:33 2025] bus_remove_driver+0x83/0xe0[Mon Apr 21 21:21:33 2025] pci_unregister_driver+0x1a/0x80The actual device uninit usually happens on a separate threadscheduled after this code runs, but there is no guarantee of orderof thread execution, so this could be a problem. There's noactual need to clear the client_id at this point, so simplyremove the offending code.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39866 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:fs: writeback: fix use-after-free in __mark_inode_dirty()An use-after-free issue occurred when __mark_inode_dirty() get thebdi_writeback that was in the progress of switching.CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1......pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : __mark_inode_dirty+0x124/0x418lr : __mark_inode_dirty+0x118/0x418sp : ffffffc08c9dbbc0........Call trace: __mark_inode_dirty+0x124/0x418 generic_update_time+0x4c/0x60 file_modified+0xcc/0xd0 ext4_buffered_write_iter+0x58/0x124 ext4_file_write_iter+0x54/0x704 vfs_write+0x1c0/0x308 ksys_write+0x74/0x10c __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x40/0xe4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x194/0x198Root cause is:systemd-random-seed kworker----------------------------------------------------------------------___mark_inode_dirty inode_switch_wbs_work_fn spin_lock(&inode->i_lock); inode_attach_wb locked_inode_to_wb_and_lock_list get inode->i_wb spin_unlock(&inode->i_lock); spin_lock(&wb->list_lock) spin_lock(&inode->i_lock) inode_io_list_move_locked spin_unlock(&wb->list_lock) spin_unlock(&inode->i_lock) spin_lock(&old_wb->list_lock) inode_do_switch_wbs spin_lock(&inode->i_lock) inode->i_wb = new_wb spin_unlock(&inode->i_lock) spin_unlock(&old_wb->list_lock) wb_put_many(old_wb, nr_switched) cgwb_release old wb released wb_wakeup_delayed() accesses wb, then trigger the use-after-free issueFix this race condition by holding inode spinlock untilwb_wakeup_delayed() finished.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39945 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:cnic: Fix use-after-free bugs in cnic_delete_taskThe original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(),which does not guarantee that the delayed work item 'delete_task' hasfully completed if it was already running. Additionally, the delayed workitem is cyclic, the flush_workqueue() in cnic_cm_stop_bnx2x_hw() onlyblocks and waits for work items that were already queued to theworkqueue prior to its invocation. Any work items submitted afterflush_workqueue() is called are not included in the set of tasks that theflush operation awaits. This means that after the cyclic work items havefinished executing, a delayed work item may still exist in the workqueue.This leads to use-after-free scenarios where the cnic_dev is deallocatedby cnic_free_dev(), while delete_task remains active and attempt todereference cnic_dev in cnic_delete_task().A typical race condition is illustrated below:CPU 0 (cleanup) | CPU 1 (delayed work callback)cnic_netdev_event() | cnic_stop_hw() | cnic_delete_task() cnic_cm_stop_bnx2x_hw() | ... cancel_delayed_work() | /* the queue_delayed_work() flush_workqueue() | executes after flush_workqueue()*/ | queue_delayed_work() cnic_free_dev(dev)//free | cnic_delete_task() //new instance | dev = cp->dev; //useReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensurethat the cyclic delayed work item is properly canceled and that anyongoing execution of the work item completes before the cnic_dev isdeallocated. Furthermore, since cancel_delayed_work_sync() uses__flush_work(work, true) to synchronously wait for any currentlyexecuting instance of the work item to finish, the flush_workqueue()becomes redundant and should be removed.This bug was identified through static analysis. To reproduce the issueand validate the fix, I simulated the cnic PCI device in QEMU andintroduced intentional delays - such as inserting calls to ssleep()within the cnic_delete_task() function - to increase the likelihoodof triggering the bug.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40121 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mappingWhen an invalid value is passed via quirk option, currentlybytcr_rt5640 driver just ignores and leaves as is, which may lead tounepxected results like OOB access.This patch adds the sanity check and corrects the input mapping to thecertain default value if an invalid value is passed.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40154 Severity: Moderate CVSS3 score: 6.4

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mappingWhen an invalid value is passed via quirk option, currentlybytcr_rt5640 driver only shows an error message but leaves as is.This may lead to unepxected results like OOB access.This patch corrects the input mapping to the certain default value ifan invalid value is passed.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-14017 Severity: Moderate CVSS3 score: 6.3

Description: When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,changing TLS options in one thread would inadvertently change them globallyand therefore possibly also affect other concurrently setup transfers.Disabling certificate verification for a specific transfer couldunintentionally disable the feature for other threads as well.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-38008 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:mm/page_alloc: fix race condition in unaccepted memory handlingThe page allocator tracks the number of zones that have unaccepted memoryusing static_branch_enc/dec() and uses that static branch in hot paths todetermine if it needs to deal with unaccepted memory.Borislav and Thomas pointed out that the tracking is racy: operations onstatic_branch are not serialized against adding/removing unaccepted pagesto/from the zone.Sanity checks inside static_branch machinery detects it:WARNING: CPU: 0 PID: 10 at kernel/jump_label.c:276 __static_key_slow_dec_cpuslocked+0x8e/0xa0The comment around the WARN() explains the problem: /* * Warn about the '-1' case though; since that means a * decrement is concurrent with a first (0->1) increment. IOW * people are trying to disable something that wasn't yet fully * enabled. This suggests an ordering problem on the user side. */The effect of this static_branch optimization is only visible onmicrobenchmark.Instead of adding more complexity around it, remove it altogether.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40043 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: nfc: nci: Add parameter validation for packet dataSyzbot reported an uninitialized value bug in nci_init_req, which wasintroduced by commit 5aca7966d2a7 ("Merge tag'perf-tools-fixes-for-v6.17-2025-09-16' ofgit://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools").This bug arises due to very limited and poor input validationthat was done at nic_valid_size(). This validation onlyvalidates the skb->len (directly reflects size provided at theuserspace interface) with the length provided in the bufferitself (interpreted as NCI_HEADER). This leads to the processingof memory content at the address assuming the correct layoutper what opcode requires there. This leads to the accesses tobuffer of `skb_buff->data` which is not assigned anything yet.Following the same silent drop of packets of invalid sizes at`nic_valid_size()`, add validation of the data in the respectivehandlers and return error values in case of failure. Releasethe skb if error values are returned from handlers in`nci_nft_packet` and effectively do a silent dropPossible TODO: because we silently drop the packets, thecall to `nci_request` will be waiting for completion of requestand will face timeouts. These timeouts can get excessively loggedin the dmesg. A proper handling of them may require to export`nci_request_cancel` (or propagate error handling from thenft packets handlers).

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40044 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:fs: udf: fix OOB read in lengthAllocDescs handlingWhen parsing Allocation Extent Descriptor, lengthAllocDescs comes fromon-disk data and must be validated against the block size. Crafted orcorrupted images may set lengthAllocDescs so that the total descriptorlength (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer,leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory andtrigger a KASAN use-after-free read.BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60Read of size 1 at addr ffff888041e7d000 by task syz-executor317/5309CPU: 0 UID: 0 PID: 5309 Comm: syz-executor317 Not tainted 6.12.0-rc4-syzkaller-00261-g850925a8133c #0Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 crc_itu_t+0x1d5/0x2b0 lib/crc-itu-t.c:60 udf_update_tag+0x70/0x6a0 fs/udf/misc.c:261 udf_write_aext+0x4d8/0x7b0 fs/udf/inode.c:2179 extent_trunc+0x2f7/0x4a0 fs/udf/truncate.c:46 udf_truncate_tail_extent+0x527/0x7e0 fs/udf/truncate.c:106 udf_release_file+0xc1/0x120 fs/udf/file.c:185 __fput+0x23f/0x880 fs/file_table.c:431 task_work_run+0x24f/0x310 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0xa2f/0x28e0 kernel/exit.c:939 do_group_exit+0x207/0x2c0 kernel/exit.c:1088 __do_sys_exit_group kernel/exit.c:1099 [inline] __se_sys_exit_group kernel/exit.c:1097 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1097 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Validate the computed total length against epos->bh->b_size.Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40141 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: ISO: Fix possible UAF on iso_conn_freeThis attempt to fix similar issue to sco_conn_free where if theconn->sk is not set to NULL may lead to UAF on iso_conn_free.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40149 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().get_netdev_for_sock() is called during setsockopt(),so not under RCU.Using sk_dst_get(sk)->dev could trigger UAF.Let's use __sk_dst_get() and dst_dev_rcu().Note that the only ->ndo_sk_get_lower_dev() user isbond_sk_get_lower_dev(), which uses RCU.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40168 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().smc_clc_prfx_match() is called from smc_listen_work() andnot under RCU nor RTNL.Using sk_dst_get(sk)->dev could trigger UAF.Let's use __sk_dst_get() and dst_dev_rcu().Note that the returned value of smc_clc_prfx_match() is notused in the caller.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40180 Severity: Moderate CVSS3 score: 6.3

Description: In the Linux kernel, the following vulnerability has been resolved:mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loopThe cleanup loop was starting at the wrong array index, causingout-of-bounds access.Start the loop at the correct index for zero-indexed arrays to preventaccessing memory beyond the allocated array bounds.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53541 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob writeWhen the oob buffer length is not in multiple of words, the oob writefunction does out-of-bounds read on the oob source buffer at the lastiteration. Fix that by always checking length limit on the oob bufferread and fill with 0xff when reaching the end of the buffer to the oobregisters.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53575 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: iwlwifi: mvm: fix potential array out of bounds accessAccount for IWL_SEC_WEP_KEY_OFFSET when needed while verifyingkey_len size in iwl_mvm_sec_key_add().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53665 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:md: don't dereference mddev after export_rdev()Except for initial reference, mddev->kobject is referenced byrdev->kobject, and if the last rdev is freed, there is no guarantee thatmddev is still valid. Hence mddev should not be used anymore afterexport_rdev().This problem can be triggered by following test for mdadm at verylow rate:New file: mdadm/tests/23rdev-lifetimedevname=${dev0##*/}devt=`cat /sys/block/$devname/dev`pid=""runtime=2clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state}trap 'clean_up_test' EXITadd_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done}remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done}echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed"add_by_sysfs &pid="$pid $!"remove_by_sysfs &pid="$pid $!"sleep $runtimeexit 0Test cmd:./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetimeTest result:general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6bcb: 0000 [#4] PREEMPT SMPCPU: 0 PID: 1292 Comm: test Tainted: G D W 6.5.0-rc2-00121-g01e55c376936 #562RIP: 0010:md_wakeup_thread+0x9e/0x320 [md_mod]Call Trace: mddev_unlock+0x1b6/0x310 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcdFix this problem by don't dereference mddev after export_rdev().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-11412 Severity: Moderate CVSS3 score: 6.1

Description: A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-11413 Severity: Moderate CVSS3 score: 6.1

Description: A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-11414 Severity: Moderate CVSS3 score: 6.1

Description: A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-14104 Severity: Moderate CVSS3 score: 6.1

Description: A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Packages affected:

sle-module-server-applications-release == 15.6 (version in image is 15.6-150600.37.2).
util-linux > 0-0 (version in image is 2.39.3-150600.4.12.2).

CVE-2025-39949 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:qed: Don't collect too many protection override GRC elementsIn the protection override dump path, the firmware can return far toomany GRC elements, resulting in attempting to write past the end of thepreviously-kmalloc'ed dump buffer.This will result in a kernel panic with reason: BUG: unable to handle kernel paging request at ADDRESSwhere "ADDRESS" is just past the end of the protection override dumpbuffer. The start address of the buffer is: p_hwfn->cdev->dbg_features[DBG_FEATURE_PROTECTION_OVERRIDE].dump_bufand the size of the buffer is buf_size in the same data structure.The panic can be arrived at from either the qede Ethernet driver path: [exception RIP: qed_grc_dump_addr_range+0x108] qed_protection_override_dump at ffffffffc02662ed [qed] qed_dbg_protection_override_dump at ffffffffc0267792 [qed] qed_dbg_feature at ffffffffc026aa8f [qed] qed_dbg_all_data at ffffffffc026b211 [qed] qed_fw_fatal_reporter_dump at ffffffffc027298a [qed] devlink_health_do_dump at ffffffff82497f61 devlink_health_report at ffffffff8249cf29 qed_report_fatal_error at ffffffffc0272baf [qed] qede_sp_task at ffffffffc045ed32 [qede] process_one_work at ffffffff81d19783or the qedf storage driver path: [exception RIP: qed_grc_dump_addr_range+0x108] qed_protection_override_dump at ffffffffc068b2ed [qed] qed_dbg_protection_override_dump at ffffffffc068c792 [qed] qed_dbg_feature at ffffffffc068fa8f [qed] qed_dbg_all_data at ffffffffc0690211 [qed] qed_fw_fatal_reporter_dump at ffffffffc069798a [qed] devlink_health_do_dump at ffffffff8aa95e51 devlink_health_report at ffffffff8aa9ae19 qed_report_fatal_error at ffffffffc0697baf [qed] qed_hw_err_notify at ffffffffc06d32d7 [qed] qed_spq_post at ffffffffc06b1011 [qed] qed_fcoe_destroy_conn at ffffffffc06b2e91 [qed] qedf_cleanup_fcport at ffffffffc05e7597 [qedf] qedf_rport_event_handler at ffffffffc05e7bf7 [qedf] fc_rport_work at ffffffffc02da715 [libfc] process_one_work at ffffffff8a319663Resolve this by clamping the firmware's return value to the maximumnumber of legal elements the firmware should return.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39955 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rskin the TCP_ESTABLISHED state. [0]syzbot reused the server-side TCP Fast Open socket as a new client beforethe TFO socket completes 3WHS: 1. accept() 2. connect(AF_UNSPEC) 3. connect() to another destinationAs of accept(), sk->sk_state is TCP_SYN_RECV, and tcp_disconnect() changesit to TCP_CLOSE and makes connect() possible, which restarts timers.Since tcp_disconnect() forgot to clear tcp_sk(sk)->fastopen_rsk, theretransmit timer triggered the warning and the intended packet was notretransmitted.Let's call reqsk_fastopen_remove() in tcp_disconnect().[0]:WARNING: CPU: 2 PID: 0 at net/ipv4/tcp_timer.c:542 tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))Modules linked in:CPU: 2 UID: 0 PID: 0 Comm: swapper/2 Not tainted 6.17.0-rc5-g201825fb4278 #62 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014RIP: 0010:tcp_retransmit_timer (net/ipv4/tcp_timer.c:542 (discriminator 7))Code: 41 55 41 54 55 53 48 8b af b8 08 00 00 48 89 fb 48 85 ed 0f 84 55 01 00 00 0f b6 47 12 3c 03 74 0c 0f b6 47 12 3c 04 74 04 90 <0f> 0b 90 48 8b 85 c0 00 00 00 48 89 ef 48 8b 40 30 e8 6a 4f 06 3eRSP: 0018:ffffc900002f8d40 EFLAGS: 00010293RAX: 0000000000000002 RBX: ffff888106911400 RCX: 0000000000000017RDX: 0000000002517619 RSI: ffffffff83764080 RDI: ffff888106911400RBP: ffff888106d5c000 R08: 0000000000000001 R09: ffffc900002f8de8R10: 00000000000000c2 R11: ffffc900002f8ff8 R12: ffff888106911540R13: ffff888106911480 R14: ffff888106911840 R15: ffffc900002f8de0FS: 0000000000000000(0000) GS:ffff88907b768000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f8044d69d90 CR3: 0000000002c30003 CR4: 0000000000370ef0Call Trace: tcp_write_timer (net/ipv4/tcp_timer.c:738) call_timer_fn (kernel/time/timer.c:1747) __run_timers (kernel/time/timer.c:1799 kernel/time/timer.c:2372) timer_expire_remote (kernel/time/timer.c:2385 kernel/time/timer.c:2376 kernel/time/timer.c:2135) tmigr_handle_remote_up (kernel/time/timer_migration.c:944 kernel/time/timer_migration.c:1035) __walk_groups.isra.0 (kernel/time/timer_migration.c:533 (discriminator 1)) tmigr_handle_remote (kernel/time/timer_migration.c:1096) handle_softirqs (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/irq.h:142 kernel/softirq.c:580) irq_exit_rcu (kernel/softirq.c:614 kernel/softirq.c:453 kernel/softirq.c:680 kernel/softirq.c:696) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1050 (discriminator 35) arch/x86/kernel/apic/apic.c:1050 (discriminator 35))

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39967 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:fbcon: fix integer overflow in fbcon_do_set_fontFix integer overflow vulnerabilities in fbcon_do_set_font() where fontsize calculations could overflow when handling user-controlled fontparameters.The vulnerabilities occur when:1. CALC_FONTSZ(h, pitch, charcount) performs h * pith * charcount multiplication with user-controlled values that can overflow.2. FONT_EXTRA_WORDS * sizeof(int) + size addition can also overflow3. This results in smaller allocations than expected, leading to buffer overflows during font data copying.Add explicit overflow checking using check_mul_overflow() andcheck_add_overflow() kernel helpers to safety validate all sizecalculations before allocation.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39970 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: fix input validation logic for action_metaFix condition to check 'greater or equal' to prevent OOB dereference.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39972 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: fix idx validation in i40e_validate_queue_mapEnsure idx is within range of active/initialized TCs when iterating overvf->ch[idx] in i40e_validate_queue_map().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40020 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:can: peak_usb: fix shift-out-of-bounds issueExplicitly uses a 64-bit constant when the number of bits used for itsshifting is 32 (which is the case for PC CAN FD interfaces supported bythis driver).[mkl: update subject, apply manually]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40049 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:Squashfs: fix uninit-value in squashfs_get_parentSyzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.This is caused by open_by_handle_at() being called with a file handlecontaining an invalid parent inode number. In particular the inode numberis that of a symbolic link, rather than a directory.Squashfs_get_parent() gets called with that symbolic link inode, andaccesses the parent member field. unsigned int parent_ino = squashfs_i(inode)->parent;Because non-directory inodes in Squashfs do not have a parent value, thisis uninitialised, and this causes an uninitialised value access.The fix is to initialise parent with the invalid inode 0, which will causean EINVAL error to be returned.Regular inodes used to share the parent field with the block_list_startfield. This is removed in this commit to enable the parent field tocontain the invalid inode number 0.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40056 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:vhost: vringh: Fix copy_to_iter return value checkThe return value of copy_to_iter can't be negative, check whether thecopied length is equal to the requested length instead of checking fornegative values.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40085 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: usb-audio: Fix NULL pointer deference in try_to_register_cardIn try_to_register_card(), the return value of usb_ifnum_to_if() ispassed directly to usb_interface_claimed() without a NULL check, whichwill lead to a NULL pointer dereference when creating an invalidUSB audio device. Fix this by adding a check to ensure the interfacepointer is valid before passing it to usb_interface_claimed().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40118 Severity: Moderate CVSS3 score: 6.1

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmodSince commit f7b705c238d1 ("scsi: pm80xx: Set phy_attached to zero whendevice is gone") UBSAN reports: UBSAN: array-index-out-of-bounds in drivers/scsi/pm8001/pm8001_sas.c:786:17 index 28 is out of range for type 'pm8001_phy [16]'on rmmod when using an expander.For a direct attached device, attached_phy contains the local phy id.For a device behind an expander, attached_phy contains the remote phyid, not the local phy id.I.e. while pm8001_ha will have pm8001_ha->chip->n_phy local phys, for adevice behind an expander, attached_phy can be much larger thanpm8001_ha->chip->n_phy (depending on the amount of phys of theexpander).E.g. on my system pm8001_ha has 8 phys with phy ids 0-7. One of theports has an expander connected. The expander has 31 phys with phy ids0-30.The pm8001_ha->phy array only contains the phys of the HBA. It does notcontain the phys of the expander. Thus, it is wrong to use attached_phyto index the pm8001_ha->phy array for a device behind an expander.Thus, we can only clear phy_attached for devices that are directlyattached.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-7545 Severity: Moderate CVSS3 score: 6.1

Description: A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-7546 Severity: Moderate CVSS3 score: 6.1

Description: A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2023-53663 Severity: Moderate CVSS3 score: 6.0

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: nSVM: Check instead of asserting on nested TSC scaling supportCheck for nested TSC scaling support on nested SVM VMRUN instead ofasserting that TSC scaling is exposed to L1 if L1's MSR_AMD64_TSC_RATIOhas diverged from KVM's default. Userspace can trigger the WARN at willby writing the MSR and then updating guest CPUID to hide the feature(modifying guest CPUID is allowed anytime before KVM_RUN). E.g. hackingKVM's state_test selftest to do vcpu_set_msr(vcpu, MSR_AMD64_TSC_RATIO, 0); vcpu_clear_cpuid_feature(vcpu, X86_FEATURE_TSCRATEMSR);after restoring state in a new VM+vCPU yields an endless supply of: ------------[ cut here ]------------ WARNING: CPU: 164 PID: 62565 at arch/x86/kvm/svm/nested.c:699 nested_vmcb02_prepare_control+0x3d6/0x3f0 [kvm_amd] Call Trace: enter_svm_guest_mode+0x114/0x560 [kvm_amd] nested_svm_vmrun+0x260/0x330 [kvm_amd] vmrun_interception+0x29/0x30 [kvm_amd] svm_invoke_exit_handler+0x35/0x100 [kvm_amd] svm_handle_exit+0xe7/0x180 [kvm_amd] kvm_arch_vcpu_ioctl_run+0x1eab/0x2570 [kvm] kvm_vcpu_ioctl+0x4c9/0x5b0 [kvm] __se_sys_ioctl+0x7a/0xc0 __x64_sys_ioctl+0x21/0x30 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x45ca1bNote, the nested #VMEXIT path has the same flaw, but needs a differentfix and will be handled separately.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2024-11584 Severity: Moderate CVSS3 score: 5.9

Description: cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
cloud-init > 0-0 (version in image is 23.3-150100.8.85.4).

CVE-2024-49761 Severity: Moderate CVSS3 score: 5.9

Description: REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.49.1).

CVE-2025-39797 Severity: Moderate CVSS3 score: 5.9

Description: In the Linux kernel, the following vulnerability has been resolved:xfrm: Duplicate SPI HandlingThe issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPINetlink message, which triggers the kernel function xfrm_alloc_spi().This function is expected to ensure uniqueness of the Security ParameterIndex (SPI) for inbound Security Associations (SAs). However, it canreturn success even when the requested SPI is already in use, leadingto duplicate SPIs assigned to multiple inbound SAs, differentiatedonly by their destination addresses.This behavior causes inconsistencies during SPI lookups for inbound packets.Since the lookup may return an arbitrary SA among those with the same SPI,packet processing can fail, resulting in packet drops.According to RFC 4301 section 4.4.2 , for inbound processing a unicast SAis uniquely identified by the SPI and optionally protocol.Reproducing the Issue Reliably:To consistently reproduce the problem, restrict the available SPI range incharon.conf : spi_min = 0x10000000 spi_max = 0x10000002This limits the system to only 2 usable SPI values.Next, create more than 2 Child SA. each using unique pair of src/dst address.As soon as the 3rd Child SA is initiated, it will be assigned a duplicateSPI, since the SPI pool is already exhausted.With a narrow SPI range, the issue is consistently reproducible.With a broader/default range, it becomes rare and unpredictable.Current implementation:xfrm_spi_hash() lookup function computes hash using daddr, proto, and family.So if two SAs have the same SPI but different destination addresses, thenthey will:a. Hash into different bucketsb. Be stored in different linked lists (byspi + h)c. Not be seen in the same hlist_for_each_entry_rcu() iteration.As a result, the lookup will result in NULL and kernel allows that Duplicate SPIProposed Change:xfrm_state_lookup_spi_proto() does a truly global search - across all states,regardless of hash bucket and matches SPI and proto.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-68972 Severity: Moderate CVSS3 score: 5.9

Description: In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gpg2 > 0-0 (version in image is 2.4.4-150600.3.9.1).

CVE-2023-53721 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath12k: Fix a NULL pointer dereference in ath12k_mac_op_hw_scan()In ath12k_mac_op_hw_scan(), the return value of kzalloc() is directlyused in memcpy(), which may lead to a NULL pointer dereference onfailure of kzalloc().Fix this bug by adding a check of arg.extraie.ptr.Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38552 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:mptcp: plug races between subflow fail and subflow creationWe have races similar to the one addressed by the previous patch betweensubflow failing and additional subflow creation. They are just harder totrigger.The solution is similar. Use a separate flag to track the condition'socket state prevent any additional subflow creation' protected by thefallback lock.The socket fallback makes such flag true, and also receiving or sendingan MP_FAIL option.The field 'allow_infinite_fallback' is now always touched under therelevant lock, we can drop the ONCE annotation on write.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38700 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocatedIn case of an ib_fast_reg_mr allocation failure during iSER setup, themachine hits a panic because iscsi_conn->dd_data is initializedunconditionally, even when no memory is allocated (dd_size == 0). Thisleads invalid pointer dereference during connection teardown.Fix by setting iscsi_conn->dd_data only if memory is actually allocated.Panic trace:------------ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12 iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers BUG: unable to handle page fault for address: fffffffffffffff8 RIP: 0010:swake_up_locked.part.5+0xa/0x40 Call Trace: complete+0x31/0x40 iscsi_iser_conn_stop+0x88/0xb0 [ib_iser] iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi] iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi] iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi] ? netlink_lookup+0x12f/0x1b0 ? netlink_deliver_tap+0x2c/0x200 netlink_unicast+0x1ab/0x280 netlink_sendmsg+0x257/0x4f0 ? _copy_from_user+0x29/0x60 sock_sendmsg+0x5f/0x70

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40001 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: mvsas: Fix use-after-free bugs in mvs_work_queueDuring the detaching of Marvell's SAS/SATA controller, the original codecalls cancel_delayed_work() in mvs_free() to cancel the delayed workitem mwq->work_q. However, if mwq->work_q is already running, thecancel_delayed_work() may fail to cancel it. This can lead touse-after-free scenarios where mvs_free() frees the mvs_info whilemvs_work_queue() is still executing and attempts to access thealready-freed mvs_info.A typical race condition is illustrated below:CPU 0 (remove) | CPU 1 (delayed work callback)mvs_pci_remove() | mvs_free() | mvs_work_queue() cancel_delayed_work() | kfree(mvi) | | mvi-> // UAFReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensurethat the delayed work item is properly canceled and any executingdelayed work item completes before the mvs_info is deallocated.This bug was found by static analysis.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40005 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:spi: cadence-quadspi: Implement refcount to handle unbind during busydriver support indirect read and indirect write operation withassumption no force device removal(unbind) operation. Howeverforce device removal(removal) is still available to root superuser.Unbinding driver during operation causes kernel crash. This changesensure driver able to handle such operation for indirect read andindirect write by implementing refcount to track attached devicesto the controller and gracefully wait and until attached devicesremove operation completed before proceed with removal operation.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40096 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:drm/sched: Fix potential double free in drm_sched_job_add_resv_dependenciesWhen adding dependencies with drm_sched_job_add_dependency(), thatfunction consumes the fence reference both on success and failure, so inthe latter case the dma_fence_put() on the error path (xarray failed toexpand) is a double free.Interestingly this bug appears to have been present ever sincecommit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since the codeback then looked like this:drm_sched_job_add_implicit_dependencies():... for (i = 0; i < fence_count; i++) { ret = drm_sched_job_add_dependency(job, fences[i]); if (ret) break; } for (; i < fence_count; i++) dma_fence_put(fences[i]);Which means for the failing 'i' the dma_fence_put was already a doublefree. Possibly there were no users at that time, or the test cases wereinsufficient to hit it.The bug was then only noticed and fixed aftercommit 9c2ba265352a ("drm/scheduler: use new iterator in drm_sched_job_add_implicit_dependencies v2")landed, with its fixup ofcommit 4eaf02d6076c ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies").At that point it was a slightly different flavour of a double free, whichcommit 963d0b356935 ("drm/scheduler: fix drm_sched_job_add_implicit_dependencies harder")noticed and attempted to fix.But it only moved the double free from happening inside thedrm_sched_job_add_dependency(), when releasing the reference not yetobtained, to the caller, when releasing the reference already released bythe former in the failure case.As such it is not easy to identify the right target for the fixes tag solets keep it simple and just continue the chain.While fixing we also improve the comment and explain the reason for takingthe reference and not dropping it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40169 Severity: Moderate CVSS3 score: 5.8

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Reject negative offsets for ALU opsWhen verifying BPF programs, the check_alu_op() function validatesinstructions with ALU operations. The 'offset' field in theseinstructions is a signed 16-bit integer.The existing check 'insn->off > 1' was intended to ensure the offset iseither 0, or 1 for BPF_MOD/BPF_DIV. However, because 'insn->off' issigned, this check incorrectly accepts all negative values (e.g., -1).This commit tightens the validation by changing the condition to'(insn->off != 0 && insn->off != 1)'. This ensures that any valueother than the explicitly permitted 0 and 1 is rejected, hardening theverifier against malformed BPF programs.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2022-50253 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: make sure skb->len != 0 when redirecting to a tunneling devicesyzkaller managed to trigger another case where skb->len == 0when we enter __dev_queue_xmit:WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx_skb net/core/filter.c:2115 [inline] __bpf_redirect_no_mac net/core/filter.c:2140 [inline] __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 ____bpf_clone_redirect net/core/filter.c:2447 [inline] bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419 bpf_prog_48159a89cb4a9a16+0x59/0x5e bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline] __bpf_prog_run include/linux/filter.h:596 [inline] bpf_prog_run include/linux/filter.h:603 [inline] bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402 bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170 bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 __do_sys_bpf kernel/bpf/syscall.c:5091 [inline] __se_sys_bpf kernel/bpf/syscall.c:5089 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x61/0xc6The reproducer doesn't really reproduce outside of syzkallerenvironment, so I'm taking a guess here. It looks like wedo generate correct ETH_HLEN-sized packet, but we redirectthe packet to the tunneling device. Before we do so, we__skb_pull l2 header and arrive again at skb->len == 0.Doesn't seem like we can do anything better than havingan explicit check after __skb_pull?

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53543 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length checkThe vdpa_nl_policy structure is used to validate the nlattr when parsingthe incoming nlmsg. It will ensure the attribute being described producesa valid nlattr pointer in info->attrs before entering into each handlerin vdpa_nl_ops.That is to say, the missing part in vdpa_nl_policy may lead to illegalnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.This patch adds the missing nla_policy for vdpa max vqp attr to avoidsuch bugs.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53545 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: unmap and remove csa_va properlyRoot PD BO should be reserved before unmap and removea bo_va from VM otherwise lockdep will complain.v2: check fpriv->csa_va is not NULL instead of amdgpu_mcbp (christian)[14616.936827] WARNING: CPU: 6 PID: 1711 at drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c:1762 amdgpu_vm_bo_del+0x399/0x3f0 [amdgpu][14616.937096] Call Trace:[14616.937097] [14616.937102] amdgpu_driver_postclose_kms+0x249/0x2f0 [amdgpu][14616.937187] drm_file_free+0x1d6/0x300 [drm][14616.937207] drm_close_helper.isra.0+0x62/0x70 [drm][14616.937220] drm_release+0x5e/0x100 [drm][14616.937234] __fput+0x9f/0x280[14616.937239] ____fput+0xe/0x20[14616.937241] task_work_run+0x61/0x90[14616.937246] exit_to_user_mode_prepare+0x215/0x220[14616.937251] syscall_exit_to_user_mode+0x2a/0x60[14616.937254] do_syscall_64+0x48/0x90[14616.937257] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53546 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctxwhen mlx5_cmd_exec failed in mlx5dr_cmd_create_reformat_ctx, the memorypointed by 'in' is not released, which will cause memory leak. Move memoryrelease after mlx5_cmd_exec.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53548 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urbThe syzbot fuzzer identified a problem in the usbnet driver:usb 1-1: BOGUS urb xfer, pipe 3 != type 1WARNING: CPU: 0 PID: 754 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504Modules linked in:CPU: 0 PID: 754 Comm: kworker/0:2 Not tainted 6.4.0-rc7-syzkaller-00014-g692b7dc87ca6 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023Workqueue: mld mld_ifc_workRIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504Code: 7c 24 18 e8 2c b4 5b fb 48 8b 7c 24 18 e8 42 07 f0 fe 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 c9 fc 8a e8 5a 6f 23 fb <0f> 0b e9 58 f8 ff ff e8 fe b3 5b fb 48 81 c5 c0 05 00 00 e9 84 f7RSP: 0018:ffffc9000463f568 EFLAGS: 00010086RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000RDX: ffff88801eb28000 RSI: ffffffff814c03b7 RDI: 0000000000000001RBP: ffff8881443b7190 R08: 0000000000000001 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000003R13: ffff88802a77cb18 R14: 0000000000000003 R15: ffff888018262500FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000556a99c15a18 CR3: 0000000028c71000 CR4: 0000000000350ef0Call Trace: usbnet_start_xmit+0xfe5/0x2190 drivers/net/usb/usbnet.c:1453 __netdev_start_xmit include/linux/netdevice.h:4918 [inline] netdev_start_xmit include/linux/netdevice.h:4932 [inline] xmit_one net/core/dev.c:3578 [inline] dev_hard_start_xmit+0x187/0x700 net/core/dev.c:3594...This bug is caused by the fact that usbnet trusts the bulk endpointaddresses its probe routine receives in the driver_info structure, andit does not check to see that these endpoints actually exist and havethe expected type and directions.The fix is simply to add such a check.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53550 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cpufreq: amd-pstate: fix global sysfs attribute typeIn commit 3666062b87ec ("cpufreq: amd-pstate: move to use bus_get_dev_root()")the "amd_pstate" attributes where moved from a dedicated kobject to thecpu root kobject.While the dedicated kobject expects to contain kobj_attributes the rootkobject needs device_attributes.As the changed arguments are not used by the callbacks it works most ofthe time.However CFI will detect this issue:[ 4947.849350] CFI failure at dev_attr_show+0x24/0x60 (target: show_status+0x0/0x70; expected type: 0x8651b1de)...[ 4947.849409] Call Trace:[ 4947.849410] [ 4947.849411] ? __warn+0xcf/0x1c0[ 4947.849414] ? dev_attr_show+0x24/0x60[ 4947.849415] ? report_cfi_failure+0x4e/0x60[ 4947.849417] ? handle_cfi_failure+0x14c/0x1d0[ 4947.849419] ? __cfi_show_status+0x10/0x10[ 4947.849420] ? handle_bug+0x4f/0x90[ 4947.849421] ? exc_invalid_op+0x1a/0x60[ 4947.849422] ? asm_exc_invalid_op+0x1a/0x20[ 4947.849424] ? __cfi_show_status+0x10/0x10[ 4947.849425] ? dev_attr_show+0x24/0x60[ 4947.849426] sysfs_kf_seq_show+0xa6/0x110[ 4947.849433] seq_read_iter+0x16c/0x4b0[ 4947.849436] vfs_read+0x272/0x2d0[ 4947.849438] ksys_read+0x72/0xe0[ 4947.849439] do_syscall_64+0x76/0xb0[ 4947.849440] ? do_user_addr_fault+0x252/0x650[ 4947.849442] ? exc_page_fault+0x7a/0x1b0[ 4947.849443] entry_SYSCALL_64_after_hwframe+0x72/0xdc

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53552 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/i915: mark requests for GuC virtual engines to avoid use-after-freeReferences to i915_requests may be trapped by userspace inside async_file or dmabuf (dma-resv) and held indefinitely across differentproceses. To counter-act the memory leaks, we try to not to keepreferences from the request past their completion.On the other side on fence release we need to know if rq->engineis valid and points to hw engine (true for non-virtual requests).To make it possible extra bit has been added to rq->execution_mask,for marking virtual engines.(cherry picked from commit 280410677af763f3871b93e794a199cfcf6fb580)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53553 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:HID: hyperv: avoid struct memcpy overrun warningA previous patch addressed the fortified memcpy warning for mostbuilds, but I still see this one with gcc-9:In file included from include/linux/string.h:254, from drivers/hid/hid-hyperv.c:8:In function 'fortify_memcpy_chk', inlined from 'mousevsc_on_receive' at drivers/hid/hid-hyperv.c:272:3:include/linux/fortify-string.h:583:4: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning] 583 | __write_overflow_field(p_size_field, size); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~My guess is that the WARN_ON() itself is what confuses gcc, so it nolonger sees that there is a correct range check. Rework the code in away that helps readability and avoids the warning.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53554 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()The "exc->key_len" is a u16 that comes from the user. If it's overIW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53555 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/damon/core: initialize damo_filter->list from damos_new_filter()damos_new_filter() is not initializing the list field of newly allocatedfilter object. However, DAMON sysfs interface and DAMON_RECLAIM are notinitializing it after calling damos_new_filter(). As a result, accessinguninitialized memory is possible. Actually, adding multiple DAMOS filtersvia DAMON sysfs interface caused NULL pointer dereferencing. Initializethe field just after the allocation from damos_new_filter().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53556 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iavf: Fix use-after-free in free_netdevWe do netif_napi_add() for all allocated q_vectors[], but potentiallydo netif_napi_del() for part of them, then kfree q_vectors and leaveinvalid pointers at dev->napi_list.Reproducer: [root@host ~]# cat repro.sh #!/bin/bash pf_dbsf="0000:41:00.0" vf0_dbsf="0000:41:02.0" g_pids=() function do_set_numvf() { echo 2 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs sleep $((RANDOM%3+1)) echo 0 >/sys/bus/pci/devices/${pf_dbsf}/sriov_numvfs sleep $((RANDOM%3+1)) } function do_set_channel() { local nic=$(ls -1 --indicator-style=none /sys/bus/pci/devices/${vf0_dbsf}/net/) [ -z "$nic" ] && { sleep $((RANDOM%3)) ; return 1; } ifconfig $nic 192.168.18.5 netmask 255.255.255.0 ifconfig $nic up ethtool -L $nic combined 1 ethtool -L $nic combined 4 sleep $((RANDOM%3)) } function on_exit() { local pid for pid in "${g_pids[@]}"; do kill -0 "$pid" &>/dev/null && kill "$pid" &>/dev/null done g_pids=() } trap "on_exit; exit" EXIT while :; do do_set_numvf ; done & g_pids+=($!) while :; do do_set_channel ; done & g_pids+=($!) waitResult:[ 4093.900222] ==================================================================[ 4093.900230] BUG: KASAN: use-after-free in free_netdev+0x308/0x390[ 4093.900232] Read of size 8 at addr ffff88b4dc145640 by task repro.sh/6699[ 4093.900233][ 4093.900236] CPU: 10 PID: 6699 Comm: repro.sh Kdump: loaded Tainted: G O --------- -t - 4.18.0 #1[ 4093.900238] Hardware name: Powerleader PR2008AL/H12DSi-N6, BIOS 2.0 04/09/2021[ 4093.900239] Call Trace:[ 4093.900244] dump_stack+0x71/0xab[ 4093.900249] print_address_description+0x6b/0x290[ 4093.900251] ? free_netdev+0x308/0x390[ 4093.900252] kasan_report+0x14a/0x2b0[ 4093.900254] free_netdev+0x308/0x390[ 4093.900261] iavf_remove+0x825/0xd20 [iavf][ 4093.900265] pci_device_remove+0xa8/0x1f0[ 4093.900268] device_release_driver_internal+0x1c6/0x460[ 4093.900271] pci_stop_bus_device+0x101/0x150[ 4093.900273] pci_stop_and_remove_bus_device+0xe/0x20[ 4093.900275] pci_iov_remove_virtfn+0x187/0x420[ 4093.900277] ? pci_iov_add_virtfn+0xe10/0xe10[ 4093.900278] ? pci_get_subsys+0x90/0x90[ 4093.900280] sriov_disable+0xed/0x3e0[ 4093.900282] ? bus_find_device+0x12d/0x1a0[ 4093.900290] i40e_free_vfs+0x754/0x1210 [i40e][ 4093.900298] ? i40e_reset_all_vfs+0x880/0x880 [i40e][ 4093.900299] ? pci_get_device+0x7c/0x90[ 4093.900300] ? pci_get_subsys+0x90/0x90[ 4093.900306] ? pci_vfs_assigned.part.7+0x144/0x210[ 4093.900309] ? __mutex_lock_slowpath+0x10/0x10[ 4093.900315] i40e_pci_sriov_configure+0x1fa/0x2e0 [i40e][ 4093.900318] sriov_numvfs_store+0x214/0x290[ 4093.900320] ? sriov_totalvfs_show+0x30/0x30[ 4093.900321] ? __mutex_lock_slowpath+0x10/0x10[ 4093.900323] ? __check_object_size+0x15a/0x350[ 4093.900326] kernfs_fop_write+0x280/0x3f0[ 4093.900329] vfs_write+0x145/0x440[ 4093.900330] ksys_write+0xab/0x160[ 4093.900332] ? __ia32_sys_read+0xb0/0xb0[ 4093.900334] ? fput_many+0x1a/0x120[ 4093.900335] ? filp_close+0xf0/0x130[ 4093.900338] do_syscall_64+0xa0/0x370[ 4093.900339] ? page_fault+0x8/0x30[ 4093.900341] entry_SYSCALL_64_after_hwframe+0x65/0xca[ 4093.900357] RIP: 0033:0x7f16ad4d22c0[ 4093.900359] Code: 73 01 c3 48 8b 0d d8 cb 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 24 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe dd 01 00 48 89 04 24[ 4093.900360] RSP: 002b:00007ffd6491b7f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001[ 4093.900362] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f16ad4d22c0[ 4093.900363] RDX: 0000000000000002 RSI: 0000000001a41408 RDI: 0000000000000001[ 4093.900364] RBP: 0000000001a41408 R08: 00007f16ad7a1780 R09: 00007f16ae1f2700[ 4093.9003---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53557 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fprobe: Release rethook after the ftrace_ops is unregisteredWhile running bpf selftests it's possible to get following fault: general protection fault, probably for non-canonical address \ 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC NOPTI ... Call Trace: fprobe_handler+0xc1/0x270 ? __pfx_bpf_testmod_init+0x10/0x10 ? __pfx_bpf_testmod_init+0x10/0x10 ? bpf_fentry_test1+0x5/0x10 ? bpf_fentry_test1+0x5/0x10 ? bpf_testmod_init+0x22/0x80 ? do_one_initcall+0x63/0x2e0 ? rcu_is_watching+0xd/0x40 ? kmalloc_trace+0xaf/0xc0 ? do_init_module+0x60/0x250 ? __do_sys_finit_module+0xac/0x120 ? do_syscall_64+0x37/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc In unregister_fprobe function we can't release fp->rethook while it'spossible there are some of its users still running on another cpu.Moving rethook_free call after fp->ops is unregistered withunregister_ftrace_function call.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53558 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:rcu-tasks: Avoid pr_info() with spin lock in cblist_init_generic()pr_info() is called with rtp->cbs_gbl_lock spin lock locked. Becausepr_info() calls printk() that might sleep, this will result in BUGlike below:[ 0.206455] cblist_init_generic: Setting adjustable number of callback queues.[ 0.206463][ 0.206464] =============================[ 0.206464] [ BUG: Invalid wait context ][ 0.206465] 5.19.0-00428-g9de1f9c8ca51 #5 Not tainted[ 0.206466] -----------------------------[ 0.206466] swapper/0/1 is trying to lock:[ 0.206467] ffffffffa0167a58 (&port_lock_key){....}-{3:3}, at: serial8250_console_write+0x327/0x4a0[ 0.206473] other info that might help us debug this:[ 0.206473] context-{5:5}[ 0.206474] 3 locks held by swapper/0/1:[ 0.206474] #0: ffffffff9eb597e0 (rcu_tasks.cbs_gbl_lock){....}-{2:2}, at: cblist_init_generic.constprop.0+0x14/0x1f0[ 0.206478] #1: ffffffff9eb579c0 (console_lock){+.+.}-{0:0}, at: _printk+0x63/0x7e[ 0.206482] #2: ffffffff9ea77780 (console_owner){....}-{0:0}, at: console_emit_next_record.constprop.0+0x111/0x330[ 0.206485] stack backtrace:[ 0.206486] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.19.0-00428-g9de1f9c8ca51 #5[ 0.206488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014[ 0.206489] Call Trace:[ 0.206490] [ 0.206491] dump_stack_lvl+0x6a/0x9f[ 0.206493] __lock_acquire.cold+0x2d7/0x2fe[ 0.206496] ? stack_trace_save+0x46/0x70[ 0.206497] lock_acquire+0xd1/0x2f0[ 0.206499] ? serial8250_console_write+0x327/0x4a0[ 0.206500] ? __lock_acquire+0x5c7/0x2720[ 0.206502] _raw_spin_lock_irqsave+0x3d/0x90[ 0.206504] ? serial8250_console_write+0x327/0x4a0[ 0.206506] serial8250_console_write+0x327/0x4a0[ 0.206508] console_emit_next_record.constprop.0+0x180/0x330[ 0.206511] console_unlock+0xf7/0x1f0[ 0.206512] vprintk_emit+0xf7/0x330[ 0.206514] _printk+0x63/0x7e[ 0.206516] cblist_init_generic.constprop.0.cold+0x24/0x32[ 0.206518] rcu_init_tasks_generic+0x5/0xd9[ 0.206522] kernel_init_freeable+0x15b/0x2a2[ 0.206523] ? rest_init+0x160/0x160[ 0.206526] kernel_init+0x11/0x120[ 0.206527] ret_from_fork+0x1f/0x30[ 0.206530] [ 0.207018] cblist_init_generic: Setting shift to 1 and lim to 1.This patch moves pr_info() so that it is called withoutrtp->cbs_gbl_lock locked.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53559 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ip_vti: fix potential slab-use-after-free in decode_session6When ip_vti device is set to the qdisc of the sfb type, the cb fieldof the sent skb may be modified during enqueuing. Then,slab-use-after-free may occur when ip_vti device sends IPv6 packets.As commit f855691975bb ("xfrm6: Fix the nexthdr offset in_decode_session6.") showed, xfrm_decode_session was originally intendedonly for the receive path. IP6CB(skb)->nhoff is not set duringtransmission. Therefore, set the cb field in the skb to 0 beforesending packets.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53560 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing/histograms: Add histograms to hist_vars if they have referenced variablesHist triggers can have referenced variables without having directvariables fields. This can be the case if referenced variables are addedfor trigger actions. In this case the newly added references will nothave field variables. Not taking such referenced variables intoconsideration can result in a bug where it would be possible to removehist trigger with variables being refenced. This will result in a bugthat is easily reproducable like so$ cd /sys/kernel/tracing$ echo 'synthetic_sys_enter char[] comm; long id' >> synthetic_events$ echo 'hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger$ echo 'hist:keys=common_pid.execname,id.syscall:onmatch(raw_syscalls.sys_enter).synthetic_sys_enter($comm, id)' >> events/raw_syscalls/sys_enter/trigger$ echo '!hist:keys=common_pid.execname,id.syscall:vals=hitcount:comm=common_pid.execname' >> events/raw_syscalls/sys_enter/trigger[ 100.263533] ==================================================================[ 100.264634] BUG: KASAN: slab-use-after-free in resolve_var_refs+0xc7/0x180[ 100.265520] Read of size 8 at addr ffff88810375d0f0 by task bash/439[ 100.266320][ 100.266533] CPU: 2 PID: 439 Comm: bash Not tainted 6.5.0-rc1 #4[ 100.267277] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-20220807_005459-localhost 04/01/2014[ 100.268561] Call Trace:[ 100.268902] [ 100.269189] dump_stack_lvl+0x4c/0x70[ 100.269680] print_report+0xc5/0x600[ 100.270165] ? resolve_var_refs+0xc7/0x180[ 100.270697] ? kasan_complete_mode_report_info+0x80/0x1f0[ 100.271389] ? resolve_var_refs+0xc7/0x180[ 100.271913] kasan_report+0xbd/0x100[ 100.272380] ? resolve_var_refs+0xc7/0x180[ 100.272920] __asan_load8+0x71/0xa0[ 100.273377] resolve_var_refs+0xc7/0x180[ 100.273888] event_hist_trigger+0x749/0x860[ 100.274505] ? kasan_save_stack+0x2a/0x50[ 100.275024] ? kasan_set_track+0x29/0x40[ 100.275536] ? __pfx_event_hist_trigger+0x10/0x10[ 100.276138] ? ksys_write+0xd1/0x170[ 100.276607] ? do_syscall_64+0x3c/0x90[ 100.277099] ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8[ 100.277771] ? destroy_hist_data+0x446/0x470[ 100.278324] ? event_hist_trigger_parse+0xa6c/0x3860[ 100.278962] ? __pfx_event_hist_trigger_parse+0x10/0x10[ 100.279627] ? __kasan_check_write+0x18/0x20[ 100.280177] ? mutex_unlock+0x85/0xd0[ 100.280660] ? __pfx_mutex_unlock+0x10/0x10[ 100.281200] ? kfree+0x7b/0x120[ 100.281619] ? ____kasan_slab_free+0x15d/0x1d0[ 100.282197] ? event_trigger_write+0xac/0x100[ 100.282764] ? __kasan_slab_free+0x16/0x20[ 100.283293] ? __kmem_cache_free+0x153/0x2f0[ 100.283844] ? sched_mm_cid_remote_clear+0xb1/0x250[ 100.284550] ? __pfx_sched_mm_cid_remote_clear+0x10/0x10[ 100.285221] ? event_trigger_write+0xbc/0x100[ 100.285781] ? __kasan_check_read+0x15/0x20[ 100.286321] ? __bitmap_weight+0x66/0xa0[ 100.286833] ? _find_next_bit+0x46/0xe0[ 100.287334] ? task_mm_cid_work+0x37f/0x450[ 100.287872] event_triggers_call+0x84/0x150[ 100.288408] trace_event_buffer_commit+0x339/0x430[ 100.289073] ? ring_buffer_event_data+0x3f/0x60[ 100.292189] trace_event_raw_event_sys_enter+0x8b/0xe0[ 100.295434] syscall_trace_enter.constprop.0+0x18f/0x1b0[ 100.298653] syscall_enter_from_user_mode+0x32/0x40[ 100.301808] do_syscall_64+0x1a/0x90[ 100.304748] entry_SYSCALL_64_after_hwframe+0x6e/0xd8[ 100.307775] RIP: 0033:0x7f686c75c1cb[ 100.310617] Code: 73 01 c3 48 8b 0d 65 3c 10 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 21 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 3c 10 00 f7 d8 64 89 01 48[ 100.317847] RSP: 002b:00007ffc60137a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000021[ 100.321200] RA---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53563 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cpufreq: amd-pstate-ut: Fix kernel panic when loading the driverAfter loading the amd-pstate-ut driver, amd_pstate_ut_check_perf()and amd_pstate_ut_check_freq() use cpufreq_cpu_get() to get the policyof the CPU and mark it as busy.In these functions, cpufreq_cpu_put() should be used to release thepolicy, but it is not, so any other entity trying to access the policyis blocked indefinitely.One such scenario is when amd_pstate mode is changed, leading to thefollowing splat:[ 1332.103727] INFO: task bash:2929 blocked for more than 120 seconds.[ 1332.110001] Not tainted 6.5.0-rc2-amd-pstate-ut #5[ 1332.115315] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.[ 1332.123140] task:bash state:D stack:0 pid:2929 ppid:2873 flags:0x00004006[ 1332.123143] Call Trace:[ 1332.123145] [ 1332.123148] __schedule+0x3c1/0x16a0[ 1332.123154] ? _raw_read_lock_irqsave+0x2d/0x70[ 1332.123157] schedule+0x6f/0x110[ 1332.123160] schedule_timeout+0x14f/0x160[ 1332.123162] ? preempt_count_add+0x86/0xd0[ 1332.123165] __wait_for_common+0x92/0x190[ 1332.123168] ? __pfx_schedule_timeout+0x10/0x10[ 1332.123170] wait_for_completion+0x28/0x30[ 1332.123173] cpufreq_policy_put_kobj+0x4d/0x90[ 1332.123177] cpufreq_policy_free+0x157/0x1d0[ 1332.123178] ? preempt_count_add+0x58/0xd0[ 1332.123180] cpufreq_remove_dev+0xb6/0x100[ 1332.123182] subsys_interface_unregister+0x114/0x120[ 1332.123185] ? preempt_count_add+0x58/0xd0[ 1332.123187] ? __pfx_amd_pstate_change_driver_mode+0x10/0x10[ 1332.123190] cpufreq_unregister_driver+0x3b/0xd0[ 1332.123192] amd_pstate_change_driver_mode+0x1e/0x50[ 1332.123194] store_status+0xe9/0x180[ 1332.123197] dev_attr_store+0x1b/0x30[ 1332.123199] sysfs_kf_write+0x42/0x50[ 1332.123202] kernfs_fop_write_iter+0x143/0x1d0[ 1332.123204] vfs_write+0x2df/0x400[ 1332.123208] ksys_write+0x6b/0xf0[ 1332.123210] __x64_sys_write+0x1d/0x30[ 1332.123213] do_syscall_64+0x60/0x90[ 1332.123216] ? fpregs_assert_state_consistent+0x2e/0x50[ 1332.123219] ? exit_to_user_mode_prepare+0x49/0x1a0[ 1332.123223] ? irqentry_exit_to_user_mode+0xd/0x20[ 1332.123225] ? irqentry_exit+0x3f/0x50[ 1332.123226] ? exc_page_fault+0x8e/0x190[ 1332.123228] entry_SYSCALL_64_after_hwframe+0x6e/0xd8[ 1332.123232] RIP: 0033:0x7fa74c514a37[ 1332.123234] RSP: 002b:00007ffe31dd0788 EFLAGS: 00000246 ORIG_RAX: 0000000000000001[ 1332.123238] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fa74c514a37[ 1332.123239] RDX: 0000000000000008 RSI: 000055e27c447aa0 RDI: 0000000000000001[ 1332.123241] RBP: 000055e27c447aa0 R08: 00007fa74c5d1460 R09: 000000007fffffff[ 1332.123242] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008[ 1332.123244] R13: 00007fa74c61a780 R14: 00007fa74c616600 R15: 00007fa74c615a00[ 1332.123247] Fix this by calling cpufreq_cpu_put() wherever necessary.[ rjw: Subject and changelog edits ]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53568 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390/zcrypt: don't leak memory if dev_set_name() failsWhen dev_set_name() fails, zcdn_create() doesn't free the newlyallocated resources. Do it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53570 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems()nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count thenumber of MBSSID elements in the nested netlink attribute attrs, which canlead to an integer overflow if a user of the nl80211 interface specifies256 or more elements in the corresponding attribute in userspace. Theinteger overflow can lead to a heap buffer overflow as num_elems determinesthe size of the trailing array in elems, and this array is thereafterwritten to for each element in attrs.Note that this vulnerability only affects devices with thewiphy->mbssid_max_interfaces member set for the wireless physical devicestruct in the device driver, and can only be triggered by a process withCAP_NET_ADMIN capabilities.Fix this by checking for a maximum of 255 elements in attrs.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53572 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:clk: imx: scu: use _safe list iterator to avoid a use after freeThis loop is freeing "clk" so it needs to use list_for_each_entry_safe().Otherwise it dereferences a freed variable to get the next item on theloop.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53577 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, cpumap: Make sure kthread is running before map update returnsThe following warning was reported when running stress-mode enabledxdp_redirect_cpu with some RT threads: ------------[ cut here ]------------ WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135 CPU: 4 PID: 65 Comm: kworker/4:1 Not tainted 6.5.0-rc2+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: events cpu_map_kthread_stop RIP: 0010:put_cpu_map_entry+0xda/0x220 ...... Call Trace: ? show_regs+0x65/0x70 ? __warn+0xa5/0x240 ...... ? put_cpu_map_entry+0xda/0x220 cpu_map_kthread_stop+0x41/0x60 process_one_work+0x6b0/0xb80 worker_thread+0x96/0x720 kthread+0x1a5/0x1f0 ret_from_fork+0x3a/0x70 ret_from_fork_asm+0x1b/0x30 The root cause is the same as commit 436901649731 ("bpf: cpumap: Fix memoryleak in cpu_map_update_elem"). The kthread is stopped prematurely bykthread_stop() in cpu_map_kthread_stop(), and kthread() doesn't callcpu_map_kthread_run() at all but XDP program has already queued someframes or skbs into ptr_ring. So when __cpu_map_ring_cleanup() checksthe ptr_ring, it will find it was not emptied and report a warning.An alternative fix is to use __cpu_map_ring_cleanup() to drop thesepending frames or skbs when kthread_stop() returns -EINTR, but it mayconfuse the user, because these frames or skbs have been handledcorrectly by XDP program. So instead of dropping these frames or skbs,just make sure the per-cpu kthread is running before__cpu_map_entry_alloc() returns.After apply the fix, the error handle for kthread_stop() will beunnecessary because it will always return 0, so just remove it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53579 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:gpio: mvebu: fix irq domain leakUwe Kleine-K?nig pointed out we still have one resource leak in the mvebudriver triggered on driver detach. Let's address it with a custom devmaction.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53580 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:USB: Gadget: core: Help prevent panic during UVC unconfigureAvichal Rakesh reported a kernel panic that occurred when the UVCgadget driver was removed from a gadget's configuration. The panicinvolves a somewhat complicated interaction between the kernel driverand a userspace component (as described in the Link tag below), butthe analysis did make one thing clear: The Gadget core shouldaccomodate gadget drivers calling usb_gadget_deactivate() as part oftheir unbind procedure.Currently this doesn't work. gadget_unbind_driver() callsdriver->unbind() while holding the udc->connect_lock mutex, andusb_gadget_deactivate() attempts to acquire that mutex, which willresult in a deadlock.The simple fix is for gadget_unbind_driver() to release the mutex wheninvoking the ->unbind() callback. There is no particular reason forit to be holding the mutex at that time, and the mutex isn't heldwhile the ->bind() callback is invoked. So we'll drop the mutexbefore performing the unbind callback and reacquire it afterward.We'll also add a couple of comments to usb_gadget_activate() andusb_gadget_deactivate(). Because they run in process context theymust not be called from a gadget driver's ->disconnect() callback,which (according to the kerneldoc for struct usb_gadget_driver ininclude/linux/usb/gadget.h) may run in interrupt context. This mayhelp prevent similar bugs from arising in the future.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53593 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: Release folio lock on fscache read hit.Under the current code, when cifs_readpage_worker is called, the callcontract is that the callee should unlock the page. This is documentedin the read_folio section of Documentation/filesystems/vfs.rst as:> The filesystem should unlock the folio once the read has completed,> whether it was successful or not.Without this change, when fscache is in use and cache hit occurs duringa read, the page lock is leaked, producing the following stack onsubsequent reads (via mmap) to the page:$ cat /proc/3890/task/12864/stack[<0>] folio_wait_bit_common+0x124/0x350[<0>] filemap_read_folio+0xad/0xf0[<0>] filemap_fault+0x8b1/0xab0[<0>] __do_fault+0x39/0x150[<0>] do_fault+0x25c/0x3e0[<0>] __handle_mm_fault+0x6ca/0xc70[<0>] handle_mm_fault+0xe9/0x350[<0>] do_user_addr_fault+0x225/0x6c0[<0>] exc_page_fault+0x84/0x1b0[<0>] asm_exc_page_fault+0x27/0x30This requires a reboot to resolve; it is a deadlock.Note however that the call to cifs_readpage_from_fscache does mark thepage clean, but does not free the folio lock. This happens in__cifs_readpage_from_fscache on success. Releasing the lock at thatpoint however is not appropriate as cifs_readahead also callscifs_readpage_from_fscache and *does* unconditionally release the lockafter its return. This change therefore effectively makescifs_readpage_worker work like cifs_readahead.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53596 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drivers: base: Free devm resources when unregistering a deviceIn the current code, devres_release_all() only gets called if the devicehas a bus and has been probed.This leads to issues when using bus-less or driver-less devices wherethe device might never get freed if a managed resource holds a referenceto the device. This is happening in the DRM framework for example.We should thus call devres_release_all() in the device_del() function tomake sure that the device-managed actions are properly executed when thedevice is unregistered, even if it has neither a bus nor a driver.This is effectively the same change than commit 2f8d16a996da ("devres:release resources on device_del()") that got reverted by commita525a3ddeaca ("driver core: free devres in device_release") overmemory leaks concerns.This patch effectively combines the two commits mentioned above torelease the resources both on device_del() and device_release() and getthe best of both worlds.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53597 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:cifs: fix mid leak during reconnection after timeout thresholdWhen the number of responses with status of STATUS_IO_TIMEOUTexceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnectthe connection. But we do not return the mid, or the creditsreturned for the mid, or reduce the number of in-flight requests.This bug could result in the server->in_flight count to go bad,and also cause a leak in the mids.This change moves the check to a few lines below where theresponse is decrypted, even of the response is read from thetransform header. This way, the code for returning the midscan be reused.Also, the cifs_reconnect was reconnecting just the transportconnection before. In case of multi-channel, this may not bewhat we want to do after several timeouts. Changed that toreconnect the session and the tree too.Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate nameMAX_STATUS_IO_TIMEOUT.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53599 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390Fix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to pointto the scatterlist array in areq->first_rsgl.sgl.sgl.Without this, the gcm-aes-s390 driver will oops when it tries to dogcm_walk_start() on req->dst because req->dst is set to the value ofareq->first_rsgl.sgl.sgl by _aead_recvmsg() callingaead_request_set_crypt().The problem comes if an empty ciphertext is passed: the loop inaf_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsglup.This isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as faras I can tell, that ignores req->dst and only uses req->src[*].[*] Is this a bug in aesni-intel_glue.c?The s390x oops looks something like: Unable to handle kernel pointer dereference in virtual kernel address space Failing address: 0000000a00000000 TEID: 0000000a00000803 Fault in home space mode while using kernel ASCE. AS:00000000a43a0007 R3:0000000000000024 Oops: 003b ilc:2 [#1] SMP ... Call Trace: [<000003ff7fc3d47e>] gcm_walk_start+0x16/0x28 [aes_s390] [<00000000a2a342f2>] crypto_aead_decrypt+0x9a/0xb8 [<00000000a2a60888>] aead_recvmsg+0x478/0x698 [<00000000a2e519a0>] sock_recvmsg+0x70/0xb0 [<00000000a2e51a56>] sock_read_iter+0x76/0xa0 [<00000000a273e066>] vfs_read+0x26e/0x2a8 [<00000000a273e8c4>] ksys_read+0xbc/0x100 [<00000000a311d808>] __do_syscall+0x1d0/0x1f8 [<00000000a312ff30>] system_call+0x70/0x98 Last Breaking-Event-Address: [<000003ff7fc3e6b4>] gcm_aes_crypt+0x104/0xa68 [aes_s390]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53600 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tunnels: fix kasan splat when generating ipv4 pmtu errorIf we try to emit an icmp error in response to a nonliner skb, we getBUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220Read of size 4 at addr ffff88811c50db00 by task iperf3/1691CPU: 2 PID: 1691 Comm: iperf3 Not tainted 6.5.0-rc3+ #309[..] kasan_report+0x105/0x140 ip_compute_csum+0x134/0x220 iptunnel_pmtud_build_icmp+0x554/0x1020 skb_tunnel_check_pmtu+0x513/0xb80 vxlan_xmit_one+0x139e/0x2ef0 vxlan_xmit+0x1867/0x2760 dev_hard_start_xmit+0x1ee/0x4f0 br_dev_queue_push_xmit+0x4d1/0x660 [..]ip_compute_csum() cannot deal with nonlinear skbs, so avoid it.After this change, splat is gone and iperf3 is no longer stuck.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53601 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bonding: do not assume skb mac_header is setDrivers must not assume in their ndo_start_xmit() thatskbs have their mac_header set. skb->data is all what is needed.bonding seems to be one of the last offender as caught by syzbot:WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 skb_mac_offset include/linux/skbuff.h:2913 [inline]WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 __bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:2907 bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470Modules linked in:CPU: 1 PID: 12155 Comm: syz-executor.3 Not tainted 6.1.30-syzkaller #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023RIP: 0010:skb_mac_header include/linux/skbuff.h:2907 [inline]RIP: 0010:skb_mac_offset include/linux/skbuff.h:2913 [inline]RIP: 0010:bond_xmit_hash drivers/net/bonding/bond_main.c:4170 [inline]RIP: 0010:bond_xmit_3ad_xor_slave_get drivers/net/bonding/bond_main.c:5149 [inline]RIP: 0010:bond_3ad_xor_xmit drivers/net/bonding/bond_main.c:5186 [inline]RIP: 0010:__bond_start_xmit drivers/net/bonding/bond_main.c:5442 [inline]RIP: 0010:bond_start_xmit+0x14ab/0x19d0 drivers/net/bonding/bond_main.c:5470Code: 8b 7c 24 30 e8 76 dd 1a 01 48 85 c0 74 0d 48 89 c3 e8 29 67 2e fe e9 15 ef ff ff e8 1f 67 2e fe e9 10 ef ff ff e8 15 67 2e fe <0f> 0b e9 45 f8 ff ff e8 09 67 2e fe e9 dc fa ff ff e8 ff 66 2e feRSP: 0018:ffffc90002fff6e0 EFLAGS: 00010283RAX: ffffffff835874db RBX: 000000000000ffff RCX: 0000000000040000RDX: ffffc90004dcf000 RSI: 00000000000000b5 RDI: 00000000000000b6RBP: ffffc90002fff8b8 R08: ffffffff83586d16 R09: ffffffff83586584R10: 0000000000000007 R11: ffff8881599fc780 R12: ffff88811b6a7b7eR13: 1ffff110236d4f6f R14: ffff88811b6a7ac0 R15: 1ffff110236d4f76FS: 00007f2e9eb47700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000001b2e421000 CR3: 000000010e6d4000 CR4: 00000000003526e0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace:[] netdev_start_xmit include/linux/netdevice.h:4925 [inline][] __dev_direct_xmit+0x4ef/0x850 net/core/dev.c:4380[] dev_direct_xmit include/linux/netdevice.h:3043 [inline][] packet_direct_xmit+0x18b/0x300 net/packet/af_packet.c:284[] packet_snd net/packet/af_packet.c:3112 [inline][] packet_sendmsg+0x4a22/0x64d0 net/packet/af_packet.c:3143[] sock_sendmsg_nosec net/socket.c:716 [inline][] sock_sendmsg net/socket.c:736 [inline][] __sys_sendto+0x472/0x5f0 net/socket.c:2139[] __do_sys_sendto net/socket.c:2151 [inline][] __se_sys_sendto net/socket.c:2147 [inline][] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147[] do_syscall_x64 arch/x86/entry/common.c:50 [inline][] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80[] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53603 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Avoid fcport pointer dereferenceKlocwork reported warning of NULL pointer may be dereferenced. The routineexits when sa_ctl is NULL and fcport is allocated after the exit call thuscausing NULL fcport pointer to dereference at the time of exit.To avoid fcport pointer dereference, exit the routine when sa_ctl is NULL.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53611 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipmi_si: fix a memleak in try_smi_init()Kmemleak reported the following leak info in try_smi_init():unreferenced object 0xffff00018ecf9400 (size 1024): comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s) backtrace: [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0 [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si] [<000000006460d325>] 0xffff800081b10148 [<0000000039206ea5>] do_one_initcall+0x64/0x2a4 [<00000000601399ce>] do_init_module+0x50/0x300 [<000000003c12ba3c>] load_module+0x7a8/0x9e0 [<00000000c246fffe>] __se_sys_init_module+0x104/0x180 [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30 [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250 [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0 [<000000005a05337f>] el0_svc+0x24/0x3c [<000000005eb248d6>] el0_sync_handler+0x160/0x164 [<0000000030a59039>] el0_sync+0x160/0x180The problem was that when an error occurred before handlers registrationand after allocating `new_smi->si_sm`, the variable wouldn't be freed inthe error handling afterwards since `shutdown_smi()` hadn't beenregistered yet. Fix it by adding a `kfree()` in the error handling pathin `try_smi_init()`.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53613 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:dax: Fix dax_mapping_release() use after freeA CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax regionprovider (like modprobe -r dax_hmem) yields: kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) [..] DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 23 PID: 282 at kernel/locking/lockdep.c:232 __lock_acquire+0x9fc/0x2260 [..] RIP: 0010:__lock_acquire+0x9fc/0x2260 [..] Call Trace: [..] lock_acquire+0xd4/0x2c0 ? ida_free+0x62/0x130 _raw_spin_lock_irqsave+0x47/0x70 ? ida_free+0x62/0x130 ida_free+0x62/0x130 dax_mapping_release+0x1f/0x30 device_release+0x36/0x90 kobject_delayed_cleanup+0x46/0x150Due to attempting ida_free() on an ida object that has already beenfreed. Devices typically only hold a reference on their parent whileregistered. If a child needs a parent object to complete its release itneeds to hold a reference that it drops from its release callback.Arrange for a dax_mapping to pin its parent dev_dax instance untildax_mapping_release().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53615 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla2xxx: Fix deletion race conditionSystem crash when using debug kernel due to link list corruption. The causeof the link list corruption is due to session deletion was allowed to queueup twice. Here's the internal trace that show the same port was allowed todouble queue for deletion on different cpu.20808683956 015 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 120808683957 027 qla2xxx [0000:13:00.1]-e801:4: Scheduling sess ffff93ebf9306800 for deletion 50:06:0e:80:12:48:ff:50 fc4_type 1Move the clearing/setting of deleted flag lock.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53617 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:soc: aspeed: socinfo: Add kfree for kstrdupAdd kfree() in the later error handling in order to avoid memory leak.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53618 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: reject invalid reloc tree root keys with stack dump[BUG]Syzbot reported a crash that an ASSERT() got triggered insideprepare_to_merge().That ASSERT() makes sure the reloc tree is properly pointed back by itssubvolume tree.[CAUSE]After more debugging output, it turns out we had an invalid reloc tree: BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17Note the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM,QUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.But reloc trees can only exist for subvolumes, as for non-subvolumetrees, we just COW the involved tree block, no need to create a reloctree since those tree blocks won't be shared with other trees.Only subvolumes tree can share tree blocks with other trees (thus theyhave BTRFS_ROOT_SHAREABLE flag).Thus this new debug output proves my previous assumption that corruptedon-disk data can trigger that ASSERT().[FIX]Besides the dedicated fix and the graceful exit, also let tree-checker tocheck such root keys, to make sure reloc trees can only exist for subvolumes.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53621 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:memcontrol: ensure memcg acquired by id is properly set upIn the eviction recency check, we attempt to retrieve the memcg to whichthe folio belonged when it was evicted, by the memcg id stored in theshadow entry. However, there is a chance that the retrieved memcg is notthe original memcg that has been killed, but a new one which happens tohave the same id.This is a somewhat unfortunate, but acceptable and rare inaccuracy in theheuristics. However, if we retrieve this new memcg between its allocationand when it is properly attached to the memcg hierarchy, we could run intothe following NULL pointer exception during the memcg hierarchy traversaldone in mem_cgroup_get_nr_swap_pages():[ 155757.793456] BUG: kernel NULL pointer dereference, address: 00000000000000c0[ 155757.807568] #PF: supervisor read access in kernel mode[ 155757.818024] #PF: error_code(0x0000) - not-present page[ 155757.828482] PGD 401f77067 P4D 401f77067 PUD 401f76067 PMD 0[ 155757.839985] Oops: 0000 [#1] SMP[ 155757.887870] RIP: 0010:mem_cgroup_get_nr_swap_pages+0x3d/0xb0[ 155757.899377] Code: 29 19 4a 02 48 39 f9 74 63 48 8b 97 c0 00 00 00 48 8b b7 58 02 00 00 48 2b b7 c0 01 00 00 48 39 f0 48 0f 4d c6 48 39 d1 74 42 <48> 8b b2 c0 00 00 00 48 8b ba 58 02 00 00 48 2b ba c0 01 00 00 48[ 155757.937125] RSP: 0018:ffffc9002ecdfbc8 EFLAGS: 00010286[ 155757.947755] RAX: 00000000003a3b1c RBX: 000007ffffffffff RCX: ffff888280183000[ 155757.962202] RDX: 0000000000000000 RSI: 0007ffffffffffff RDI: ffff888bbc2d1000[ 155757.976648] RBP: 0000000000000001 R08: 000000000000000b R09: ffff888ad9cedba0[ 155757.991094] R10: ffffea0039c07900 R11: 0000000000000010 R12: ffff888b23a7b000[ 155758.005540] R13: 0000000000000000 R14: ffff888bbc2d1000 R15: 000007ffffc71354[ 155758.019991] FS: 00007f6234c68640(0000) GS:ffff88903f9c0000(0000) knlGS:0000000000000000[ 155758.036356] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 155758.048023] CR2: 00000000000000c0 CR3: 0000000a83eb8004 CR4: 00000000007706e0[ 155758.062473] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[ 155758.076924] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[ 155758.091376] PKRU: 55555554[ 155758.096957] Call Trace:[ 155758.102016] [ 155758.106502] ? __die+0x78/0xc0[ 155758.112793] ? page_fault_oops+0x286/0x380[ 155758.121175] ? exc_page_fault+0x5d/0x110[ 155758.129209] ? asm_exc_page_fault+0x22/0x30[ 155758.137763] ? mem_cgroup_get_nr_swap_pages+0x3d/0xb0[ 155758.148060] workingset_test_recent+0xda/0x1b0[ 155758.157133] workingset_refault+0xca/0x1e0[ 155758.165508] filemap_add_folio+0x4d/0x70[ 155758.173538] page_cache_ra_unbounded+0xed/0x190[ 155758.182919] page_cache_sync_ra+0xd6/0x1e0[ 155758.191738] filemap_read+0x68d/0xdf0[ 155758.199495] ? mlx5e_napi_poll+0x123/0x940[ 155758.207981] ? __napi_schedule+0x55/0x90[ 155758.216095] __x64_sys_pread64+0x1d6/0x2c0[ 155758.224601] do_syscall_64+0x3d/0x80[ 155758.232058] entry_SYSCALL_64_after_hwframe+0x46/0xb0[ 155758.242473] RIP: 0033:0x7f62c29153b5[ 155758.249938] Code: e8 48 89 75 f0 89 7d f8 48 89 4d e0 e8 b4 e6 f7 ff 41 89 c0 4c 8b 55 e0 48 8b 55 e8 48 8b 75 f0 8b 7d f8 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 45 f8 e8 e7 e6 f7 ff 48 8b[ 155758.288005] RSP: 002b:00007f6234c5ffd0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011[ 155758.303474] RAX: ffffffffffffffda RBX: 00007f628c4e70c0 RCX: 00007f62c29153b5[ 155758.318075] RDX: 000000000003c041 RSI: 00007f61d2986000 RDI: 0000000000000076[ 155758.332678] RBP: 00007f6234c5fff0 R08: 0000000000000000 R09: 0000000064d5230c[ 155758.347452] R10: 000000000027d450 R11: 0000000000000293 R12: 000000000003c041[ 155758.362044] R13: 00007f61d2986000 R14: 00007f629e11b060 R15: 000000000027d450[ 155758.376661] This patch fixes the issue by moving the memcg's id publication from thealloc stage to ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53631 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:platform/x86: dell-sysman: Fix reference leakIf a duplicate attribute is found using kset_find_obj(),a reference to that attribute is returned. This meansthat we need to dispose it accordingly. Use kobject_put()to dispose the duplicate attribute in such a case.Compile-tested only.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53632 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Take RTNL lock when needed before calling xdp_set_features()Hold RTNL lock when calling xdp_set_features() with a registered netdev,as the call triggers the netdev notifiers. This could happen whenswitching from uplink rep to nic profile for example.This resolves the following call trace:RTNL: assertion failed at net/core/dev.c (1953)WARNING: CPU: 6 PID: 112670 at net/core/dev.c:1953 call_netdevice_notifiers_info+0x7c/0x80Modules linked in: sch_mqprio sch_mqprio_lib act_tunnel_key act_mirred act_skbedit cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress bonding ib_umad ip_gre rdma_ucm mlx5_vfio_pci ipip tunnel4 ip6_gre gre mlx5_ib vfio_pci vfio_pci_core vfio_iommu_type1 ib_uverbs vfio mlx5_core ib_ipoib geneve nf_tables ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]CPU: 6 PID: 112670 Comm: devlink Not tainted 6.4.0-rc7_for_upstream_min_debug_2023_06_28_17_02 #1Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80Code: 90 ff 80 3d 2d 6b f7 00 00 75 c5 ba a1 07 00 00 48 c7 c6 e4 ce 0b 82 48 c7 c7 c8 f4 04 82 c6 05 11 6b f7 00 01 e8 a4 7c 8e ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ecRSP: 0018:ffff8882a21c3948 EFLAGS: 00010282RAX: 0000000000000000 RBX: ffffffff82e6f880 RCX: 0000000000000027RDX: ffff88885f99b5c8 RSI: 0000000000000001 RDI: ffff88885f99b5c0RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff8882a21c3968R13: ffff88811c018940 R14: 0000000000000000 R15: ffff8881274401a0FS: 00007fe141c81800(0000) GS:ffff88885f980000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f787c28b948 CR3: 000000014bcf3005 CR4: 0000000000370ea0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: ? __warn+0x79/0x120 ? call_netdevice_notifiers_info+0x7c/0x80 ? report_bug+0x17c/0x190 ? handle_bug+0x3c/0x60 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? call_netdevice_notifiers_info+0x7c/0x80 ? call_netdevice_notifiers_info+0x7c/0x80 call_netdevice_notifiers+0x2e/0x50 mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core] mlx5e_nic_init+0xf1/0x1a0 [mlx5_core] mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core] mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core] mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core] mlx5e_netdev_attach_nic_profile+0x1b/0x30 [mlx5_core] mlx5e_vport_rep_unload+0xaa/0xc0 [mlx5_core] __esw_offloads_unload_rep+0x52/0x60 [mlx5_core] mlx5_esw_offloads_rep_unload+0x52/0x70 [mlx5_core] esw_offloads_unload_rep+0x34/0x70 [mlx5_core] esw_offloads_disable+0x2b/0x90 [mlx5_core] mlx5_eswitch_disable_locked+0x1b9/0x210 [mlx5_core] mlx5_devlink_eswitch_mode_set+0xf5/0x630 [mlx5_core] ? devlink_get_from_attrs_lock+0x9e/0x110 devlink_nl_cmd_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit.isra.0+0xc2/0x110 genl_rcv_msg+0x17d/0x2b0 ? devlink_get_from_attrs_lock+0x110/0x110 ? devlink_nl_cmd_eswitch_get_doit+0x290/0x290 ? devlink_pernet_pre_exit+0xf0/0xf0 ? genl_family_rcv_msg_doit.isra.0+0x110/0x110 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1f6/0x2c0 netlink_sendmsg+0x232/0x4a0 sock_sendmsg+0x38/0x60 ? _copy_from_user+0x2a/0x60 __sys_sendto+0x110/0x160 ? __count_memcg_events+0x48/0x90 ? handle_mm_fault+0x161/0x260 ? do_user_addr_fault+0x278/0x6e0 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0RIP: 0033---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53638 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeon_ep: cancel queued works in probe error pathIf it fails to get the devices's MAC address, octep_probe exits whileleaving the delayed work intr_poll_task queued. When the work laterruns, it's a use after free.Move the cancelation of intr_poll_task from octep_remove intooctep_device_cleanup. This does not change anything in the octep_removeflow, but octep_device_cleanup is called also in the octep_probe errorpath, where the cancelation is needed.Note that the cancelation of ctrl_mbox_task has to followintr_poll_task's, because the ctrl_mbox_task may be queued byintr_poll_task.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53645 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Make bpf_refcount_acquire fallible for non-owning refsThis patch fixes an incorrect assumption made in the originalbpf_refcount series [0], specifically that the BPF program callingbpf_refcount_acquire on some node can always guarantee that the node isalive. In that series, the patch adding failure behavior to rbtree_addand list_push_{front, back} breaks this assumption for non-owningreferences.Consider the following program: n = bpf_kptr_xchg(&mapval, NULL); /* skip error checking */ bpf_spin_lock(&l); if(bpf_rbtree_add(&t, &n->rb, less)) { bpf_refcount_acquire(n); /* Failed to add, do something else with the node */ } bpf_spin_unlock(&l);It's incorrect to assume that bpf_refcount_acquire will always succeed in thisscenario. bpf_refcount_acquire is being called in a critical sectionhere, but the lock being held is associated with rbtree t, which isn'tnecessarily the lock associated with the tree that the node is alreadyin. So after bpf_rbtree_add fails to add the node and calls bpf_obj_dropin it, the program has no ownership of the node's lifetime. Thereforethe node's refcount can be decr'd to 0 at any time after the failingrbtree_add. If this happens before the refcount_acquire above, the nodemight be free'd, and regardless refcount_acquire will be incrementing a0 refcount.Later patches in the series exercise this scenario, resulting in theexpected complaint from the kernel (without this patch's changes): refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 207 at lib/refcount.c:25 refcount_warn_saturate+0xbc/0x110 Modules linked in: bpf_testmod(O) CPU: 1 PID: 207 Comm: test_progs Tainted: G O 6.3.0-rc7-02231-g723de1a718a2-dirty #371 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0xbc/0x110 Code: 6f 64 f6 02 01 e8 84 a3 5c ff 0f 0b eb 9d 80 3d 5e 64 f6 02 00 75 94 48 c7 c7 e0 13 d2 82 c6 05 4e 64 f6 02 01 e8 64 a3 5c ff <0f> 0b e9 7a ff ff ff 80 3d 38 64 f6 02 00 0f 85 6d ff ff ff 48 c7 RSP: 0018:ffff88810b9179b0 EFLAGS: 00010082 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000202 RSI: 0000000000000008 RDI: ffffffff857c3680 RBP: ffff88810027d3c0 R08: ffffffff8125f2a4 R09: ffff88810b9176e7 R10: ffffed1021722edc R11: 746e756f63666572 R12: ffff88810027d388 R13: ffff88810027d3c0 R14: ffffc900005fe030 R15: ffffc900005fe048 FS: 00007fee0584a700(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005634a96f6c58 CR3: 0000000108ce9002 CR4: 0000000000770ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: bpf_refcount_acquire_impl+0xb5/0xc0 (rest of output snipped)The patch addresses this by changing bpf_refcount_acquire_impl to userefcount_inc_not_zero instead of refcount_inc and markingbpf_refcount_acquire KF_RET_NULL.For owning references, though, we know the above scenario is not possibleand thus that bpf_refcount_acquire will always succeed. Some verifierbookkeeping is added to track "is input owning ref?" for bpf_refcount_acquirecalls and return false from is_kfunc_ret_null for bpf_refcount_acquire onowning refs despite it being marked KF_RET_NULL.Existing selftests using bpf_refcount_acquire are modified wherenecessary to NULL-check its return value. [0]: https://lore.kernel.org/bpf/20230415201811.343116-1-davemarchevsky@fb.com/

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53646 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/i915/perf: add sentinel to xehp_oa_b_countersArrays passed to reg_in_range_table should end with empty record.The patch solves KASAN detected bug with signature:BUG: KASAN: global-out-of-bounds in xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915]Read of size 4 at addr ffffffffa1555d90 by task perf/1518CPU: 4 PID: 1518 Comm: perf Tainted: G U 6.4.0-kasan_438-g3303d06107f3+ #1Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P DDR5 SODIMM SBS RVP, BIOS MTLPFWI1.R00.3223.D80.2305311348 05/31/2023Call Trace:...xehp_is_valid_b_counter_addr+0x2c7/0x350 [i915](cherry picked from commit 2f42c5afb34b5696cf5fe79e744f99be9b218798)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53647 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Drivers: hv: vmbus: Don't dereference ACPI root object handleSince the commit referenced in the Fixes: tag below the VMBus client driveris walking the ACPI namespace up from the VMBus ACPI device to the ACPInamespace root object trying to find Hyper-V MMIO ranges.However, if it is not able to find them it ends trying to walk resources ofthe ACPI namespace root object itself.This object has all-ones handle, which causes a NULL pointer dereferencein the ACPI code (from dereferencing this pointer with an offset).This in turn causes an oops on boot with VMBus host implementations that donot provide Hyper-V MMIO ranges in their VMBus ACPI device or itsancestors.The QEMU VMBus implementation is an example of such implementation.I guess providing these ranges is optional, since all tested Windowsversions seem to be able to use VMBus devices without them.Fix this by explicitly terminating the lookup at the ACPI namespace rootobject.Note that Linux guests under KVM/QEMU do not use the Hyper-V PV interfaceby default - they only do so if the KVM PV interface is missing ordisabled.Example stack trace of such oops:[ 3.710827] ? __die+0x1f/0x60[ 3.715030] ? page_fault_oops+0x159/0x460[ 3.716008] ? exc_page_fault+0x73/0x170[ 3.716959] ? asm_exc_page_fault+0x22/0x30[ 3.717957] ? acpi_ns_lookup+0x7a/0x4b0[ 3.718898] ? acpi_ns_internalize_name+0x79/0xc0[ 3.720018] acpi_ns_get_node_unlocked+0xb5/0xe0[ 3.721120] ? acpi_ns_check_object_type+0xfe/0x200[ 3.722285] ? acpi_rs_convert_aml_to_resource+0x37/0x6e0[ 3.723559] ? down_timeout+0x3a/0x60[ 3.724455] ? acpi_ns_get_node+0x3a/0x60[ 3.725412] acpi_ns_get_node+0x3a/0x60[ 3.726335] acpi_ns_evaluate+0x1c3/0x2c0[ 3.727295] acpi_ut_evaluate_object+0x64/0x1b0[ 3.728400] acpi_rs_get_method_data+0x2b/0x70[ 3.729476] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus][ 3.730940] ? vmbus_platform_driver_probe+0x1d0/0x1d0 [hv_vmbus][ 3.732411] acpi_walk_resources+0x78/0xd0[ 3.733398] vmbus_platform_driver_probe+0x9f/0x1d0 [hv_vmbus][ 3.734802] platform_probe+0x3d/0x90[ 3.735684] really_probe+0x19b/0x400[ 3.736570] ? __device_attach_driver+0x100/0x100[ 3.737697] __driver_probe_device+0x78/0x160[ 3.738746] driver_probe_device+0x1f/0x90[ 3.739743] __driver_attach+0xc2/0x1b0[ 3.740671] bus_for_each_dev+0x70/0xc0[ 3.741601] bus_add_driver+0x10e/0x210[ 3.742527] driver_register+0x55/0xf0[ 3.744412] ? 0xffffffffc039a000[ 3.745207] hv_acpi_init+0x3c/0x1000 [hv_vmbus]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53648 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixersmatch error:sound/pci/ac97/ac97_codec.c:2354 snd_ac97_mixer() error:we previously assumed 'rac97' could be null (see line 2072)remove redundant assignment, return error if rac97 is NULL.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53652 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vdpa: Add features attr to vdpa_nl_policy for nlattr length checkThe vdpa_nl_policy structure is used to validate the nlattr when parsingthe incoming nlmsg. It will ensure the attribute being described producesa valid nlattr pointer in info->attrs before entering into each handlerin vdpa_nl_ops.That is to say, the missing part in vdpa_nl_policy may lead to illegalnlattr after parsing, which could lead to OOB read just like CVE-2023-3773.This patch adds the missing nla_policy for vdpa features attr to avoidsuch bugs.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53653 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: amphion: fix REVERSE_INULL issues reported by coveritynull-checking of a pointor is suggested before dereferencing it

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53657 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ice: Don't tx before switchdev is fully configuredThere is possibility that ice_eswitch_port_start_xmit might becalled while some resources are still not allocated which mightcause NULL pointer dereference. Fix this by checking if switchdevconfiguration was finished.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53658 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:spi: bcm-qspi: return error if neither hif_mspi nor mspi is availableIf neither a "hif_mspi" nor "mspi" resource is present, the driver willjust early exit in probe but still return success. Apart from not doinganything meaningful, this would then also lead to a null pointer accesson removal, as platform_get_drvdata() would return NULL, which it wouldthen try to dereference when trying to unregister the spi master.Fix this by unconditionally calling devm_ioremap_resource(), as it canhandle a NULL res and will then return a viable ERR_PTR() if we get one.The "return 0;" was previously a "goto qspi_resource_err;" where thenret was returned, but since ret was still initialized to 0 at this placethis was a valid conversion in 63c5395bb7a9 ("spi: bcm-qspi: Fixuse-after-free on unbind"). The issue was not introduced by this commit,only made more obvious.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53660 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf, cpumap: Handle skb as well when clean up ptr_ringThe following warning was reported when running xdp_redirect_cpu withboth skb-mode and stress-mode enabled: ------------[ cut here ]------------ Incorrect XDP memory type (-2128176192) usage WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405 Modules linked in: CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Workqueue: events __cpu_map_entry_free RIP: 0010:__xdp_return+0x1e4/0x4a0 ...... Call Trace: ? show_regs+0x65/0x70 ? __warn+0xa5/0x240 ? __xdp_return+0x1e4/0x4a0 ...... xdp_return_frame+0x4d/0x150 __cpu_map_entry_free+0xf9/0x230 process_one_work+0x6b0/0xb80 worker_thread+0x96/0x720 kthread+0x1a5/0x1f0 ret_from_fork+0x3a/0x70 ret_from_fork_asm+0x1b/0x30 The reason for the warning is twofold. One is due to the kthreadcpu_map_kthread_run() is stopped prematurely. Another one is__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs inptr_ring as XDP frames.Prematurely-stopped kthread will be fixed by the preceding patch andptr_ring will be empty when __cpu_map_ring_cleanup() is called. Butas the comments in __cpu_map_ring_cleanup() said, handling and freeingskbs in ptr_ring as well to "catch any broken behaviour gracefully".

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53666 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: codecs: wcd938x: fix missing mbhc init error handlingMBHC initialisation can fail so add the missing error handling to avoiddereferencing an error pointer when later configuring the jack: Unable to handle kernel paging request at virtual address fffffffffffffff8 pc : wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] lr : wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] Call trace: wcd_mbhc_start+0x28/0x380 [snd_soc_wcd_mbhc] wcd938x_codec_set_jack+0x28/0x48 [snd_soc_wcd938x] snd_soc_component_set_jack+0x28/0x8c [snd_soc_core] qcom_snd_wcd_jack_setup+0x7c/0x19c [snd_soc_qcom_common] sc8280xp_snd_init+0x20/0x2c [snd_soc_sc8280xp] snd_soc_link_init+0x28/0x90 [snd_soc_core] snd_soc_bind_card+0x628/0xbfc [snd_soc_core] snd_soc_register_card+0xec/0x104 [snd_soc_core] devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core] sc8280xp_platform_probe+0xf0/0x108 [snd_soc_sc8280xp]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53672 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: output extra debug info if we failed to find an inline backref[BUG]Syzbot reported several warning triggered insidelookup_inline_extent_backref().[CAUSE]As usual, the reproducer doesn't reliably trigger locally here, but atleast we know the WARN_ON() is triggered when an inline backref can notbe found, and it can only be triggered when @insert is true. (I.e.inserting a new inline backref, which means the backref should alreadyexist)[ENHANCEMENT]After the WARN_ON(), dump all the parameters and the extent treeleaf to help debug.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53686 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/handshake: fix null-ptr-deref in handshake_nl_done_doit()We should not call trace_handshake_cmd_done_err() if socket lookup has failed.Also we should call trace_handshake_cmd_done_err() before releasing the file,otherwise dereferencing sock->sk can return garbage.This also reverts 7afc6d0a107f ("net/handshake: Fix uninitialized local variable")Unable to handle kernel paging request at virtual address dfff800000000003KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]Mem abort info:ESR = 0x0000000096000005EC = 0x25: DABT (current EL), IL = 32 bitsSET = 0, FnV = 0EA = 0, S1PTW = 0FSC = 0x05: level 1 translation faultData abort info:ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000CM = 0, WnR = 0, TnD = 0, TagAccess = 0GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0[dfff800000000003] address between user and kernel address rangesInternal error: Oops: 0000000096000005 [#1] PREEMPT SMPModules linked in:CPU: 1 PID: 5986 Comm: syz-executor292 Not tainted 6.5.0-rc7-syzkaller-gfe4469582053 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193lr : handshake_nl_done_doit+0x180/0x9c8sp : ffff800096e37180x29: ffff800096e37200 x28: 1ffff00012dc6e34 x27: dfff800000000000x26: ffff800096e373d0 x25: 0000000000000000 x24: 00000000ffffffa8x23: ffff800096e373f0 x22: 1ffff00012dc6e38 x21: 0000000000000000x20: ffff800096e371c0 x19: 0000000000000018 x18: 0000000000000000x17: 0000000000000000 x16: ffff800080516cc4 x15: 0000000000000001x14: 1fffe0001b14aa3b x13: 0000000000000000 x12: 0000000000000000x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000003x8 : 0000000000000003 x7 : ffff800080afe47c x6 : 0000000000000000x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800080a88078x2 : 0000000000000001 x1 : 00000000ffffffa8 x0 : 0000000000000000Call trace:handshake_nl_done_doit+0x198/0x9c8 net/handshake/netlink.c:193genl_family_rcv_msg_doit net/netlink/genetlink.c:970 [inline]genl_family_rcv_msg net/netlink/genetlink.c:1050 [inline]genl_rcv_msg+0x96c/0xc50 net/netlink/genetlink.c:1067netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549genl_rcv+0x38/0x50 net/netlink/genetlink.c:1078netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914sock_sendmsg_nosec net/socket.c:725 [inline]sock_sendmsg net/socket.c:748 [inline]____sys_sendmsg+0x56c/0x840 net/socket.c:2494___sys_sendmsg net/socket.c:2548 [inline]__sys_sendmsg+0x26c/0x33c net/socket.c:2577__do_sys_sendmsg net/socket.c:2586 [inline]__se_sys_sendmsg net/socket.c:2584 [inline]__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591Code: 12800108 b90043e8 910062b3 d343fe68 (387b6908)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53693 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:USB: gadget: Fix the memory leak in raw_gadget driverCurrently, increasing raw_dev->count happens before invoke theraw_queue_event(), if the raw_queue_event() return error, invokeraw_release() will not trigger the dev_free() to be called.[ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event[ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12[ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12[ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy[ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16BUG: memory leak[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076[] kmalloc include/linux/slab.h:582 [inline][] kzalloc include/linux/slab.h:703 [inline][] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline][] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385[] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165[] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076[] kmalloc include/linux/slab.h:582 [inline][] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460[] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250[] vfs_ioctl fs/ioctl.c:51 [inline][] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076[] kmalloc include/linux/slab.h:582 [inline][] kzalloc include/linux/slab.h:703 [inline][] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665[] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196[] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292This commit therefore invoke kref_get() under the condition thatraw_queue_event() return success.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53707 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1The type of size is unsigned int, if size is 0x40000000, there willbe an integer overflow, size will be zero after size *= sizeof(uint32_t),will cause uninitialized memory to be referenced later.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53726 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:arm64: csum: Fix OoB access in IP checksum code for negative lengthsAlthough commit c2c24edb1d9c ("arm64: csum: Fix pathological zero-lengthcalls") added an early return for zero-length input, syzkaller haspopped up with an example of a _negative_ length which causes anundefined shift and an out-of-bounds read: | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 | | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 | Call trace: | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 | __dump_stack lib/dump_stack.c:88 [inline] | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 | print_address_description mm/kasan/report.c:351 [inline] | print_report+0x174/0x514 mm/kasan/report.c:462 | kasan_report+0xd4/0x130 mm/kasan/report.c:572 | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31 | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | csum_partial+0x30/0x58 lib/checksum.c:128 | gso_make_checksum include/linux/skbuff.h:4928 [inline] | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332 | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47 | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119 | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141 | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401 | skb_gso_segment include/linux/netdevice.h:4859 [inline] | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659 | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709 | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327 | __dev_xmit_skb net/core/dev.c:3805 [inline] | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210 | dev_queue_xmit include/linux/netdevice.h:3085 [inline] | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276 | packet_snd net/packet/af_packet.c:3081 [inline] | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113 | sock_sendmsg_nosec net/socket.c:724 [inline] | sock_sendmsg net/socket.c:747 [inline] | __sys_sendto+0x3b4/0x538 net/socket.c:2144Extend the early return to reject negative lengths as well, aligning ourimplementation with the generic code in lib/checksum.c

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53727 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: fq_pie: avoid stalls in fq_pie_timer()When setting a high number of flows (limit being 65536),fq_pie_timer() is currently using too much time as syzbot reported.Add logic to yield the cpu every 2048 flows (less than 150 usecon debug kernels).It should also help by not blocking qdisc fast paths for too long.Worst case (65536 flows) would need 31 jiffies for a complete scan.Relevant extract from syzbot report:rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: { 0-.... } 2663 jiffies s: 873 root: 0x1/.rcu: blocking rcu_node structures (internal RCU debug):Sending NMI from CPU 1 to CPUs 0:NMI backtrace for cpu 0CPU: 0 PID: 5177 Comm: syz-executor273 Not tainted 6.5.0-syzkaller-00453-g727dbda16b83 #0Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]RIP: 0010:write_comp_data+0x21/0x90 kernel/kcov.c:236Code: 2e 0f 1f 84 00 00 00 00 00 65 8b 05 01 b2 7d 7e 49 89 f1 89 c6 49 89 d2 81 e6 00 01 00 00 49 89 f8 65 48 8b 14 25 80 b9 03 00 00 01 ff 00 74 0e 85 f6 74 59 8b 82 04 16 00 00 85 c0 74 4f 8bRSP: 0018:ffffc90000007bb8 EFLAGS: 00000206RAX: 0000000000000101 RBX: ffffc9000dc0d140 RCX: ffffffff885893b0RDX: ffff88807c075940 RSI: 0000000000000100 RDI: 0000000000000001RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000000 R12: ffffc9000dc0d178R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000FS: 0000555555d54380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 00007f6b442f6130 CR3: 000000006fe1c000 CR4: 00000000003506f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400Call Trace: pie_calculate_probability+0x480/0x850 net/sched/sch_pie.c:415 fq_pie_timer+0x1da/0x4f0 net/sched/sch_fq_pie.c:387 call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-10911 Severity: Moderate CVSS3 score: 5.5

Description: A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libxslt1 < 1.1.34-150400.3.13.1 (version in image is 1.1.34-150400.3.6.1).

CVE-2025-15281 Severity: Moderate CVSS3 score: 5.5

Description: Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2025-21710 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tcp: correct handling of extreme memory squeezeTesting with iperf3 using the "pasta" protocol splicer has revealeda problem in the way tcp handles window advertising in extreme memorysqueeze situations.Under memory pressure, a socket endpoint may temporarily advertisea zero-sized window, but this is not stored as part of the socket data.The reasoning behind this is that it is considered a temporary settingwhich shouldn't influence any further calculations.However, if we happen to stall at an unfortunate value of the currentwindow size, the algorithm selecting a new value will consistently failto advertise a non-zero window once we have freed up enough memory.This means that this side's notion of the current window size isdifferent from the one last advertised to the peer, causing the latterto not send any data to resolve the sitution.The problem occurs on the iperf3 server side, and the socket in questionis a completely regular socket with the default settings for thefedora40 kernel. We do not use SO_PEEK or SO_RCVBUF on the socket.The following excerpt of a logging session, with own comments added,shows more in detail what is happening:// tcp_v4_rcv(->)// tcp_rcv_established(->)[5201<->39222]: ==== Activating log @ net/ipv4/tcp_input.c/tcp_data_queue()/5257 ====[5201<->39222]: tcp_data_queue(->)[5201<->39222]: DROPPING skb [265600160..265665640], reason: SKB_DROP_REASON_PROTO_MEM [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 259909392->260034360 (124968), unread 5565800, qlen 85, ofoq 0] [OFO queue: gap: 65480, len: 0][5201<->39222]: tcp_data_queue(<-)[5201<->39222]: __tcp_transmit_skb(->) [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160][5201<->39222]: tcp_select_window(->)[5201<->39222]: (inet_csk(sk)->icsk_ack.pending & ICSK_ACK_NOMEM) ? --> TRUE [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160] returning 0[5201<->39222]: tcp_select_window(<-)[5201<->39222]: ADVERTISING WIN 0, ACK_SEQ: 265600160[5201<->39222]: [__tcp_transmit_skb(<-)[5201<->39222]: tcp_rcv_established(<-)[5201<->39222]: tcp_v4_rcv(<-)// Receive queue is at 85 buffers and we are out of memory.// We drop the incoming buffer, although it is in sequence, and decide// to send an advertisement with a window of zero.// We don't update tp->rcv_wnd and tp->rcv_wup accordingly, which means// we unconditionally shrink the window.[5201<->39222]: tcp_recvmsg_locked(->)[5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160[5201<->39222]: [new_win = 0, win_now = 131184, 2 * win_now = 262368][5201<->39222]: [new_win >= (2 * win_now) ? --> time_to_ack = 0][5201<->39222]: NOT calling tcp_send_ack() [tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160][5201<->39222]: __tcp_cleanup_rbuf(<-) [rcv_nxt 265600160, rcv_wnd 262144, snt_ack 265469200, win_now 131184] [copied_seq 260040464->260040464 (0), unread 5559696, qlen 85, ofoq 0] returning 6104 bytes[5201<->39222]: tcp_recvmsg_locked(<-)// After each read, the algorithm for calculating the new receive// window in __tcp_cleanup_rbuf() finds it is too small to advertise// or to update tp->rcv_wnd.// Meanwhile, the peer thinks the window is zero, and will not send// any more data to trigger an update from the interrupt mode side.[5201<->39222]: tcp_recvmsg_locked(->)[5201<->39222]: __tcp_cleanup_rbuf(->) tp->rcv_wup: 265469200, tp->rcv_wnd: 262144, tp->rcv_nxt 265600160[5201<->39222]: [new_win = 262144, win_now = 131184, 2 * win_n---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38359 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:s390/mm: Fix in_atomic() handling in do_secure_storage_access()Kernel user spaces accesses to not exported pages in atomic contextincorrectly try to resolve the page fault.With debug options enabled call traces like this can be seen:BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39preempt_count: 1, expected: 0RCU nest depth: 0, expected: 0INFO: lockdep is turned off.Preemption disabled at:[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPTTainted: [W]=WARNHardware name: IBM 3931 A01 703 (LPAR)Call Trace: [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8 [<00000383e99bf152>] __might_resched+0x292/0x2d0 [<00000383eaa7c374>] down_read+0x34/0x2d0 [<00000383e99432f8>] do_secure_storage_access+0x108/0x360 [<00000383eaa724b0>] __do_pgm_check+0x130/0x220 [<00000383eaa842e4>] pgm_check_handler+0x114/0x160 [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0) [<00000383e9c45eae>] generic_perform_write+0x16e/0x310 [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160 [<00000383e9da0de4>] vfs_write+0x1c4/0x460 [<00000383e9da123c>] ksys_write+0x7c/0x100 [<00000383eaa7284e>] __do_syscall+0x15e/0x280 [<00000383eaa8417e>] system_call+0x6e/0x90INFO: lockdep is turned off.It is not allowed to take the mmap_lock while in atomic context. Thereforehandle such a secure storage access fault as if the accessed page is notmapped: the uaccess function will return -EFAULT, and the caller has todeal with this. Usually this means that the access is retried in processcontext, which allows to resolve the page fault (or in this case export thepage).

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38361 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/amd/display: Check dce_hwseq before dereferencing it[WHAT]hws was checked for null earlier in dce110_blank_stream, indicating hwscan be null, and should be checked whenever it is used.(cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38718 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: linearize cloned gso packets in sctp_rcvA cloned head skb still shares these frag skbs in fraglist with theoriginal head skb. It's not safe to access these frag skbs.syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211 sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998 sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x397/0xdb0 net/sctp/input.c:331 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1122 __release_sock+0x1da/0x330 net/core/sock.c:3106 release_sock+0x6b/0x250 net/core/sock.c:3660 sctp_wait_for_connect+0x487/0x820 net/sctp/socket.c:9360 sctp_sendmsg_to_asoc+0x1ec1/0x1f00 net/sctp/socket.c:1885 sctp_sendmsg+0x32b9/0x4a80 net/sctp/socket.c:2031 inet_sendmsg+0x25a/0x280 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:718 [inline]and BUG: KMSAN: uninit-value in sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_assoc_bh_rcv+0x34e/0xbc0 net/sctp/associola.c:987 sctp_inq_push+0x2a3/0x350 net/sctp/inqueue.c:88 sctp_backlog_rcv+0x3c7/0xda0 net/sctp/input.c:331 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 sctp_wait_for_connect+0x458/0x820 net/sctp/socket.c:9367 sctp_sendmsg_to_asoc+0x223a/0x2260 net/sctp/socket.c:1886 sctp_sendmsg+0x3910/0x49f0 net/sctp/socket.c:2032 inet_sendmsg+0x269/0x2a0 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline]This patch fixes it by linearizing cloned gso packets in sctp_rcv().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39673 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ppp: fix race conditions in ppp_fill_forward_pathppp_fill_forward_path() has two race conditions:1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic.2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL before pch is removed from ppp->channels.Fix these by using a lockless RCU approach:- Use list_first_or_null_rcu() to safely test and access the first list entry.- Convert list modifications on ppp->channels to their RCU variants and add synchronize_net() after removal.- Check for a NULL pch->chan before dereferencing it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39676 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: qla4xxx: Prevent a potential error pointer dereferenceThe qla4xxx_get_ep_fwdb() function is supposed to return NULL on error,but qla4xxx_ep_connect() returns error pointers. Propagating the errorpointers will lead to an Oops in the caller, so change the error pointersto NULL.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39683 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Limit access to parser->buffer when trace_get_user failedWhen the length of the string written to set_ftrace_filter exceedsFTRACE_BUFF_MAX, the following KASAN alarm will be triggered:BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0Read of size 1 at addr ffff0000d00bd5ba by task ash/165CPU: 1 UID: 0 PID: 165 Comm: ash Not tainted 6.16.0-g6bcdbd62bd56-dirtyHardware name: linux,dummy-virt (DT)Call trace: show_stack+0x34/0x50 (C) dump_stack_lvl+0xa0/0x158 print_address_description.constprop.0+0x88/0x398 print_report+0xb0/0x280 kasan_report+0xa4/0xf0 __asan_report_load1_noabort+0x20/0x30 strsep+0x18c/0x1b0 ftrace_process_regex.isra.0+0x100/0x2d8 ftrace_regex_release+0x484/0x618 __fput+0x364/0xa58 ____fput+0x28/0x40 task_work_run+0x154/0x278 do_notify_resume+0x1f0/0x220 el0_svc+0xec/0xf0 el0t_64_sync_handler+0xa0/0xe8 el0t_64_sync+0x1ac/0x1b0The reason is that trace_get_user will fail when processing a stringlonger than FTRACE_BUFF_MAX, but not set the end of parser->buffer to 0.Then an OOB access will be triggered in ftrace_regex_release->ftrace_process_regex->strsep->strpbrk. We can solve this problem bylimiting access to parser->buffer when trace_get_user failed.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39697 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:NFS: Fix a race when updating an existing writeAfter nfs_lock_and_join_requests() tests for whether the request isstill attached to the mapping, nothing prevents a call tonfs_inode_remove_request() from succeeding until we actually lock thepage group.The reason is that whoever called nfs_inode_remove_request() doesn'tnecessarily have a lock on the page group head.So in order to avoid races, let's take the page group lock earlier innfs_lock_and_join_requests(), and hold it across the removal of therequest in nfs_inode_remove_request().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39702 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv6: sr: Fix MAC comparison to be constant-timeTo prevent timing attacks, MACs need to be compared in constant time.Use the appropriate helper function for this.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39756 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs: Prevent file descriptor table allocations exceeding INT_MAXWhen sysctl_nr_open is set to a very high value (for example, 1073741816as set by systemd), processes attempting to use file descriptors nearthe limit can trigger massive memory allocation attempts that exceedINT_MAX, resulting in a WARNING in mm/slub.c: WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288This happens because kvmalloc_array() and kvmalloc() check if therequested size exceeds INT_MAX and emit a warning when the allocation isnot flagged with __GFP_NOWARN.Specifically, when nr_open is set to 1073741816 (0x3ffffff8) and aprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes- Multiple bitmaps: ~400MB- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)Reproducer:1. Set /proc/sys/fs/nr_open to 1073741816: # echo 1073741816 > /proc/sys/fs/nr_open2. Run a program that uses a high file descriptor: #include #include int main() { struct rlimit rlim = {1073741824, 1073741824}; setrlimit(RLIMIT_NOFILE, &rlim); dup2(2, 1073741880); // Triggers the warning return 0; }3. Observe WARNING in dmesg at mm/slub.c:5027systemd commit a8b627a introduced automatic bumping of fs.nr_open to themaximum possible value. The rationale was that systems with memorycontrol groups (memcg) no longer need separate file descriptor limitssince memory is properly accounted. However, this change overlookedthat:1. The kernel's allocation functions still enforce INT_MAX as a maximum size regardless of memcg accounting2. Programs and tests that legitimately test file descriptor limits can inadvertently trigger massive allocations3. The resulting allocations (>8GB) are impractical and will always failsystemd's algorithm starts with INT_MAX and keeps halving the valueuntil the kernel accepts it. On most systems, this results in nr_openbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of filedescriptors.While processes rarely use file descriptors near this limit in normaloperation, certain selftests (liketools/testing/selftests/core/unshare_test.c) and programs that test filedescriptor limits can trigger this issue.Fix this by adding a check in alloc_fdtable() to ensure the requestedallocation size does not exceed INT_MAX. This causes the operation tofail with -EMFILE instead of triggering a kernel warning and avoids theimpractical >8GB memory allocation request.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39794 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ARM: tegra: Use I/O memcpy to write to IRAMKasan crashes the kernel trying to check boundaries when using thenormal memcpy.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39805 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: macb: fix unregister_netdev call order in macb_remove()When removing a macb device, the driver calls phy_exit() beforeunregister_netdev(). This leads to a WARN from kernfs: ------------[ cut here ]------------ kernfs: can not remove 'attached_dev', no directory WARNING: CPU: 1 PID: 27146 at fs/kernfs/dir.c:1683 Call trace: kernfs_remove_by_name_ns+0xd8/0xf0 sysfs_remove_link+0x24/0x58 phy_detach+0x5c/0x168 phy_disconnect+0x4c/0x70 phylink_disconnect_phy+0x6c/0xc0 [phylink] macb_close+0x6c/0x170 [macb] ... macb_remove+0x60/0x168 [macb] platform_remove+0x5c/0x80 ...The warning happens because the PHY is being exited while the netdevis still registered. The correct order is to unregister the netdevbefore shutting down the PHY and cleaning up the MDIO bus.Fix this by moving unregister_netdev() ahead of phy_exit() inmacb_remove().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39813 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ftrace: Fix potential warning in trace_printk_seq during ftrace_dumpWhen calling ftrace_dump_one() concurrently with reading trace_pipe,a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a racecondition.The issue occurs because:CPU0 (ftrace_dump) CPU1 (reader)echo z > /proc/sysrq-trigger!trace_empty(&iter)trace_iterator_reset(&iter) <- len = size = 0 cat /sys/kernel/tracing/trace_pipetrace_find_next_entry_inc(&iter) __find_next_entry ring_buffer_empty_cpu <- all empty return NULLtrace_printk_seq(&iter.seq) WARN_ON_ONCE(s->seq.len >= s->seq.size)In the context between trace_empty() and trace_find_next_entry_inc()during ftrace_dump, the ring buffer data was consumed by other readers.This caused trace_find_next_entry_inc to return NULL, failing to populate`iter.seq`. At this point, due to the prior trace_iterator_reset, both`iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal,the WARN_ON_ONCE condition is triggered.Move the trace_printk_seq() into the if block that checks to make sure thereturn value of trace_find_next_entry_inc() is non-NULL inftrace_dump_one(), ensuring the 'iter.seq' is properly populated beforesubsequent operations.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39819 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:fs/smb: Fix inconsistent refcnt updateA possible inconsistent update of refcount was identified in `smb2_compound_op`.Such inconsistent update could lead to possible resource leaks.Why it is a possible bug:1. In the comment section of the function, it clearly states that thereference to `cfile` should be dropped after calling this function.2. Every control flow path would check and drop the reference to`cfile`, except the patched one.3. Existing callers would not handle refcount update of `cfile` if-ENOMEM is returned.To fix the bug, an extra goto label "out" is added, to make sure that thecleanup logic would always be respected. As the problem is caused by theallocation failure of `vars`, the cleanup logic between label "finished"and "out" can be safely ignored. According to the definition of function`is_replayable_error`, the error code of "-ENOMEM" is not recoverable.Therefore, the replay logic also gets ignored.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39841 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: lpfc: Fix buffer free/clear order in deferred receive pathFix a use-after-free window by correcting the buffer release sequence inthe deferred receive path. The code freed the RQ buffer first and onlythen cleared the context pointer under the lock. Concurrent paths (e.g.,ABTS and the repost path) also inspect and release the same pointer underthe lock, so the old order could lead to double-free/UAF.Note that the repost path already uses the correct pattern: detach thepointer under the lock, then free it after dropping the lock. Thedeferred path should do the same.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39851 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vxlan: Fix NPD when refreshing an FDB entry with a nexthop objectVXLAN FDB entries can point to either a remote destination or an FDBnexthop group. The latter is usually used in EVPN deployments wherelearning is disabled.However, when learning is enabled, an incoming packet might try torefresh an FDB entry that points to an FDB nexthop group and thereforedoes not have a remote. Such packets should be dropped, but they areonly dropped after dereferencing the non-existent remote, resulting in aNPD [1] which can be reproduced using [2].Fix by dropping such packets earlier. Remove the misleading comment fromfirst_remote_rcu().[1]BUG: kernel NULL pointer dereference, address: 0000000000000000[...]CPU: 13 UID: 0 PID: 361 Comm: mausezahn Not tainted 6.17.0-rc1-virtme-g9f6b606b6b37 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014RIP: 0010:vxlan_snoop+0x98/0x1e0[...]Call Trace: vxlan_encap_bypass+0x209/0x240 encap_bypass_if_local+0xb1/0x100 vxlan_xmit_one+0x1375/0x17e0 vxlan_xmit+0x6b4/0x15f0 dev_hard_start_xmit+0x5d/0x1c0 __dev_queue_xmit+0x246/0xfd0 packet_sendmsg+0x113a/0x1850 __sock_sendmsg+0x38/0x70 __sys_sendto+0x126/0x180 __x64_sys_sendto+0x24/0x30 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x4b/0x53[2] #!/bin/bash ip address add 192.0.2.1/32 dev lo ip address add 192.0.2.2/32 dev lo ip nexthop add id 1 via 192.0.2.3 fdb ip nexthop add id 10 group 1 fdb ip link add name vx0 up type vxlan id 10010 local 192.0.2.1 dstport 12345 localbypass ip link add name vx1 up type vxlan id 10020 local 192.0.2.2 dstport 54321 learning bridge fdb add 00:11:22:33:44:55 dev vx0 self static dst 192.0.2.2 port 54321 vni 10020 bridge fdb add 00:aa:bb:cc:dd:ee dev vx1 self static nhid 10 mausezahn vx0 -a 00:aa:bb:cc:dd:ee -b 00:11:22:33:44:55 -c 1 -q

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39859 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdogThe ptp_ocp_detach() only shuts down the watchdog timer if it ispending. However, if the timer handler is already running, thetimer_delete_sync() is not called. This leads to race conditionswhere the devlink that contains the ptp_ocp is deallocated whilethe timer handler is still accessing it, resulting in use-after-freebugs. The following details one of the race scenarios.(thread 1) | (thread 2)ptp_ocp_remove() | ptp_ocp_detach() | ptp_ocp_watchdog() if (timer_pending(&bp->watchdog))| bp = timer_container_of() timer_delete_sync() | | devlink_free(devlink) //free | | bp-> //useResolve this by unconditionally calling timer_delete_sync() to ensurethe timer is reliably deactivated, preventing any access after free.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39876 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()The function of_phy_find_device may return NULL, so we need to takecare before dereferencing phy_dev.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39881 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:kernfs: Fix UAF in polling when open file is releasedA use-after-free (UAF) vulnerability was identified in the PSI (PressureStall Information) monitoring mechanism:BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140Read of size 8 at addr ffff3de3d50bd308 by task systemd/1psi_trigger_poll+0x3c/0x140cgroup_pressure_poll+0x70/0xa0cgroup_file_poll+0x8c/0x100kernfs_fop_poll+0x11c/0x1c0ep_item_poll.isra.0+0x188/0x2c0Allocated by task 1:cgroup_file_open+0x88/0x388kernfs_fop_open+0x73c/0xaf0do_dentry_open+0x5fc/0x1200vfs_open+0xa0/0x3f0do_open+0x7e8/0xd08path_openat+0x2fc/0x6b0do_filp_open+0x174/0x368Freed by task 8462:cgroup_file_release+0x130/0x1f8kernfs_drain_open_files+0x17c/0x440kernfs_drain+0x2dc/0x360kernfs_show+0x1b8/0x288cgroup_file_show+0x150/0x268cgroup_pressure_write+0x1dc/0x340cgroup_file_write+0x274/0x548Reproduction Steps:1. Open test/cpu.pressure and establish epoll monitoring2. Disable monitoring: echo 0 > test/cgroup.pressure3. Re-enable monitoring: echo 1 > test/cgroup.pressureThe race condition occurs because:1. When cgroup.pressure is disabled (echo 0 > cgroup.pressure), it: - Releases PSI triggers via cgroup_file_release() - Frees of->priv through kernfs_drain_open_files()2. While epoll still holds reference to the file and continues polling3. Re-enabling (echo 1 > cgroup.pressure) accesses freed of->privepolling disable/enable cgroup.pressurefd=open(cpu.pressure)while(1)...epoll_waitkernfs_fop_pollkernfs_get_active = true echo 0 > cgroup.pressure... cgroup_file_show kernfs_show // inactive kn kernfs_drain_open_files cft->release(of); kfree(ctx); ...kernfs_get_active = false echo 1 > cgroup.pressure kernfs_show kernfs_activate_one(kn);kernfs_fop_pollkernfs_get_active = truecgroup_file_pollpsi_trigger_poll// UAF...end: close(fd)To address this issue, introduce kernfs_get_active_of() for kernfs openfiles to obtain active references. This function will fail if the open filehas been released. Replace kernfs_get_active() with kernfs_get_active_of()to prevent further operations on released file descriptors.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39895 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:sched: Fix sched_numa_find_nth_cpu() if mask offlinesched_numa_find_nth_cpu() uses a bsearch to look for the 'closest'CPU in sched_domains_numa_masks and given cpus mask. However theymight not intersect if all CPUs in the cpus mask are offline. bsearchwill return NULL in that case, bail out instead of dereferencing abogus pointer.The previous behaviour lead to this bug when using maxcpus=4 on anrk3399 (LLLLbb) (i.e. booting with all big CPUs offline):[ 1.422922] Unable to handle kernel paging request at virtual address ffffff8000000000[ 1.423635] Mem abort info:[ 1.423889] ESR = 0x0000000096000006[ 1.424227] EC = 0x25: DABT (current EL), IL = 32 bits[ 1.424715] SET = 0, FnV = 0[ 1.424995] EA = 0, S1PTW = 0[ 1.425279] FSC = 0x06: level 2 translation fault[ 1.425735] Data abort info:[ 1.425998] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000[ 1.426499] CM = 0, WnR = 0, TnD = 0, TagAccess = 0[ 1.426952] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0[ 1.427428] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000004a9f000[ 1.428038] [ffffff8000000000] pgd=18000000f7fff403, p4d=18000000f7fff403, pud=18000000f7fff403, pmd=0000000000000000[ 1.429014] Internal error: Oops: 0000000096000006 [#1] SMP[ 1.429525] Modules linked in:[ 1.429813] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.0-rc4-dirty #343 PREEMPT[ 1.430559] Hardware name: Pine64 RockPro64 v2.1 (DT)[ 1.431012] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 1.431634] pc : sched_numa_find_nth_cpu+0x2a0/0x488[ 1.432094] lr : sched_numa_find_nth_cpu+0x284/0x488[ 1.432543] sp : ffffffc084e1b960[ 1.432843] x29: ffffffc084e1b960 x28: ffffff80078a8800 x27: ffffffc0846eb1d0[ 1.433495] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000[ 1.434144] x23: 0000000000000000 x22: fffffffffff7f093 x21: ffffffc081de6378[ 1.434792] x20: 0000000000000000 x19: 0000000ffff7f093 x18: 00000000ffffffff[ 1.435441] x17: 3030303866666666 x16: 66663d736b73616d x15: ffffffc104e1b5b7[ 1.436091] x14: 0000000000000000 x13: ffffffc084712860 x12: 0000000000000372[ 1.436739] x11: 0000000000000126 x10: ffffffc08476a860 x9 : ffffffc084712860[ 1.437389] x8 : 00000000ffffefff x7 : ffffffc08476a860 x6 : 0000000000000000[ 1.438036] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000[ 1.438683] x2 : 0000000000000000 x1 : ffffffc0846eb000 x0 : ffffff8000407b68[ 1.439332] Call trace:[ 1.439559] sched_numa_find_nth_cpu+0x2a0/0x488 (P)[ 1.440016] smp_call_function_any+0xc8/0xd0[ 1.440416] armv8_pmu_init+0x58/0x27c[ 1.440770] armv8_cortex_a72_pmu_init+0x20/0x2c[ 1.441199] arm_pmu_device_probe+0x1e4/0x5e8[ 1.441603] armv8_pmu_device_probe+0x1c/0x28[ 1.442007] platform_probe+0x5c/0xac[ 1.442347] really_probe+0xbc/0x298[ 1.442683] __driver_probe_device+0x78/0x12c[ 1.443087] driver_probe_device+0xdc/0x160[ 1.443475] __driver_attach+0x94/0x19c[ 1.443833] bus_for_each_dev+0x74/0xd4[ 1.444190] driver_attach+0x24/0x30[ 1.444525] bus_add_driver+0xe4/0x208[ 1.444874] driver_register+0x60/0x128[ 1.445233] __platform_driver_register+0x24/0x30[ 1.445662] armv8_pmu_driver_init+0x28/0x4c[ 1.446059] do_one_initcall+0x44/0x25c[ 1.446416] kernel_init_freeable+0x1dc/0x3bc[ 1.446820] kernel_init+0x20/0x1d8[ 1.447151] ret_from_fork+0x10/0x20[ 1.447493] Code: 90022e21 f000e5f5 910de2b5 2a1703e2 (f8767803)[ 1.448040] ---[ end trace 0000000000000000 ]---[ 1.448483] note: swapper/0[1] exited with preempt_count 1[ 1.449047] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b[ 1.449741] SMP: stopping secondary CPUs[ 1.450105] Kernel Offset: disabled[ 1.450419] CPU features: 0x000000,00080000,20002001,0400421b[ ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39902 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/slub: avoid accessing metadata when pointer is invalid in object_err()object_err() reports details of an object for further debugging, such asthe freelist pointer, redzone, etc. However, if the pointer is invalid,attempting to access object metadata can lead to a crash since it doesnot point to a valid object.One known path to the crash is when alloc_consistency_checks()determines the pointer to the allocated object is invalid because of afreelist corruption, and calls object_err() to report it. The debug codeshould report and handle the corruption gracefully and not crash in theprocess.In case the pointer is NULL or check_valid_pointer() returns false forthe pointer, only print the pointer value and skip accessing metadata.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39911 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error pathIf request_irq() in i40e_vsi_request_irq_msix() fails in an iterationlater than the first, the error path wants to free the IRQs requestedso far. However, it uses the wrong dev_id argument for free_irq(), soit does not free the IRQs correctly and instead triggers the warning: Trying to free already-free IRQ 173 WARNING: CPU: 25 PID: 1091 at kernel/irq/manage.c:1829 __free_irq+0x192/0x2c0 Modules linked in: i40e(+) [...] CPU: 25 UID: 0 PID: 1091 Comm: NetworkManager Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:__free_irq+0x192/0x2c0 [...] Call Trace: free_irq+0x32/0x70 i40e_vsi_request_irq_msix.cold+0x63/0x8b [i40e] i40e_vsi_request_irq+0x79/0x80 [i40e] i40e_vsi_open+0x21f/0x2f0 [i40e] i40e_open+0x63/0x130 [i40e] __dev_open+0xfc/0x210 __dev_change_flags+0x1fc/0x240 netif_change_flags+0x27/0x70 do_setlink.isra.0+0x341/0xc70 rtnl_newlink+0x468/0x860 rtnetlink_rcv_msg+0x375/0x450 netlink_rcv_skb+0x5c/0x110 netlink_unicast+0x288/0x3c0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x3a2/0x3d0 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x82/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] ---[ end trace 0000000000000000 ]---Use the same dev_id for free_irq() as for request_irq().I tested this with inserting code to fail intentionally.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39931 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: af_alg - Set merge to zero early in af_alg_sendmsgIf an error causes af_alg_sendmsg to abort, ctx->merge may containa garbage value from the previous loop. This may then trigger acrash on the next entry into af_alg_sendmsg when it attempts to doa merge that can't be done.Fix this by setting ctx->merge to zero near the start of the loop.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39934 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm: bridge: anx7625: Fix NULL pointer dereference with early IRQIf the interrupt occurs before resource initialization is complete, theinterrupt handler/worker may access uninitialized data such as the I2Ctcpc_client device, potentially leading to NULL pointer dereference.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39937 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointerSince commit 7d5e9737efda ("net: rfkill: gpio: get the name and type fromdevice property") rfkill_find_type() gets called with the possiblyuninitialized "const char *type_name;" local variable.On x86 systems when rfkill-gpio binds to a "BCM4752" or "LNV4752"acpi_device, the rfkill->type is set based on the ACPI acpi_device_id: rfkill->type = (unsigned)id->driver_data;and there is no "type" property so device_property_read_string() will failand leave type_name uninitialized, leading to a potential crash.rfkill_find_type() does accept a NULL pointer, fix the potential crashby initializing type_name to NULL.Note likely sofar this has not been caught because:1. Not many x86 machines actually have a "BCM4752"/"LNV4752" acpi_device2. The stack happened to contain NULL where type_name is stored

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39938 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failedIf earlier opening of source graph fails (e.g. ADSP rejects due toincorrect audioreach topology), the graph is closed and"dai_data->graph[dai->id]" is assigned NULL. Preparing the DAI for sinkgraph continues though and next call to q6apm_lpass_dai_prepare()receives dai_data->graph[dai->id]=NULL leading to NULL pointerexception: qcom-apm gprsvc:service:2:1: Error (1) Processing 0x01001002 cmd qcom-apm gprsvc:service:2:1: DSP returned error[1001002] 1 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: fail to start APM port 78 q6apm-lpass-dais 30000000.remoteproc:glink-edge:gpr:service@1:bedais: ASoC: error at snd_soc_pcm_dai_prepare on TX_CODEC_DMA_TX_3: -22 Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8 ... Call trace: q6apm_graph_media_format_pcm+0x48/0x120 (P) q6apm_lpass_dai_prepare+0x110/0x1b4 snd_soc_pcm_dai_prepare+0x74/0x108 __soc_pcm_prepare+0x44/0x160 dpcm_be_dai_prepare+0x124/0x1c0

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39944 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp()The original code relies on cancel_delayed_work() in otx2_ptp_destroy(),which does not ensure that the delayed work item synctstamp_work has fullycompleted if it was already running. This leads to use-after-free scenarioswhere otx2_ptp is deallocated by otx2_ptp_destroy(), while synctstamp_workremains active and attempts to dereference otx2_ptp in otx2_sync_tstamp().Furthermore, the synctstamp_work is cyclic, the likelihood of triggeringthe bug is nonnegligible.A typical race condition is illustrated below:CPU 0 (cleanup) | CPU 1 (delayed work callback)otx2_remove() | otx2_ptp_destroy() | otx2_sync_tstamp() cancel_delayed_work() | kfree(ptp) | | ptp = container_of(...); //UAF | ptp-> //UAFThis is confirmed by a KASAN report:BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0Write of size 8 at addr ffff88800aa09a18 by task bash/136...Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 run_timer_softirq+0xd1/0x190 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...Allocated by task 1: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 otx2_ptp_init+0xb1/0x860 otx2_probe+0x4eb/0xc30 local_pci_probe+0xdc/0x190 pci_device_probe+0x2fe/0x470 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __driver_attach+0xd2/0x310 bus_for_each_dev+0xed/0x170 bus_add_driver+0x208/0x500 driver_register+0x132/0x460 do_one_initcall+0x89/0x300 kernel_init_freeable+0x40d/0x720 kernel_init+0x1a/0x150 ret_from_fork+0x10c/0x1a0 ret_from_fork_asm+0x1a/0x30Freed by task 136: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 otx2_ptp_destroy+0x38/0x80 otx2_remove+0x10d/0x4c0 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0xf8/0x210 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device_locked+0x15/0x30 remove_store+0xcc/0xe0 kernfs_fop_write_iter+0x2c3/0x440 vfs_write+0x871/0xd70 ksys_write+0xee/0x1c0 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f...Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensurethat the delayed work item is properly canceled before the otx2_ptp isdeallocated.This bug was initially identified through static analysis. To reproduceand test it, I simulated the OcteonTX2 PCI device in QEMU and introducedartificial delays within the otx2_sync_tstamp() function to increase thelikelihood of triggering the bug.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39946 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tls: make sure to abort the stream if headers are bogusNormally we wait for the socket to buffer up the whole recordbefore we service it. If the socket has a tiny buffer, however,we read out the data sooner, to prevent connection stalls.Make sure that we abort the connection when we find out latethat the record is actually invalid. Retrying the parsing isfine in itself but since we copy some more data each timebefore we parse we can overflow the allocated skb space.Constructing a scenario in which we're under pressure withoutenough data in the socket to parse the length upfront is quitehard. syzbot figured out a way to do this by serving us the headerin small OOB sends, and then filling in the recvbuf with a largenormal send.Make sure that tls_rx_msg_size() aborts strp, if we reachan invalid record there's really no way to recover.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39982 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_syncThis fixes the following UFA in hci_acl_create_conn_sync where aconnection still pending is command submission (conn->state == BT_OPEN)maybe freed, also since this also can happen with the likes ofhci_le_create_conn_sync fix it as well:BUG: KASAN: slab-use-after-free in hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861Write of size 2 at addr ffff88805ffcc038 by task kworker/u11:2/9541CPU: 1 UID: 0 PID: 9541 Comm: kworker/u11:2 Not tainted 6.16.0-rc7 #3 PREEMPT(full)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014Workqueue: hci3 hci_cmd_sync_workCall Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x230 mm/kasan/report.c:480 kasan_report+0x118/0x150 mm/kasan/report.c:593 hci_acl_create_conn_sync+0x5ef/0x790 net/bluetooth/hci_sync.c:6861 hci_cmd_sync_work+0x210/0x3a0 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/source/fuzzing/kernel/kasan/linux-6.16-rc7/arch/x86/entry/entry_64.S:245 Allocated by task 123736: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] __hci_conn_add+0x233/0x1b30 net/bluetooth/hci_conn.c:939 hci_conn_add_unset net/bluetooth/hci_conn.c:1051 [inline] hci_connect_acl+0x16c/0x4e0 net/bluetooth/hci_conn.c:1634 pair_device+0x418/0xa70 net/bluetooth/mgmt.c:3556 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x54b/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fFreed by task 103680: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x18e/0x440 mm/slub.c:4842 device_release+0x9c/0x1c0 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x22b/0x480 lib/kobject.c:737 hci_conn_cleanup net/bluetooth/hci_conn.c:175 [inline] hci_conn_del+0x8ff/0xcb0 net/bluetooth/hci_conn.c:1173 hci_conn_complete_evt+0x3c7/0x1040 net/bluetooth/hci_event.c:3199 hci_event_func net/bluetooth/hci_event.c:7477 [inline] hci_event_packet+0x7e0/0x1200 net/bluetooth/hci_event.c:7531 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4070 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 home/kwqcheii/sour---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39985 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflowSending an PF_PACKET allows to bypass the CAN framework logic and todirectly reach the xmit() function of a CAN driver. The only checkwhich is performed by the PF_PACKET framework is to make sure thatskb->len fits the interface's MTU.Unfortunately, because the mcba_usb driver does not populate itsnet_device_ops->ndo_change_mtu(), it is possible for an attacker toconfigure an invalid MTU by doing, for example: $ ip link set can0 mtu 9999After doing so, the attacker could open a PF_PACKET socket using theETH_P_CANXL protocol: socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))to inject a malicious CAN XL frames. For example: struct canxl_frame frame = { .flags = 0xff, .len = 2048, };The CAN drivers' xmit() function are calling can_dev_dropped_skb() tocheck that the skb is valid, unfortunately under above conditions, themalicious packet is able to go through can_dev_dropped_skb() checks: 1. the skb->protocol is set to ETH_P_CANXL which is valid (the function does not check the actual device capabilities). 2. the length is a valid CAN XL length.And so, mcba_usb_start_xmit() receives a CAN XL frame which it is notable to correctly handle and will thus misinterpret it as a CAN frame.This can result in a buffer overflow. The driver will consume cf->lenas-is with no further checks on these lines: usb_msg.dlc = cf->len; memcpy(usb_msg.data, cf->data, usb_msg.dlc);Here, cf->len corresponds to the flags field of the CAN XL frame. Inour previous example, we set canxl_frame->flags to 0xff. Because themaximum expected length is 8, a buffer overflow of 247 bytes occurs!Populate net_device_ops->ndo_change_mtu() to ensure that theinterface's MTU can not be set to anything bigger than CAN_MTU. Byfixing the root cause, this prevents the buffer overflow.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39986 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflowSending an PF_PACKET allows to bypass the CAN framework logic and todirectly reach the xmit() function of a CAN driver. The only checkwhich is performed by the PF_PACKET framework is to make sure thatskb->len fits the interface's MTU.Unfortunately, because the sun4i_can driver does not populate itsnet_device_ops->ndo_change_mtu(), it is possible for an attacker toconfigure an invalid MTU by doing, for example: $ ip link set can0 mtu 9999After doing so, the attacker could open a PF_PACKET socket using theETH_P_CANXL protocol: socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))to inject a malicious CAN XL frames. For example: struct canxl_frame frame = { .flags = 0xff, .len = 2048, };The CAN drivers' xmit() function are calling can_dev_dropped_skb() tocheck that the skb is valid, unfortunately under above conditions, themalicious packet is able to go through can_dev_dropped_skb() checks: 1. the skb->protocol is set to ETH_P_CANXL which is valid (the function does not check the actual device capabilities). 2. the length is a valid CAN XL length.And so, sun4ican_start_xmit() receives a CAN XL frame which it is notable to correctly handle and will thus misinterpret it as a CAN frame.This can result in a buffer overflow. The driver will consume cf->lenas-is with no further checks on this line: dlc = cf->len;Here, cf->len corresponds to the flags field of the CAN XL frame. Inour previous example, we set canxl_frame->flags to 0xff. Because themaximum expected length is 8, a buffer overflow of 247 bytes occurs acouple line below when doing: for (i = 0; i < dlc; i++) writel(cf->data[i], priv->base + (dreg + i * 4));Populate net_device_ops->ndo_change_mtu() to ensure that theinterface's MTU can not be set to anything bigger than CAN_MTU. Byfixing the root cause, this prevents the buffer overflow.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39987 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: hi311x: populate ndo_change_mtu() to prevent buffer overflowSending an PF_PACKET allows to bypass the CAN framework logic and todirectly reach the xmit() function of a CAN driver. The only checkwhich is performed by the PF_PACKET framework is to make sure thatskb->len fits the interface's MTU.Unfortunately, because the sun4i_can driver does not populate itsnet_device_ops->ndo_change_mtu(), it is possible for an attacker toconfigure an invalid MTU by doing, for example: $ ip link set can0 mtu 9999After doing so, the attacker could open a PF_PACKET socket using theETH_P_CANXL protocol: socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL))to inject a malicious CAN XL frames. For example: struct canxl_frame frame = { .flags = 0xff, .len = 2048, };The CAN drivers' xmit() function are calling can_dev_dropped_skb() tocheck that the skb is valid, unfortunately under above conditions, themalicious packet is able to go through can_dev_dropped_skb() checks: 1. the skb->protocol is set to ETH_P_CANXL which is valid (the function does not check the actual device capabilities). 2. the length is a valid CAN XL length.And so, hi3110_hard_start_xmit() receives a CAN XL frame which it isnot able to correctly handle and will thus misinterpret it as a CANframe. The driver will consume frame->len as-is with no furtherchecks.This can result in a buffer overflow later on in hi3110_hw_tx() onthis line: memcpy(buf + HI3110_FIFO_EXT_DATA_OFF, frame->data, frame->len);Here, frame->len corresponds to the flags field of the CAN XL frame.In our previous example, we set canxl_frame->flags to 0xff. Becausethe maximum expected length is 8, a buffer overflow of 247 bytesoccurs!Populate net_device_ops->ndo_change_mtu() to ensure that theinterface's MTU can not be set to anything bigger than CAN_MTU. Byfixing the root cause, this prevents the buffer overflow.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39988 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflowSending an PF_PACKET allows to bypass the CAN framework logic and todirectly reach the xmit() function of a CAN driver. The only checkwhich is performed by the PF_PACKET framework is to make sure thatskb->len fits the interface's MTU.Unfortunately, because the etas_es58x driver does not populate itsnet_device_ops->ndo_change_mtu(), it is possible for an attacker toconfigure an invalid MTU by doing, for example: $ ip link set can0 mtu 9999After doing so, the attacker could open a PF_PACKET socket using theETH_P_CANXL protocol: socket(PF_PACKET, SOCK_RAW, htons(ETH_P_CANXL));to inject a malicious CAN XL frames. For example: struct canxl_frame frame = { .flags = 0xff, .len = 2048, };The CAN drivers' xmit() function are calling can_dev_dropped_skb() tocheck that the skb is valid, unfortunately under above conditions, themalicious packet is able to go through can_dev_dropped_skb() checks: 1. the skb->protocol is set to ETH_P_CANXL which is valid (the function does not check the actual device capabilities). 2. the length is a valid CAN XL length.And so, es58x_start_xmit() receives a CAN XL frame which it is notable to correctly handle and will thus misinterpret it as a CAN(FD)frame.This can result in a buffer overflow. For example, using the es581.4variant, the frame will be dispatched to es581_4_tx_can_msg(), gothrough the last check at the beginning of this function: if (can_is_canfd_skb(skb)) return -EMSGSIZE;and reach this line: memcpy(tx_can_msg->data, cf->data, cf->len);Here, cf->len corresponds to the flags field of the CAN XL frame. Inour previous example, we set canxl_frame->flags to 0xff. Because themaximum expected length is 8, a buffer overflow of 247 bytes occurs!Populate net_device_ops->ndo_change_mtu() to ensure that theinterface's MTU can not be set to anything bigger than CAN_MTU orCANFD_MTU (depending on the device capabilities). By fixing the rootcause, this prevents the buffer overflow.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39991 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()If ab->fw.m3_data points to data, then fw pointer remains null.Further, if m3_mem is not allocated, then fw is dereferenced to bepassed to ath11k_err function.Replace fw->size by m3_len.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39993 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: rc: fix races with imon_disconnect()Syzbot reports a KASAN issue as below:BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:88 [inline]dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106print_address_description mm/kasan/report.c:317 [inline]print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433kasan_report+0xb1/0x1e0 mm/kasan/report.c:495__create_pipe include/linux/usb.h:1945 [inline]send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991vfs_write+0x2d7/0xdd0 fs/read_write.c:576ksys_write+0x127/0x250 fs/read_write.c:631do_syscall_x64 arch/x86/entry/common.c:50 [inline]do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80entry_SYSCALL_64_after_hwframe+0x63/0xcdThe iMON driver improperly releases the usb_device reference inimon_disconnect without coordinating with active users of thedevice.Specifically, the fields usbdev_intf0 and usbdev_intf1 are notprotected by the users counter (ictx->users). During probe,imon_init_intf0 or imon_init_intf1 increments the usb_devicereference count depending on the interface. However, duringdisconnect, usb_put_dev is called unconditionally, regardless ofactual usage.As a result, if vfd_write or other operations are still inprogress after disconnect, this can lead to a use-after-free ofthe usb_device pointer.Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1)...while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAFGuard access to usbdev_intf0 and usbdev_intf1 after disconnect bychecking ictx->disconnected in all writer paths. Add early returnwith -ENODEV in send_packet(), vfd_write(), lcd_write() anddisplay_open() if the device is no longer present.Set and read ictx->disconnected under ictx->lock to ensure memorysynchronization. Acquire the lock in imon_disconnect() before settingthe flag to synchronize with any ongoing operations.Ensure writers exit early and safely after disconnect before the USBcore proceeds with cleanup.Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39994 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: tuner: xc5000: Fix use-after-free in xc5000_releaseThe original code uses cancel_delayed_work() in xc5000_release(), whichdoes not guarantee that the delayed work item timer_sleep has fullycompleted if it was already running. This leads to use-after-free scenarioswhere xc5000_release() may free the xc5000_priv while timer_sleep is stillactive and attempts to dereference the xc5000_priv.A typical race condition is illustrated below:CPU 0 (release thread) | CPU 1 (delayed work callback)xc5000_release() | xc5000_do_timer_sleep() cancel_delayed_work() | hybrid_tuner_release_state(priv) | kfree(priv) | | priv = container_of() // UAFReplace cancel_delayed_work() with cancel_delayed_work_sync() to ensurethat the timer_sleep is properly canceled before the xc5000_priv memoryis deallocated.A deadlock concern was considered: xc5000_release() is called in a processcontext and is not holding any locks that the timer_sleep work item mightalso need. Therefore, the use of the _sync() variant is safe here.This bug was initially identified through static analysis.[hverkuil: fix typo in Subject: tunner -> tuner]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39995 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probeThe state->timer is a cyclic timer that schedules work_i2c_poll anddelayed_work_enable_hotplug, while rearming itself. Using timer_delete()fails to guarantee the timer isn't still running when destroyed, similarlycancel_delayed_work() cannot ensure delayed_work_enable_hotplug hasterminated if already executing. During probe failure after timerinitialization, these may continue running as orphans and reference thealready-freed tc358743_state object through tc358743_irq_poll_timer.The following is the trace captured by KASAN.BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0...Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __pfx_sched_balance_find_src_group+0x10/0x10 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? rcu_sched_clock_irq+0xb06/0x27d0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? try_to_wake_up+0xb15/0x1960 ? tmigr_update_events+0x280/0x740 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 tmigr_handle_remote_up+0x603/0x7e0 ? __pfx_tmigr_handle_remote_up+0x10/0x10 ? sched_balance_trigger+0x98/0x9f0 ? sched_tick+0x221/0x5a0 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? tick_nohz_handler+0x339/0x440 ? __pfx_tmigr_handle_remote_up+0x10/0x10 __walk_groups.isra.0+0x42/0x150 tmigr_handle_remote+0x1f4/0x2e0 ? __pfx_tmigr_handle_remote+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 ? hrtimer_interrupt+0x322/0x780 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...Allocated by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_node_track_caller_noprof+0x198/0x430 devm_kmalloc+0x7b/0x1e0 tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7fFreed by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 release_nodes+0xa4/0x100 devres_release_group+0x1b2/0x380 i2c_device_probe+0x694/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f...Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()with cancel_delayed_work_sync() to ensure proper termination of timer andwork items before resource cleanup.This bug was initially identified through static analysis. For reproductionand testing, I created a functional emulation of the tc358743 device via akernel module and introduced faults through the debugfs interface.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39996 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_removeThe original code uses cancel_delayed_work() in flexcop_pci_remove(), whichdoes not guarantee that the delayed work item irq_check_work has fullycompleted if it was already running. This leads to use-after-free scenarioswhere flexcop_pci_remove() may free the flexcop_device while irq_check_workis still active and attempts to dereference the device.A typical race condition is illustrated below:CPU 0 (remove) | CPU 1 (delayed work callback)flexcop_pci_remove() | flexcop_pci_irq_check_work() cancel_delayed_work() | flexcop_device_kfree(fc_pci->fc_dev) | | fc = fc_pci->fc_dev; // UAFThis is confirmed by a KASAN report:==================================================================BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0Write of size 8 at addr ffff8880093aa8c8 by task bash/135...Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 run_timer_softirq+0xd1/0x190 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ...Allocated by task 1: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x1be/0x460 flexcop_device_kmalloc+0x54/0xe0 flexcop_pci_probe+0x1f/0x9d0 local_pci_probe+0xdc/0x190 pci_device_probe+0x2fe/0x470 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __driver_attach+0xd2/0x310 bus_for_each_dev+0xed/0x170 bus_add_driver+0x208/0x500 driver_register+0x132/0x460 do_one_initcall+0x89/0x300 kernel_init_freeable+0x40d/0x720 kernel_init+0x1a/0x150 ret_from_fork+0x10c/0x1a0 ret_from_fork_asm+0x1a/0x30Freed by task 135: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 flexcop_device_kfree+0x32/0x50 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0xf8/0x210 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device_locked+0x15/0x30 remove_store+0xcc/0xe0 kernfs_fop_write_iter+0x2c3/0x440 vfs_write+0x871/0xd70 ksys_write+0xee/0x1c0 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f...Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensurethat the delayed work item is properly canceled and any executing delayedwork has finished before the device memory is deallocated.This bug was initially identified through static analysis. To reproduceand test it, I simulated the B2C2 FlexCop PCI device in QEMU and introducedartificial delays within the flexcop_pci_irq_check_work() function toincrease the likelihood of triggering the bug.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39997 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_freeThe previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly atremoval") patched a UAF issue caused by the error timer.However, because the error timer kill added in this patch occurs after theendpoint delete, a race condition to UAF still occurs, albeit rarely.Additionally, since kill-cleanup for urb is also missing, freed memory canbe accessed in interrupt context related to urb, which can cause UAF.Therefore, to prevent this, error timer and urb must be killed beforefreeing the heap memory.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40000 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries toaccess already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258It is a consequence of a race between the waiting and the signaling sideof the completion: Waiting thread Completing threadrtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40010 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:afs: Fix potential null pointer dereference in afs_put_serverafs_put_server() accessed server->debug_id before the NULL check, whichcould lead to a null pointer dereference. Move the debug_id assignment,ensuring we never dereference a NULL server pointer.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40011 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:drm/gma500: Fix null dereference in hdmi teardownpci_set_drvdata sets the value of pdev->driver_data to NULL,after which the driver_data obtained from the same dev isdereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev isextracted from it. To prevent this, swap these calls.Found by Linux Verification Center (linuxtesting.org) with Svacer.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40013 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ASoC: qcom: audioreach: fix potential null pointer dereferenceIt is possible that the topology parsing functionaudioreach_widget_load_module_common() could return NULL or an errorpointer. Add missing NULL check so that we do not dereference it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40029 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bus: fsl-mc: Check return value of platform_get_resource()platform_get_resource() returns NULL in case of failure, so check itsreturn value and propagate the error in order to prevent NULL pointerdereference.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40030 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pinctrl: check the return value of pinmux_ops::get_function_name()While the API contract in docs doesn't specify it explicitly, thegeneric implementation of the get_function_name() callback from structpinmux_ops - pinmux_generic_get_function_name() - can fail and returnNULL. This is already checked in pinmux_check_ops() so add a similarcheck in pinmux_func_name_to_selector() instead of passing the returnedpointer right down to strcmp() where the NULL can get dereferenced. Thisis normal operation when adding new pinfunctions.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40035 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leakStruct ff_effect_compat is embedded twice insideuinput_ff_upload_compat, contains internal padding. In particular, thereis a hole after struct ff_replay to satisfy alignment requirements forthe following union member. Without clearing the structure,copy_to_user() may leak stack data to userspace.Initialize ff_up_compat to zero before filling valid fields.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40036 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:misc: fastrpc: fix possible map leak in fastrpc_put_argscopy_to_user() failure would cause an early return without cleaning upthe fdlist, which has been updated by the DSP. This could lead to mapleak. Fix this by redirecting to a cleanup path on failure, ensuringthat all mapped buffers are properly released before returning.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40038 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't validSkip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIPisn't valid, e.g. because KVM is running with nrips=false. SVM mustdecode and emulate to skip the instruction if the CPU doesn't provide thenext RIP, and getting the instruction bytes to decode requires readingguest memory. Reading guest memory through the emulator can fault, i.e.can sleep, which is disallowed since the fastpath handlers run with IRQsdisabled. BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu preempt_count: 1, expected: 0 INFO: lockdep is turned off. irq event stamp: 30580 hardirqs last enabled at (30579): [] vcpu_run+0x1787/0x1db0 [kvm] hardirqs last disabled at (30580): [] __schedule+0x1e2/0xed0 softirqs last enabled at (30570): [] fpu_swap_kvm_fpstate+0x44/0x210 softirqs last disabled at (30568): [] fpu_swap_kvm_fpstate+0x44/0x210 CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE Tainted: [U]=USER Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025 Call Trace: dump_stack_lvl+0x7d/0xb0 __might_resched+0x271/0x290 __might_fault+0x28/0x80 kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm] kvm_fetch_guest_virt+0x92/0xc0 [kvm] __do_insn_fetch_bytes+0xf3/0x1e0 [kvm] x86_decode_insn+0xd1/0x1010 [kvm] x86_emulate_instruction+0x105/0x810 [kvm] __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd] handle_fastpath_invd+0xc4/0x1a0 [kvm] vcpu_run+0x11a1/0x1db0 [kvm] kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm] kvm_vcpu_ioctl+0x578/0x6a0 [kvm] __se_sys_ioctl+0x6d/0xb0 do_syscall_64+0x8a/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f479d57a94b Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM:Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but withdifferent justification (KVM now grabs SRCU when skipping the instructionfor other reasons).

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40040 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:mm/ksm: fix flag-dropping behavior in ksm_madvisesyzkaller discovered the following crash: (kernel BUG)[ 44.607039] ------------[ cut here ]------------[ 44.607422] kernel BUG at mm/userfaultfd.c:2067![ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI[ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none)[ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014[ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460[ 44.617726] Call Trace:[ 44.617926] [ 44.619284] userfaultfd_release+0xef/0x1b0[ 44.620976] __fput+0x3f9/0xb60[ 44.621240] fput_close_sync+0x110/0x210[ 44.622222] __x64_sys_close+0x8f/0x120[ 44.622530] do_syscall_64+0x5b/0x2f0[ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e[ 44.623244] RIP: 0033:0x7f365bb3f227Kernel panics because it detects UFFD inconsistency duringuserfaultfd_release_all(). Specifically, a VMA which has a valid pointerto vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags.The inconsistency is caused in ksm_madvise(): when user calls madvise()with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode,it accidentally clears all flags stored in the upper 32 bits ofvma->vm_flags.Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int andint are 32-bit wide. This setup causes the following mishap during the &=~VM_MERGEABLE assignment.VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is thenpromoted to unsigned long before the & operation. This promotion fillsupper 32 bits with leading 0s, as we're doing unsigned conversion (andeven for a signed conversion, this wouldn't help as the leading bit is 0).& operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffffinstead of intended 0xffff'ffff'7fff'ffff and hence accidentally clearsthe upper 32-bits of its value.Fix it by changing `VM_MERGEABLE` constant to unsigned long, using theBIT() macro.Note: other VM_* flags are not affected: This only happens to theVM_MERGEABLE flag, as the other VM_* flags are all constants of type intand after ~ operation, they end up with leading 1 and are thus convertedto unsigned long with leading 1s.Note 2:After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this isno longer a kernel BUG, but a WARNING at the same place:[ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067but the root-cause (flag-drop) remains the same.[akpm@linux-foundation.org: rust bindgen wasn't able to handle BIT(), from Miguel]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40048 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:uio_hv_generic: Let userspace take care of interrupt maskRemove the logic to set interrupt mask by default in uio_hv_genericdriver as the interrupt mask value is supposed to be controlledcompletely by the user space. If the mask bit gets changedby the driver, concurrently with user mode operating on the ring,the mask bit may be set when it is supposed to be clear, and theuser-mode driver will miss an interrupt which will cause a hang.For eg- when the driver sets inbound ring buffer interrupt mask to 1,the host does not interrupt the guest on the UIO VMBus channel.However, setting the mask does not prevent the host from putting amessage in the inbound ring buffer. So let's assume that happens,the host puts a message into the ring buffer but does not interrupt.Subsequently, the user space code in the guest sets the inbound ringbuffer interrupt mask to 0, saying "Hey, I'm ready for interrupts".User space code then calls pread() to wait for an interrupt.Then one of two things happens:* The host never sends another message. So the pread() waits forever.* The host does send another message. But because there's already a message in the ring buffer, it doesn't generate an interrupt. This is the correct behavior, because the host should only send an interrupt when the inbound ring buffer transitions from empty to not-empty. Adding an additional message to a ring buffer that is not empty is not supposed to generate an interrupt on the guest. Since the guest is waiting in pread() and not removing messages from the ring buffer, the pread() waits forever.This could be easily reproduced in hv_fcopy_uio_daemon if we delaysetting interrupt mask to 0.Similarly if hv_uio_channel_cb() sets the interrupt_mask to 1,there's a race condition. Once user space empties the inbound ringbuffer, but before user space sets interrupt_mask to 0, the host couldput another message in the ring buffer but it wouldn't interrupt.Then the next pread() would hang.Fix these by removing all instances where interrupt_mask is changed,while keeping the one in set_event() unchanged to enable userspacecontrol the interrupt mask by writing 0/1 to /dev/uioX.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40051 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:vhost: vringh: Modify the return value checkThe return value of copy_from_iter and copy_to_iter can't be negative,check whether the copied lengths are equal.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40052 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smb: client: fix crypto buffers in non-linear memoryThe crypto API, through the scatterlist API, expects input buffers to bein linear memory. We handle this with the cifs_sg_set_buf() helperthat converts vmalloc'd memory to their corresponding pages.However, when we allocate our aead_request buffer (@creq insmb2ops.c::crypt_message()), we do so with kvzalloc(), which possiblyputs aead_request->__ctx in vmalloc area.AEAD algorithm then uses ->__ctx for its private/internal data andoperations, and uses sg_set_buf() for such data on a few places.This works fine as long as @creq falls into kmalloc zone (smallrequests) or vmalloc'd memory is still within linear range.Tasks' stacks are vmalloc'd by default (CONFIG_VMAP_STACK=y), so toomany tasks will increment the base stacks' addresses to a point wherevirt_addr_valid(buf) will fail (BUG() in sg_set_buf()) when thathappens.In practice: too many parallel reads and writes on an encrypted mountwill trigger this bug.To fix this, always alloc @creq with kmalloc() instead.Also drop the @sensitive_size variable/arguments sincekfree_sensitive() doesn't need it.Backtrace:[ 945.272081] ------------[ cut here ]------------[ 945.272774] kernel BUG at include/linux/scatterlist.h:209![ 945.273520] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI[ 945.274412] CPU: 7 UID: 0 PID: 56 Comm: kworker/u33:0 Kdump: loaded Not tainted 6.15.0-lku-11779-g8e9d6efccdd7-dirty #1 PREEMPT(voluntary)[ 945.275736] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014[ 945.276877] Workqueue: writeback wb_workfn (flush-cifs-2)[ 945.277457] RIP: 0010:crypto_gcm_init_common+0x1f9/0x220[ 945.278018] Code: b0 00 00 00 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 48 c7 c0 00 00 00 80 48 2b 05 5c 58 e5 00 e9 58 ff ff ff <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b 0f 0b 48 c7 04 24 01 00 00 00 48 8b[ 945.279992] RSP: 0018:ffffc90000a27360 EFLAGS: 00010246[ 945.280578] RAX: 0000000000000000 RBX: ffffc90001d85060 RCX: 0000000000000030[ 945.281376] RDX: 0000000000080000 RSI: 0000000000000000 RDI: ffffc90081d85070[ 945.282145] RBP: ffffc90001d85010 R08: ffffc90001d85000 R09: 0000000000000000[ 945.282898] R10: ffffc90001d85090 R11: 0000000000001000 R12: ffffc90001d85070[ 945.283656] R13: ffff888113522948 R14: ffffc90001d85060 R15: ffffc90001d85010[ 945.284407] FS: 0000000000000000(0000) GS:ffff8882e66cf000(0000) knlGS:0000000000000000[ 945.285262] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 945.285884] CR2: 00007fa7ffdd31f4 CR3: 000000010540d000 CR4: 0000000000350ef0[ 945.286683] Call Trace:[ 945.286952] [ 945.287184] ? crypt_message+0x33f/0xad0 [cifs][ 945.287719] crypto_gcm_encrypt+0x36/0xe0[ 945.288152] crypt_message+0x54a/0xad0 [cifs][ 945.288724] smb3_init_transform_rq+0x277/0x300 [cifs][ 945.289300] smb_send_rqst+0xa3/0x160 [cifs][ 945.289944] cifs_call_async+0x178/0x340 [cifs][ 945.290514] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs][ 945.291177] smb2_async_writev+0x3e3/0x670 [cifs][ 945.291759] ? find_held_lock+0x32/0x90[ 945.292212] ? netfs_advance_write+0xf2/0x310[ 945.292723] netfs_advance_write+0xf2/0x310[ 945.293210] netfs_write_folio+0x346/0xcc0[ 945.293689] ? __pfx__raw_spin_unlock_irq+0x10/0x10[ 945.294250] netfs_writepages+0x117/0x460[ 945.294724] do_writepages+0xbe/0x170[ 945.295152] ? find_held_lock+0x32/0x90[ 945.295600] ? kvm_sched_clock_read+0x11/0x20[ 945.296103] __writeback_single_inode+0x56/0x4b0[ 945.296643] writeback_sb_inodes+0x229/0x550[ 945.297140] __writeback_inodes_wb+0x4c/0xe0[ 945.297642] wb_writeback+0x2f1/0x3f0[ 945.298069] wb_workfn+0x300/0x490[ 945.298472] process_one_work+0x1fe/0x590[ 945.298949] worker_thread+0x1ce/0x3c0[ 945.299397] ? __pfx_worker_thread+0x10/0x10[ 945.299900] kthr---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40055 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ocfs2: fix double free in user_cluster_connect()user_cluster_disconnect() frees "conn->cc_private" which is "lc" but thenthe error handling frees "lc" a second time. Set "lc" to NULL on thispath to avoid a double free.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40058 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: Disallow dirty tracking if incoherent page walkDirty page tracking relies on the IOMMU atomically updating the dirty bitin the paging-structure entry. For this operation to succeed, the paging-structure memory must be coherent between the IOMMU and the CPU. Inanother word, if the iommu page walk is incoherent, dirty page trackingdoesn't work.The Intel VT-d specification, Section 3.10 "Snoop Behavior" states:"Remapping hardware encountering the need to atomically update A/EA/D bits in a paging-structure entry that is not snooped will result in a non- recoverable fault."To prevent an IOMMU from being incorrectly configured for dirty pagetracking when it is operating in an incoherent mode, mark SSADS assupported only when both ecap_slads and ecap_smpwc are supported.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40059 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:coresight: Fix incorrect handling for return value of devm_kzallocThe return value of devm_kzalloc could be an null pointer,use "!desc.pdata" to fix incorrect handling return valueof devm_kzalloc.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40060 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:coresight: trbe: Return NULL pointer for allocation failuresWhen the TRBE driver fails to allocate a buffer, it currently returnsthe error code "-ENOMEM". However, the caller etm_setup_aux() onlychecks for a NULL pointer, so it misses the error. As a result, thedriver continues and eventually causes a kernel panic.Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() onallocation failures. This allows that the callers can properly handlethe failure.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40061 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:RDMA/rxe: Fix race in do_task() when drainingWhen do_task() exhausts its iteration budget (!ret), it sets the stateto TASK_STATE_IDLE to reschedule, without a secondary check on thecurrent task->state. This can overwrite the TASK_STATE_DRAINING stateset by a concurrent call to rxe_cleanup_task() or rxe_disable_task().While state changes are protected by a spinlock, both rxe_cleanup_task()and rxe_disable_task() release the lock while waiting for the task tofinish draining in the while(!is_done(task)) loop. The race occurs ifdo_task() hits its iteration limit and acquires the lock in this window.The cleanup logic may then proceed while the task incorrectlyreschedules itself, leading to a potential use-after-free.This bug was introduced during the migration from tasklets to workqueues,where the special handling for the draining case was lost.Fix this by restoring the original pre-migration behavior. If the state isTASK_STATE_DRAINING when iterations are exhausted, set cont to 1 toforce a new loop iteration. This allows the task to finish its work, sothat a subsequent iteration can reach the switch statement and correctlytransition the state to TASK_STATE_DRAINED, stopping the task as intended.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40062 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regsWhen the initialization of qm->debug.acc_diff_reg fails,the probe process does not exit. However, after qm->debug.qm_diff_regs isfreed, it is not set to NULL. This can lead to a double free when theremove process attempts to free it again. Therefore, qm->debug.qm_diff_regsshould be set to NULL after it is freed.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40064 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:smc: Fix use-after-free in __pnet_find_base_ndev().syzbot reported use-after-free of net_device in __pnet_find_base_ndev(),which was called during connect(). [0]smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passesdown to pnet_find_base_ndev(), where RTNL is held. Then, UAF happenedat __pnet_find_base_ndev() when the dev is first used.This means dev had already been freed before acquiring RTNL inpnet_find_base_ndev().While dev is going away, dst->dev could be swapped with blackhole_netdev,and the dev's refcnt by dst will be released.We must hold dev's refcnt before calling smc_pnet_find_ism_resource().Also, smc_pnet_find_roce_resource() has the same problem.Let's use __sk_dst_get() and dst_dev_rcu() in the two functions.[0]:BUG: KASAN: use-after-free in __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926Read of size 1 at addr ffff888036bac33a by task syz.0.3632/18609CPU: 1 UID: 0 PID: 18609 Comm: syz.0.3632 Not tainted syzkaller #0 PREEMPT(full)Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __pnet_find_base_ndev+0x1b1/0x1c0 net/smc/smc_pnet.c:926 pnet_find_base_ndev net/smc/smc_pnet.c:946 [inline] smc_pnet_find_ism_by_pnetid net/smc/smc_pnet.c:1103 [inline] smc_pnet_find_ism_resource+0xef/0x390 net/smc/smc_pnet.c:1154 smc_find_ism_device net/smc/af_smc.c:1030 [inline] smc_find_proposal_devices net/smc/af_smc.c:1115 [inline] __smc_connect+0x372/0x1890 net/smc/af_smc.c:1545 smc_connect+0x877/0xd90 net/smc/af_smc.c:1715 __sys_connect_file net/socket.c:2086 [inline] __sys_connect+0x313/0x440 net/socket.c:2105 __do_sys_connect net/socket.c:2111 [inline] __se_sys_connect net/socket.c:2108 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2108 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7f47cbf8eba9Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007f47ccdb1038 EFLAGS: 00000246 ORIG_RAX: 000000000000002aRAX: ffffffffffffffda RBX: 00007f47cc1d5fa0 RCX: 00007f47cbf8eba9RDX: 0000000000000010 RSI: 0000200000000280 RDI: 000000000000000bRBP: 00007f47cc011e19 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007f47cc1d6038 R14: 00007f47cc1d5fa0 R15: 00007ffc512f8aa8 The buggy address belongs to the physical page:page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036bacd00 pfn:0x36bacflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)raw: 00fff00000000000 ffffea0001243d08 ffff8880b863fdc0 0000000000000000raw: ffff888036bacd00 0000000000000000 00000000ffffffff 0000000000000000page dumped because: kasan: bad access detectedpage_owner tracks the page as freedpage last allocated via order 2, migratetype Unmovable, gfp_mask 0x446dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_COMP), pid 16741, tgid 16741 (syz-executor), ts 343313197788, free_ts 380670750466 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 ___kmalloc_large_node+0x5f/0x1b0 mm/slub.c:4317 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:4348 __do_kmalloc_node mm/slub.c:4364 [inline] __kvmalloc_node---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40070 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pps: fix warning in pps_register_cdev when register device failSimilar to previous commit 2a934fdb01db ("media: v4l2-dev: fix errorhandling in __video_register_device()"), the release hook should be setbefore device_register(). Otherwise, when device_register() return errorand put_device() try to callback the release function, the below warningmay happen. ------------[ cut here ]------------ WARNING: CPU: 1 PID: 4760 at drivers/base/core.c:2567 device_release+0x1bd/0x240 drivers/base/core.c:2567 Modules linked in: CPU: 1 UID: 0 PID: 4760 Comm: syz.4.914 Not tainted 6.17.0-rc3+ #1 NONE RIP: 0010:device_release+0x1bd/0x240 drivers/base/core.c:2567 Call Trace: kobject_cleanup+0x136/0x410 lib/kobject.c:689 kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0xe9/0x130 lib/kobject.c:737 put_device+0x24/0x30 drivers/base/core.c:3797 pps_register_cdev+0x2da/0x370 drivers/pps/pps.c:402 pps_register_source+0x2f6/0x480 drivers/pps/kapi.c:108 pps_tty_open+0x190/0x310 drivers/pps/clients/pps-ldisc.c:57 tty_ldisc_open+0xa7/0x120 drivers/tty/tty_ldisc.c:432 tty_set_ldisc+0x333/0x780 drivers/tty/tty_ldisc.c:563 tiocsetd drivers/tty/tty_io.c:2429 [inline] tty_ioctl+0x5d1/0x1700 drivers/tty/tty_io.c:2728 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:598 [inline] __se_sys_ioctl fs/ioctl.c:584 [inline] __x64_sys_ioctl+0x194/0x210 fs/ioctl.c:584 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x5f/0x2a0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e Before commit c79a39dc8d06 ("pps: Fix a use-after-free"),pps_register_cdev() call device_create() to create pps->dev, which willinit dev->release to device_create_release(). Now the comment is outdated,just remove it.Thanks for the reminder from Calvin Owens, 'kfree_pps' should be removedin pps_register_source() to avoid a double free in the failure case.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40071 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tty: n_gsm: Don't block input queue by waiting MSCCurrently gsm_queue() processes incoming frames and when openinga DLC channel it calls gsm_dlci_open() which calls gsm_modem_update().If basic mode is used it calls gsm_modem_upd_via_msc() and itcannot block the input queue by waiting the response to comeinto the same input queue.Instead allow sending Modem Status Command without waiting for remoteend to respond. Define a new function gsm_modem_send_initial_msc()for this purpose. As MSC is only valid for basic encoding, it doesnot do anything for advanced or when convergence layer type 2 is used.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40074 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ipv4: start using dst_dev_rcu()Change icmpv4_xrlim_allow(), ip_defrag() to prevent possible UAF.Change ipmr_prepare_xmit(), ipmr_queue_fwd_xmit(), ip_mr_output(),ipv4_neigh_lookup() to use lockdep enabled dst_dev_rcu().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40075 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:tcp_metrics: use dst_dev_net_rcu()Replace three dst_dev() with a lockdep enabled helper.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40078 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Explicitly check accesses to bpf_sock_addrSyzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exitwhich triggers: verifier bug: error during ctx access conversion (0)This is happening because offset 60 in bpf_sock_addr corresponds to animplicit padding of 4 bytes, right after msg_src_ip4. Access to thispadding isn't rejected in sock_addr_is_valid_access and it thus laterfails to convert the access.This patch fixes it by explicitly checking the various fields ofbpf_sock_addr in sock_addr_is_valid_access.I checked the other ctx structures and is_valid_access functions anddidn't find any other similar cases. Other cases of (properly handled)padding are covered in new tests in a subsequent patch.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40080 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:nbd: restrict sockets to TCP and UDPRecently, syzbot started to abuse NBD with all kinds of sockets.Commit cf1b2326b734 ("nbd: verify socket is supported during setup")made sure the socket supported a shutdown() method.Explicitely accept TCP and UNIX stream sockets.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40082 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186Read of size 2 at addr ffff8880289ef218 by task syz.6.248/14290CPU: 0 UID: 0 PID: 14290 Comm: syz.6.248 Not tainted 6.16.4 #1 PREEMPT(full)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x5f0 mm/kasan/report.c:482 kasan_report+0xca/0x100 mm/kasan/report.c:595 hfsplus_uni2asc+0xa71/0xb90 fs/hfsplus/unicode.c:186 hfsplus_listxattr+0x5b6/0xbd0 fs/hfsplus/xattr.c:738 vfs_listxattr+0xbe/0x140 fs/xattr.c:493 listxattr+0xee/0x190 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x143/0x360 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fRIP: 0033:0x7fe0e9fae16dCode: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48RSP: 002b:00007fe0eae67f98 EFLAGS: 00000246 ORIG_RAX: 00000000000000c3RAX: ffffffffffffffda RBX: 00007fe0ea205fa0 RCX: 00007fe0e9fae16dRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000000RBP: 00007fe0ea0480f0 R08: 0000000000000000 R09: 0000000000000000R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000R13: 00007fe0ea206038 R14: 00007fe0ea205fa0 R15: 00007fe0eae48000 Allocated by task 14290: kasan_save_stack+0x24/0x50 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4333 [inline] __kmalloc_noprof+0x219/0x540 mm/slub.c:4345 kmalloc_noprof include/linux/slab.h:909 [inline] hfsplus_find_init+0x95/0x1f0 fs/hfsplus/bfind.c:21 hfsplus_listxattr+0x331/0xbd0 fs/hfsplus/xattr.c:697 vfs_listxattr+0xbe/0x140 fs/xattr.c:493 listxattr+0xee/0x190 fs/xattr.c:924 filename_listxattr fs/xattr.c:958 [inline] path_listxattrat+0x143/0x360 fs/xattr.c:988 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fWhen hfsplus_uni2asc is called from hfsplus_listxattr,it actually passes in a struct hfsplus_attr_unistr*.The size of the corresponding structure is different from that of hfsplus_unistr,so the previous fix (94458781aee6) is insufficient.The pointer on the unicode buffer is still going beyond the allocated memory.This patch introduces two warpper functions hfsplus_uni2asc_xattr_str andhfsplus_uni2asc_str to process two unicode buffers,struct hfsplus_attr_unistr* and struct hfsplus_unistr* respectively.When ustrlen value is bigger than the allocated memory size,the ustrlen value is limited to an safe size.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40083 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net/sched: sch_qfq: Fix null-deref in agg_dequeueTo prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the returnvalue before using it, similar to the existing approach in sch_hfsc.c.To avoid code duplication, the following changes are made:1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a staticinline function.2. Moved qdisc_peek_len from net/sched/sch_hfsc.c toinclude/net/pkt_sched.h so that sch_qfq can reuse it.3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40087 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:NFSD: Define a proc_layoutcommit for the FlexFiles layout typeAvoid a crash if a pNFS client should happen to send a LAYOUTCOMMIToperation on a FlexFiles layout.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40098 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()Return value of a function acpi_evaluate_dsm() is dereferenced withoutchecking for NULL, but it is usually checked for this function.acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returnsacpi_status other than ACPI_SUCCESS, so add a check to prevent the crach.Found by Linux Verification Center (linuxtesting.org) with SVACE.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40100 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: do not assert we found block group item when creating free space treeCurrently, when building a free space tree at populate_free_space_tree(),if we are not using the block group tree feature, we always expect to findblock group items (either extent items or a block group item with key typeBTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree withbtrfs_search_slot_for_read(), so we assert that we found an item. Howeverthis expectation is wrong since we can have a new block group created inthe current transaction which is still empty and for which we still havenot added the block group's item to the extent tree, in which case we donot have any items in the extent tree associated to the block group.The insertion of a new block group's block group item in the extent treehappens at btrfs_create_pending_block_groups() when it calls the helperinsert_block_group_item(). This typically is done when a transactionhandle is released, committed or when running delayed refs (either aspart of a transaction commit or when serving tickets for space reservationif we are low on free space).So remove the assertion at populate_free_space_tree() even when the blockgroup tree feature is not enabled and update the comment to mention thiscase.Syzbot reported this with the following stack trace: BTRFS info (device loop3 state M): rebuilding free space tree assertion failed: ret == 0 :: 0, in fs/btrfs/free-space-tree.c:1115 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1115! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 6352 Comm: syz.3.25 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:populate_free_space_tree+0x700/0x710 fs/btrfs/free-space-tree.c:1115 Code: ff ff e8 d3 (...) RSP: 0018:ffffc9000430f780 EFLAGS: 00010246 RAX: 0000000000000043 RBX: ffff88805b709630 RCX: fea61d0e2e79d000 RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000 RBP: ffffc9000430f8b0 R08: ffffc9000430f4a7 R09: 1ffff92000861e94 R10: dffffc0000000000 R11: fffff52000861e95 R12: 0000000000000001 R13: 1ffff92000861f00 R14: dffffc0000000000 R15: 0000000000000000 FS: 00007f424d9fe6c0(0000) GS:ffff888125afc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd78ad212c0 CR3: 0000000076d68000 CR4: 00000000003526f0 Call Trace: btrfs_rebuild_free_space_tree+0x1ba/0x6d0 fs/btrfs/free-space-tree.c:1364 btrfs_start_pre_rw_mount+0x128f/0x1bf0 fs/btrfs/disk-io.c:3062 btrfs_remount_rw fs/btrfs/super.c:1334 [inline] btrfs_reconfigure+0xaed/0x2160 fs/btrfs/super.c:1559 reconfigure_super+0x227/0x890 fs/super.c:1076 do_remount fs/namespace.c:3279 [inline] path_mount+0xd1a/0xfe0 fs/namespace.c:4027 do_mount fs/namespace.c:4048 [inline] __do_sys_mount fs/namespace.c:4236 [inline] __se_sys_mount+0x313/0x410 fs/namespace.c:4213 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f424e39066a Code: d8 64 89 02 (...) RSP: 002b:00007f424d9fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007f424d9fdef0 RCX: 00007f424e39066a RDX: 0000200000000180 RSI: 0000200000000380 RDI: 0000000000000000 RBP: 0000200000000180 R08: 00007f424d9fdef0 R09: 0000000000000020 R10: 0000000000000020 R11: 0000000000000246 R12: 0000200000000380 R13: 00007f424d9fdeb0 R14: 0000000000000000 R15: 00002000000002c0 Modules linked in: ---[ end trace 0000000000000000 ]---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40107 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabledThis issue is similar to the vulnerability in the `mcp251x` driver,which was fixed in commit 03c427147b2d ("can: mcp251x: fix resume fromsleep before interface was brought up").In the `hi311x` driver, when the device resumes from sleep, the driverschedules `priv->restart_work`. However, if the network interface wasnot previously enabled, the `priv->wq` (workqueue) is not allocated andinitialized, leading to a null pointer dereference.To fix this, we move the allocation and initialization of the workqueuefrom the `hi3110_open` function to the `hi3110_can_probe` function.This ensures that the workqueue is properly initialized before it isused during device resume. And added logic to destroy the workqueuein the error handling paths of `hi3110_can_probe` and in the`hi3110_can_remove` function to prevent resource leaks.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40109 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:crypto: rng - Ensure set_ent is always presentEnsure that set_ent is always set since only drbg provides it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40115 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()During mpt3sas_transport_port_remove(), messages were logged withdev_printk() against &mpt3sas_port->port->dev. At this point the SAStransport device may already be partially unregistered or freed, leadingto a crash when accessing its struct device.Using ioc_info(), which logs via the PCI device (ioc->pdev->dev),guaranteed to remain valid until driver removal.[83428.295776] Oops: general protection fault, probably for non-canonical address 0x6f702f323a33312d: 0000 [#1] SMP NOPTI[83428.295785] CPU: 145 UID: 0 PID: 113296 Comm: rmmod Kdump: loaded Tainted: G OE 6.16.0-rc1+ #1 PREEMPT(voluntary)[83428.295792] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE[83428.295795] Hardware name: Dell Inc. Precision 7875 Tower/, BIOS 89.1.67 02/23/2024[83428.295799] RIP: 0010:__dev_printk+0x1f/0x70[83428.295805] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 49 89 d1 48 85 f6 74 52 4c 8b 46 50 4d 85 c0 74 1f 48 8b 46 68 48 85 c0 74 22 <48> 8b 08 0f b6 7f 01 48 c7 c2 db e8 42 ad 83 ef 30 e9 7b f8 ff ff[83428.295813] RSP: 0018:ff85aeafc3137bb0 EFLAGS: 00010206[83428.295817] RAX: 6f702f323a33312d RBX: ff4290ee81292860 RCX: 5000cca25103be32[83428.295820] RDX: ff85aeafc3137bb8 RSI: ff4290eeb1966c00 RDI: ffffffffc1560845[83428.295823] RBP: ff85aeafc3137c18 R08: 74726f702f303a33 R09: ff85aeafc3137bb8[83428.295826] R10: ff85aeafc3137b18 R11: ff4290f5bd60fe68 R12: ff4290ee81290000[83428.295830] R13: ff4290ee6e345de0 R14: ff4290ee81290000 R15: ff4290ee6e345e30[83428.295833] FS: 00007fd9472a6740(0000) GS:ff4290f5ce96b000(0000) knlGS:0000000000000000[83428.295837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[83428.295840] CR2: 00007f242b4db238 CR3: 00000002372b8006 CR4: 0000000000771ef0[83428.295844] PKRU: 55555554[83428.295846] Call Trace:[83428.295848] [83428.295850] _dev_printk+0x5c/0x80[83428.295857] ? srso_alias_return_thunk+0x5/0xfbef5[83428.295863] mpt3sas_transport_port_remove+0x1c7/0x420 [mpt3sas][83428.295882] _scsih_remove_device+0x21b/0x280 [mpt3sas][83428.295894] ? _scsih_expander_node_remove+0x108/0x140 [mpt3sas][83428.295906] ? srso_alias_return_thunk+0x5/0xfbef5[83428.295910] mpt3sas_device_remove_by_sas_address.part.0+0x8f/0x110 [mpt3sas][83428.295921] _scsih_expander_node_remove+0x129/0x140 [mpt3sas][83428.295933] _scsih_expander_node_remove+0x6a/0x140 [mpt3sas][83428.295944] scsih_remove+0x3f0/0x4a0 [mpt3sas][83428.295957] pci_device_remove+0x3b/0xb0[83428.295962] device_release_driver_internal+0x193/0x200[83428.295968] driver_detach+0x44/0x90[83428.295971] bus_remove_driver+0x69/0xf0[83428.295975] pci_unregister_driver+0x2a/0xb0[83428.295979] _mpt3sas_exit+0x1f/0x300 [mpt3sas][83428.295991] __do_sys_delete_module.constprop.0+0x174/0x310[83428.295997] ? srso_alias_return_thunk+0x5/0xfbef5[83428.296000] ? __x64_sys_getdents64+0x9a/0x110[83428.296005] ? srso_alias_return_thunk+0x5/0xfbef5[83428.296009] ? syscall_trace_enter+0xf6/0x1b0[83428.296014] do_syscall_64+0x7b/0x2c0[83428.296019] ? srso_alias_return_thunk+0x5/0xfbef5[83428.296023] entry_SYSCALL_64_after_hwframe+0x76/0x7e

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40116 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:usb: host: max3421-hcd: Fix error pointer dereference in probe cleanupThe kthread_run() function returns error pointers so themax3421_hcd->spi_thread pointer can be either error pointers or NULL.Check for both before dereferencing it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40120 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlockPrevent USB runtime PM (autosuspend) for AX88772* in bind.usbnet enables runtime PM (autosuspend) by default, so disabling it viathe usb_driver flag is ineffective. On AX88772B, autosuspend shows nomeasurable power saving with current driver (no link partner, adminup/down). The ~0.453 W -> ~0.248 W drop on v6.1 comes from phylib poweringthe PHY off on admin-down, not from USB autosuspend.The real hazard is that with runtime PM enabled, ndo_open() (under RTNL)may synchronously trigger autoresume (usb_autopm_get_interface()) intoasix_resume() while the USB PM lock is held. Resume paths then invokephylink/phylib and MDIO, which also expect RTNL, leading to possibledeadlocks or PM lock vs MDIO wake issues.To avoid this, keep the device runtime-PM active by taking a usagereference in ax88772_bind() and dropping it in unbind(). A non-zero PMusage count blocks runtime suspend regardless of userspace policy(.../power/control - pm_runtime_allow/forbid), making this approachrobust against sysfs overrides.Holding a runtime-PM usage ref does not affect system-wide suspend;system sleep/resume callbacks continue to run as before.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40127 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:hwrng: ks-sa - fix division by zero in ks_sa_rng_initFix division by zero in ks_sa_rng_init caused by missing clockpointer initialization. The clk_get_rate() call is performed onan uninitialized clk pointer, resulting in division by zero whencalculating delay values.Add clock initialization code before using the clock. drivers/char/hw_random/ks-sa-rng.c | 7 +++++++ 1 file changed, 7 insertions(+)

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40156 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:PM / devfreq: mtk-cci: Fix potential error pointer dereference in probe()The drv->sram_reg pointer could be set to ERR_PTR(-EPROBE_DEFER) whichwould lead to a error pointer dereference. Use IS_ERR_OR_NULL() to checkthat the pointer is valid.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40172 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:accel/qaic: Treat remaining == 0 as error in find_and_map_user_pages()Currently, if find_and_map_user_pages() takes a DMA xfer request from theuser with a length field set to 0, or in a rare case, the host receivesQAIC_TRANS_DMA_XFER_CONT from the device where resources->xferred_dma_sizeis equal to the requested transaction size, the function will return 0before allocating an sgt or setting the fields of the dma_xfer struct.In that case, encode_addr_size_pairs() will try to access the sgt whichwill lead to a general protection fault.Return an EINVAL in case the user provides a zero-sized ALP, or the devicerequests continuation after all of the bytes have been transferred.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40188 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:pwm: berlin: Fix wrong register in suspend/resumeThe 'enable' register should be BERLIN_PWM_EN rather thanBERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, therewill be cpu exception then kernel panic during suspend/resume.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40198 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()Unlike other strings in the ext4 superblock, we rely on tune2fs tomake sure s_mount_opts is NUL terminated. Hardenparse_apply_sb_mount_options() by treating s_mount_opts as a potential__nonstring.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40200 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:Squashfs: reject negative file sizes in squashfs_read_inode()Syskaller reports a "WARNING in ovl_copy_up_file" in overlayfs.This warning is ultimately caused because the underlying Squashfs filesystem returns a file with a negative file size.This commit checks for a negative file size and returns EINVAL.[phillip@squashfs.org.uk: only need to check 64 bit quantity]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40205 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: avoid potential out-of-bounds in btrfs_encode_fh()The function btrfs_encode_fh() does not properly account for the threecases it handles.Before writing to the file handle (fh), the function only returns to theuser BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) orBTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).However, when a parent exists and the root ID of the parent and theinode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT(10 dwords, 40 bytes).If *max_len is not large enough, this write goes out of bounds becauseBTRFS_FID_SIZE_CONNECTABLE_ROOT is greater thanBTRFS_FID_SIZE_CONNECTABLE originally returned.This results in an 8-byte out-of-bounds write atfid->parent_root_objectid = parent_root_id.A previous attempt to fix this issue was made but was lost.https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/Although this issue does not seem to be easily triggerable, it is apotential memory corruption bug that should be fixed. This patchresolves the issue by ensuring the function returns the appropriate sizefor all three cases and validates that *max_len is large enough beforewriting any data.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40207 Severity: Moderate CVSS3 score: 5.5

Description: In the Linux kernel, the following vulnerability has been resolved:media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()v4l2_subdev_call_state_try() macro allocates a subdev state with__v4l2_subdev_state_alloc(), but does not check the returned value. If__v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that wouldcause v4l2_subdev_call_state_try() to crash.Add proper error handling to v4l2_subdev_call_state_try().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-68276 Severity: Moderate CVSS3 score: 5.5

Description: Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local users can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by either callingthe RecordBrowserNew method directly or creating hostname/address/service resolvers/browsers that create those browsers internally themselves.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libavahi-client3 > 0-0 (version in image is 0.8-150600.15.9.1).

CVE-2026-0990 Severity: Moderate CVSS3 score: 5.5

Description: A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2025-7709 Severity: Moderate CVSS3 score: 5.4

Description: An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsqlite3-0 > 0-0 (version in image is 3.50.2-150000.3.33.1).

CVE-2023-53622 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:gfs2: Fix possible data races in gfs2_show_options()Some fields such as gt_logd_secs of the struct gfs2_tune are accessedwithout holding the lock gt_spin in gfs2_show_options(): val = sdp->sd_tune.gt_logd_secs; if (val != 30) seq_printf(s, ",commit=%d", val);And thus can cause data races when gfs2_show_options() and other functionssuch as gfs2_reconfigure() are concurrently executed: spin_lock(>->gt_spin); gt->gt_logd_secs = newargs->ar_commit;To fix these possible data races, the lock sdp->sd_tune.gt_spin isacquired before accessing the fields of gfs2_tune and released after theseaccesses.Further changes by Andreas:- Don't hold the spin lock over the seq_printf operations.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53703 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:HID: amd_sfh: Fix for shift-out-of-boundsShift operation of 'exp' and 'shift' variables exceeds the maximum numberof shift values in the u32 range leading to UBSAN shift-out-of-bounds....[ 6.120512] UBSAN: shift-out-of-bounds in drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_desc.c:149:50[ 6.120598] shift exponent 104 is too large for 64-bit type 'long unsigned int'[ 6.120659] CPU: 4 PID: 96 Comm: kworker/4:1 Not tainted 6.4.0amd_1-next-20230519-dirty #10[ 6.120665] Hardware name: AMD Birman-PHX/Birman-PHX, BIOS SFH_with_HPD_SEN.FD 04/05/2023[ 6.120667] Workqueue: events amd_sfh_work_buffer [amd_sfh][ 6.120687] Call Trace:[ 6.120690] [ 6.120694] dump_stack_lvl+0x48/0x70[ 6.120704] dump_stack+0x10/0x20[ 6.120707] ubsan_epilogue+0x9/0x40[ 6.120716] __ubsan_handle_shift_out_of_bounds+0x10f/0x170[ 6.120720] ? psi_group_change+0x25f/0x4b0[ 6.120729] float_to_int.cold+0x18/0xba [amd_sfh][ 6.120739] get_input_rep+0x57/0x340 [amd_sfh][ 6.120748] ? __schedule+0xba7/0x1b60[ 6.120756] ? __pfx_get_input_rep+0x10/0x10 [amd_sfh][ 6.120764] amd_sfh_work_buffer+0x91/0x180 [amd_sfh][ 6.120772] process_one_work+0x229/0x430[ 6.120780] worker_thread+0x4a/0x3c0[ 6.120784] ? __pfx_worker_thread+0x10/0x10[ 6.120788] kthread+0xf7/0x130[ 6.120792] ? __pfx_kthread+0x10/0x10[ 6.120795] ret_from_fork+0x29/0x50[ 6.120804] ...Fix this by adding the condition to validate shift ranges.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53711 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:NFS: Fix a potential data corruptionWe must ensure that the subrequests are joined back into the head beforewe can retransmit a request. If the head was not on the commit lists,because the server wrote it synchronously, we still need to add it backto the retransmission list.Add a call that mirrors the effect of nfs_cancel_remove_inode() forO_DIRECT.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53718 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:ring-buffer: Do not swap cpu_buffer during resize processWhen ring_buffer_swap_cpu was called during resize process,the cpu buffer was swapped in the middle, resulting in incorrect state.Continuing to run in the wrong state will result in oops.This issue can be easily reproduced using the following two scripts:/tmp # cat test1.sh//#! /bin/shfor i in `seq 0 100000`do echo 2000 > /sys/kernel/debug/tracing/buffer_size_kb sleep 0.5 echo 5000 > /sys/kernel/debug/tracing/buffer_size_kb sleep 0.5done/tmp # cat test2.sh//#! /bin/shfor i in `seq 0 100000`do echo irqsoff > /sys/kernel/debug/tracing/current_tracer sleep 1 echo nop > /sys/kernel/debug/tracing/current_tracer sleep 1done/tmp # ./test1.sh &/tmp # ./test2.sh &A typical oops log is as follows, sometimes with other different oops logs.[ 231.711293] WARNING: CPU: 0 PID: 9 at kernel/trace/ring_buffer.c:2026 rb_update_pages+0x378/0x3f8[ 231.713375] Modules linked in:[ 231.714735] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15[ 231.716750] Hardware name: linux,dummy-virt (DT)[ 231.718152] Workqueue: events update_pages_handler[ 231.719714] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 231.721171] pc : rb_update_pages+0x378/0x3f8[ 231.722212] lr : rb_update_pages+0x25c/0x3f8[ 231.723248] sp : ffff800082b9bd50[ 231.724169] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 0000000000000000[ 231.726102] x26: 0000000000000001 x25: fffffffffffff010 x24: 0000000000000ff0[ 231.728122] x23: ffff0000c3a0b600 x22: ffff0000c3a0b5c0 x21: fffffffffffffe0a[ 231.730203] x20: ffff0000c3a0b600 x19: ffff0000c0102400 x18: 0000000000000000[ 231.732329] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe7aa8510[ 231.734212] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000002[ 231.736291] x11: ffff8000826998a8 x10: ffff800082b9baf0 x9 : ffff800081137558[ 231.738195] x8 : fffffc00030e82c8 x7 : 0000000000000000 x6 : 0000000000000001[ 231.740192] x5 : ffff0000ffbafe00 x4 : 0000000000000000 x3 : 0000000000000000[ 231.742118] x2 : 00000000000006aa x1 : 0000000000000001 x0 : ffff0000c0007208[ 231.744196] Call trace:[ 231.744892] rb_update_pages+0x378/0x3f8[ 231.745893] update_pages_handler+0x1c/0x38[ 231.746893] process_one_work+0x1f0/0x468[ 231.747852] worker_thread+0x54/0x410[ 231.748737] kthread+0x124/0x138[ 231.749549] ret_from_fork+0x10/0x20[ 231.750434] ---[ end trace 0000000000000000 ]---[ 233.720486] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000[ 233.721696] Mem abort info:[ 233.721935] ESR = 0x0000000096000004[ 233.722283] EC = 0x25: DABT (current EL), IL = 32 bits[ 233.722596] SET = 0, FnV = 0[ 233.722805] EA = 0, S1PTW = 0[ 233.723026] FSC = 0x04: level 0 translation fault[ 233.723458] Data abort info:[ 233.723734] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000[ 233.724176] CM = 0, WnR = 0, TnD = 0, TagAccess = 0[ 233.724589] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0[ 233.725075] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000104943000[ 233.725592] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000[ 233.726231] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP[ 233.726720] Modules linked in:[ 233.727007] CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W 6.5.0-rc1-00276-g20edcec23f92 #15[ 233.727777] Hardware name: linux,dummy-virt (DT)[ 233.728225] Workqueue: events update_pages_handler[ 233.728655] pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)[ 233.729054] pc : rb_update_pages+0x1a8/0x3f8[ 233.729334] lr : rb_update_pages+0x154/0x3f8[ 233.729592] sp : ffff800082b9bd50[ 233.729792] x29: ffff800082b9bd50 x28: ffff8000825f7000 x27: 00000000---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53728 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:posix-timers: Ensure timer ID search-loop limit is validposix_timer_add() tries to allocate a posix timer ID by starting from thecached ID which was stored by the last successful allocation.This is done in a loop searching the ID space for a free slot one byone. The loop has to terminate when the search wrapped around to thestarting point.But that's racy vs. establishing the starting point. That is read outlockless, which leads to the following problem:CPU0 CPU1posix_timer_add() start = sig->posix_timer_id; lock(hash_lock); ... posix_timer_add() if (++sig->posix_timer_id < 0) start = sig->posix_timer_id; sig->posix_timer_id = 0;So CPU1 can observe a negative start value, i.e. -1, and the loop breaknever happens because the condition can never be true: if (sig->posix_timer_id == start) break;While this is unlikely to ever turn into an endless loop as the ID space ishuge (INT_MAX), the racy read of the start value caught the attention ofKCSAN and Dmitry unearthed that incorrectness.Rewrite it so that all id operations are under the hash lock.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-11083 Severity: Moderate CVSS3 score: 5.3

Description: A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-14524 Severity: Moderate CVSS3 score: 5.3

Description: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transferperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the newtarget host.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-14819 Severity: Moderate CVSS3 score: 5.3

Description: When doing TLS related transfers with reused easy or multi handles andaltering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentallyreuse a CA store cached in memory for which the partial chain option wasreversed. Contrary to the user's wishes and expectations. This could makelibcurl find and accept a trust chain that it otherwise would not.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-15079 Severity: Moderate CVSS3 score: 5.3

Description: When doing SSH-based transfers using either SCP or SFTP, and setting theknown_hosts file, libcurl could still mistakenly accept connecting to hosts*not present* in the specified file if they were added as recognized in thelibssh *global* known_hosts file.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-24294 Severity: Moderate CVSS3 score: 5.3

Description: The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libruby2_5-2_5 < 2.5.9-150000.4.54.1 (version in image is 2.5.9-150000.4.49.1).

CVE-2025-38539 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: Add down_write(trace_event_sem) when adding trace eventWhen a module is loaded, it adds trace events defined by the module. Itmay also need to modify the modules trace printk formats to replace enumnames with their values.If two modules are loaded at the same time, the adding of the event to theftrace_events list can corrupt the walking of the list in the code that ismodifying the printk format strings and crash the kernel.The addition of the event should take the trace_event_sem for write whileit adds the new event.Also add a lockdep_assert_held() on that semaphore in__trace_add_event_dirs() as it iterates the list.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39788 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPEOn Google gs101, the number of UTP transfer request slots (nutrs) is 32,and in this case the driver ends up programming the UTRL_NEXUS_TYPEincorrectly as 0.This is because the left hand side of the shift is 1, which is of typeint, i.e. 31 bits wide. Shifting by more than that width results inundefined behaviour.Fix this by switching to the BIT() macro, which applies correct typecasting as required. This ensures the correct value is written toUTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shiftwarning: UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21 shift exponent 32 is too large for 32-bit type 'int'For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPEwrite.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39812 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:sctp: initialize more fields in sctp_v6_from_sk()syzbot found that sin6_scope_id was not properly initialized,leading to undefined behavior.Clear sin6_scope_id and sin6_flowinfo.BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 sctp_inet6_cmp_addr+0x4f2/0x510 net/sctp/ipv6.c:983 sctp_bind_addr_conflict+0x22a/0x3b0 net/sctp/bind_addr.c:390 sctp_get_port_local+0x21eb/0x2440 net/sctp/socket.c:8452 sctp_get_port net/sctp/socket.c:8523 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x710/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930 x64_sys_call+0x271d/0x3e20 arch/x86/include/generated/asm/syscalls_64.h:51 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fLocal variable addr.i.i created at: sctp_get_port net/sctp/socket.c:8515 [inline] sctp_listen_start net/sctp/socket.c:8567 [inline] sctp_inet_listen+0x650/0xfd0 net/sctp/socket.c:8636 __sys_listen_socket net/socket.c:1912 [inline] __sys_listen net/socket.c:1927 [inline] __do_sys_listen net/socket.c:1932 [inline] __se_sys_listen net/socket.c:1930 [inline] __x64_sys_listen+0x343/0x4c0 net/socket.c:1930

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40027 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:net/9p: fix double req put in p9_fd_cancelledSyzkaller reports a KASAN issue as below:general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTIKASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014RIP: 0010:__list_del include/linux/list.h:114 [inline]RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]RIP: 0010:list_del include/linux/list.h:148 [inline]RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734Call Trace: p9_client_flush+0x351/0x440 net/9p/client.c:614 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 p9_client_version net/9p/client.c:920 [inline] p9_client_create+0xb51/0x1240 net/9p/client.c:1027 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 legacy_get_tree+0x108/0x220 fs/fs_context.c:632 vfs_get_tree+0x8e/0x300 fs/super.c:1573 do_new_mount fs/namespace.c:3056 [inline] path_mount+0x6a6/0x1e90 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount fs/namespace.c:3584 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8This happens because of a race condition between:- The 9p client sending an invalid flush request and later cleaning it up;- The 9p client in p9_read_work() canceled all pending requests. Thread 1 Thread 2 ... p9_client_create() ... p9_fd_create() ... p9_conn_create() ... // start Thread 2 INIT_WORK(&m->rq, p9_read_work); p9_read_work() ... p9_client_rpc() ... ... p9_conn_cancel() ... spin_lock(&m->req_lock); ... p9_fd_cancelled() ... ... spin_unlock(&m->req_lock); // status rewrite p9_client_cb(m->client, req, REQ_STATUS_ERROR) // first remove list_del(&req->req_list); ... spin_lock(&m->req_lock) ... // second remove list_del(&req->req_list); spin_unlock(&m->req_lock) ...Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list inp9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystemclient where the req_list could be deleted simultaneously by bothp9_read_work and p9_fd_cancelled functions, but for the case where req->statusequals REQ_STATUS_RCVD.Update the check for req->status in p9_fd_cancelled to skip processing notjust received requests, but anything that is not SENT, as whateverchanged the state from SENT also removed the request from its list.Found by Linux Verification Center (linuxtesting.org) with Syzkaller.[updated the check from status == RECV || status == ERROR to status != SENT]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40088 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()The hfsplus_strcasecmp() logic can trigger the issue:[ 117.317703][ T9855] ==================================================================[ 117.318353][ T9855] BUG: KASAN: slab-out-of-bounds in hfsplus_strcasecmp+0x1bc/0x490[ 117.318991][ T9855] Read of size 2 at addr ffff88802160f40c by task repro/9855[ 117.319577][ T9855][ 117.319773][ T9855] CPU: 0 UID: 0 PID: 9855 Comm: repro Not tainted 6.17.0-rc6 #33 PREEMPT(full)[ 117.319780][ T9855] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014[ 117.319783][ T9855] Call Trace:[ 117.319785][ T9855] [ 117.319788][ T9855] dump_stack_lvl+0x1c1/0x2a0[ 117.319795][ T9855] ? __virt_addr_valid+0x1c8/0x5c0[ 117.319803][ T9855] ? __pfx_dump_stack_lvl+0x10/0x10[ 117.319808][ T9855] ? rcu_is_watching+0x15/0xb0[ 117.319816][ T9855] ? lock_release+0x4b/0x3e0[ 117.319821][ T9855] ? __kasan_check_byte+0x12/0x40[ 117.319828][ T9855] ? __virt_addr_valid+0x1c8/0x5c0[ 117.319835][ T9855] ? __virt_addr_valid+0x4a5/0x5c0[ 117.319842][ T9855] print_report+0x17e/0x7e0[ 117.319848][ T9855] ? __virt_addr_valid+0x1c8/0x5c0[ 117.319855][ T9855] ? __virt_addr_valid+0x4a5/0x5c0[ 117.319862][ T9855] ? __phys_addr+0xd3/0x180[ 117.319869][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490[ 117.319876][ T9855] kasan_report+0x147/0x180[ 117.319882][ T9855] ? hfsplus_strcasecmp+0x1bc/0x490[ 117.319891][ T9855] hfsplus_strcasecmp+0x1bc/0x490[ 117.319900][ T9855] ? __pfx_hfsplus_cat_case_cmp_key+0x10/0x10[ 117.319906][ T9855] hfs_find_rec_by_key+0xa9/0x1e0[ 117.319913][ T9855] __hfsplus_brec_find+0x18e/0x470[ 117.319920][ T9855] ? __pfx_hfsplus_bnode_find+0x10/0x10[ 117.319926][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10[ 117.319933][ T9855] ? __pfx___hfsplus_brec_find+0x10/0x10[ 117.319942][ T9855] hfsplus_brec_find+0x28f/0x510[ 117.319949][ T9855] ? __pfx_hfs_find_rec_by_key+0x10/0x10[ 117.319956][ T9855] ? __pfx_hfsplus_brec_find+0x10/0x10[ 117.319963][ T9855] ? __kmalloc_noprof+0x2a9/0x510[ 117.319969][ T9855] ? hfsplus_find_init+0x8c/0x1d0[ 117.319976][ T9855] hfsplus_brec_read+0x2b/0x120[ 117.319983][ T9855] hfsplus_lookup+0x2aa/0x890[ 117.319990][ T9855] ? __pfx_hfsplus_lookup+0x10/0x10[ 117.320003][ T9855] ? d_alloc_parallel+0x2f0/0x15e0[ 117.320008][ T9855] ? __lock_acquire+0xaec/0xd80[ 117.320013][ T9855] ? __pfx_d_alloc_parallel+0x10/0x10[ 117.320019][ T9855] ? __raw_spin_lock_init+0x45/0x100[ 117.320026][ T9855] ? __init_waitqueue_head+0xa9/0x150[ 117.320034][ T9855] __lookup_slow+0x297/0x3d0[ 117.320039][ T9855] ? __pfx___lookup_slow+0x10/0x10[ 117.320045][ T9855] ? down_read+0x1ad/0x2e0[ 117.320055][ T9855] lookup_slow+0x53/0x70[ 117.320065][ T9855] walk_component+0x2f0/0x430[ 117.320073][ T9855] path_lookupat+0x169/0x440[ 117.320081][ T9855] filename_lookup+0x212/0x590[ 117.320089][ T9855] ? __pfx_filename_lookup+0x10/0x10[ 117.320098][ T9855] ? strncpy_from_user+0x150/0x290[ 117.320105][ T9855] ? getname_flags+0x1e5/0x540[ 117.320112][ T9855] user_path_at+0x3a/0x60[ 117.320117][ T9855] __x64_sys_umount+0xee/0x160[ 117.320123][ T9855] ? __pfx___x64_sys_umount+0x10/0x10[ 117.320129][ T9855] ? do_syscall_64+0xb7/0x3a0[ 117.320135][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f[ 117.320141][ T9855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f[ 117.320145][ T9855] do_syscall_64+0xf3/0x3a0[ 117.320150][ T9855] ? exc_page_fault+0x9f/0xf0[ 117.320154][ T9855] entry_SYSCALL_64_after_hwframe+0x77/0x7f[ 117.320158][ T9855] RIP: 0033:0x7f7dd7908b07[ 117.320163][ T9855] Code: 23 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 08[ 117.320167][ T9855] RSP: 002b:00007ffd5ebd9698 EFLAGS: 00000202 ---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40171 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:nvmet-fc: move lsop put work to nvmet_fc_ls_req_opIt's possible for more than one async command to be in flight from__nvmet_fc_send_ls_req. For each command, a tgtport reference is taken.In the current code, only one put work item is queued at a time, whichresults in a leaked reference.To fix this, move the work item to the nvmet_fc_ls_req_op struct, whichalready tracks all resources related to the command.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40183 Severity: Moderate CVSS3 score: 5.3

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}Cilium has a BPF egress gateway feature which forces outgoing K8s Podtraffic to pass through dedicated egress gateways which then SNAT thetraffic in order to interact with stable IPs outside the cluster.The traffic is directed to the gateway via vxlan tunnel in collect mdmode. A recent BPF change utilized the bpf_redirect_neigh() helper toforward packets after the arrival and decap on vxlan, which turned outover time that the kmalloc-256 slab usage in kernel was ever-increasing.The issue was that vxlan allocates the metadata_dst object and attachesit through a fake dst entry to the skb. The latter was never releasedthough given bpf_redirect_neigh() was merely setting the new dst entryvia skb_dst_set() without dropping an existing one first.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-47911 Severity: Moderate CVSS3 score: 5.3

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-47914 Severity: Moderate CVSS3 score: 5.3

Description: SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-58181 Severity: Moderate CVSS3 score: 5.3

Description: SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-58190 Severity: Moderate CVSS3 score: 5.3

Description: Unknown.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-61984 Severity: Moderate CVSS3 score: 5.3

Description: ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
openssh < 9.6p1-150600.6.34.1 (version in image is 9.6p1-150600.6.29.2).

CVE-2025-61985 Severity: Moderate CVSS3 score: 5.3

Description: ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
openssh < 9.6p1-150600.6.34.1 (version in image is 9.6p1-150600.6.29.2).

CVE-2025-66418 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-66471 Severity: Moderate CVSS3 score: 5.3

Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-68480 Severity: Moderate CVSS3 score: 5.3

Description: Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
python311-marshmallow > 0-0 (version in image is 3.20.2-150400.9.7.1).

CVE-2025-69225 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-69226 Severity: Moderate CVSS3 score: 5.3

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
python311-aiohttp > 0-0 (version in image is 3.9.3-150400.10.33.1).

CVE-2025-9390 Severity: Moderate CVSS3 score: 5.3

Description: A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
vim > 0-0 (version in image is 9.1.1629-150500.20.33.1).

CVE-2026-0915 Severity: Moderate CVSS3 score: 5.3

Description: Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
glibc > 0-0 (version in image is 2.38-150600.14.37.1).

CVE-2025-40157 Severity: Moderate CVSS3 score: 5.2

Description: In the Linux kernel, the following vulnerability has been resolved:EDAC/i10nm: Skip DIMM enumeration on a disabled memory controllerWhen loading the i10nm_edac driver on some Intel Granite Rapids servers,a call trace may appear as follows: UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:453:16 shift exponent -66 is negative ... __ubsan_handle_shift_out_of_bounds+0x1e3/0x390 skx_get_dimm_info.cold+0x47/0xd40 [skx_edac_common] i10nm_get_dimm_config+0x23e/0x390 [i10nm_edac] skx_register_mci+0x159/0x220 [skx_edac_common] i10nm_init+0xcb0/0x1ff0 [i10nm_edac] ...This occurs because some BIOS may disable a memory controller if therearen't any memory DIMMs populated on this memory controller. The DIMMMTRregister of this disabled memory controller contains the invalid value~0, resulting in the call trace above.Fix this call trace by skipping DIMM enumeration on a disabled memorycontroller.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-38699 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:scsi: bfa: Double-free fixWhen the bfad_im_probe() function fails during initialization, the memorypointed to by bfad->im is freed without setting bfad->im to NULL.Subsequently, during driver uninstallation, when the state machine entersthe bfad_sm_stopping state and calls the bfad_im_probe_undo() function,it attempts to free the memory pointed to by bfad->im again, therebytriggering a double-free vulnerability.Set bfad->im to NULL if probing fails.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40206 Severity: Moderate CVSS3 score: 5.1

Description: In the Linux kernel, the following vulnerability has been resolved:netfilter: nft_objref: validate objref and objrefmap expressionsReferencing a synproxy stateful object from OUTPUT hook causes kernelcrash due to infinite recursive calls:BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)[...]Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip6_route+0x23/0x50 synproxy_send_tcp_ipv6+0x106/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0 nft_synproxy_do_eval+0x263/0x310 nft_do_chain+0x5a8/0x5f0 [nf_tables nft_do_chain_inet+0x98/0x110 nf_hook_slow+0x43/0xc0 __ip6_local_out+0xf0/0x170 ip6_local_out+0x17/0x70 synproxy_send_tcp_ipv6+0x1a2/0x200 synproxy_send_client_synack_ipv6+0x1aa/0x1f0[...]Implement objref and objrefmap expression validate functions.Currently, only NFT_OBJECT_SYNPROXY object type requires validation.This will also handle a jump to a chain using a synproxy object from theOUTPUT hook.Now when trying to reference a synproxy object in the OUTPUT hook, nftwill produce the following error:synproxy_crash.nft: Error: Could not process rule: Operation not supported synproxy name mysynproxy ^^^^^^^^^^^^^^^^^^^^^^^^

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-64329 Severity: Moderate CVSS3 score: 5.1

Description: containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To workaround this vulnerability, users can set up an admission controller to control accesses to pods/attach resources.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
containerd < 1.7.29-150000.128.1 (version in image is 1.7.27-150000.123.1).

CVE-2025-54770 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2025-54771 Severity: Moderate CVSS3 score: 4.9

Description: A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2025-61662 Severity: Moderate CVSS3 score: 4.9

Description: A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2025-61663 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2025-61664 Severity: Moderate CVSS3 score: 4.9

Description: A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2025-7039 Severity: Moderate CVSS3 score: 4.9

Description: A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
glib2-tools < 2.78.6-150600.4.22.1 (version in image is 2.78.6-150600.4.16.1).

CVE-2025-61661 Severity: Moderate CVSS3 score: 4.8

Description: A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
grub2 < 2.12-150600.8.44.2 (version in image is 2.12-150600.8.37.1).

CVE-2023-53538 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:btrfs: insert tree mod log move in push_node_leftThere is a fairly unlikely race condition in tree mod log rewind thatcan result in a kernel panic which has the following trace: [530.569] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.585] BTRFS critical (device sda3): unable to find logical 0 length 4096 [530.602] BUG: kernel NULL pointer dereference, address: 0000000000000002 [530.618] #PF: supervisor read access in kernel mode [530.629] #PF: error_code(0x0000) - not-present page [530.641] PGD 0 P4D 0 [530.647] Oops: 0000 [#1] SMP [530.654] CPU: 30 PID: 398973 Comm: below Kdump: loaded Tainted: G S O K 5.12.0-0_fbk13_clang_7455_gb24de3bdb045 #1 [530.680] Hardware name: Quanta Mono Lake-M.2 SATA 1HY9U9Z001G/Mono Lake-M.2 SATA, BIOS F20_3A15 08/16/2017 [530.703] RIP: 0010:__btrfs_map_block+0xaa/0xd00 [530.755] RSP: 0018:ffffc9002c2f7600 EFLAGS: 00010246 [530.767] RAX: ffffffffffffffea RBX: ffff888292e41000 RCX: f2702d8b8be15100 [530.784] RDX: ffff88885fda6fb8 RSI: ffff88885fd973c8 RDI: ffff88885fd973c8 [530.800] RBP: ffff888292e410d0 R08: ffffffff82fd7fd0 R09: 00000000fffeffff [530.816] R10: ffffffff82e57fd0 R11: ffffffff82e57d70 R12: 0000000000000000 [530.832] R13: 0000000000001000 R14: 0000000000001000 R15: ffffc9002c2f76f0 [530.848] FS: 00007f38d64af000(0000) GS:ffff88885fd80000(0000) knlGS:0000000000000000 [530.866] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [530.880] CR2: 0000000000000002 CR3: 00000002b6770004 CR4: 00000000003706e0 [530.896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [530.912] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [530.928] Call Trace: [530.934] ? btrfs_printk+0x13b/0x18c [530.943] ? btrfs_bio_counter_inc_blocked+0x3d/0x130 [530.955] btrfs_map_bio+0x75/0x330 [530.963] ? kmem_cache_alloc+0x12a/0x2d0 [530.973] ? btrfs_submit_metadata_bio+0x63/0x100 [530.984] btrfs_submit_metadata_bio+0xa4/0x100 [530.995] submit_extent_page+0x30f/0x360 [531.004] read_extent_buffer_pages+0x49e/0x6d0 [531.015] ? submit_extent_page+0x360/0x360 [531.025] btree_read_extent_buffer_pages+0x5f/0x150 [531.037] read_tree_block+0x37/0x60 [531.046] read_block_for_search+0x18b/0x410 [531.056] btrfs_search_old_slot+0x198/0x2f0 [531.066] resolve_indirect_ref+0xfe/0x6f0 [531.076] ? ulist_alloc+0x31/0x60 [531.084] ? kmem_cache_alloc_trace+0x12e/0x2b0 [531.095] find_parent_nodes+0x720/0x1830 [531.105] ? ulist_alloc+0x10/0x60 [531.113] iterate_extent_inodes+0xea/0x370 [531.123] ? btrfs_previous_extent_item+0x8f/0x110 [531.134] ? btrfs_search_path_in_tree+0x240/0x240 [531.146] iterate_inodes_from_logical+0x98/0xd0 [531.157] ? btrfs_search_path_in_tree+0x240/0x240 [531.168] btrfs_ioctl_logical_to_ino+0xd9/0x180 [531.179] btrfs_ioctl+0xe2/0x2eb0This occurs when logical inode resolution takes a tree mod log sequencenumber, and then while backref walking hits a rewind on a busy nodewhich has the following sequence of tree mod log operations (numbersfilled in from a specific example, but they are somewhat arbitrary) REMOVE_WHILE_FREEING slot 532 REMOVE_WHILE_FREEING slot 531 REMOVE_WHILE_FREEING slot 530 ... REMOVE_WHILE_FREEING slot 0 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0 ADD slot 455 ADD slot 454 ADD slot 453 ... ADD slot 0 MOVE src slot 0 -> dst slot 456 nritems 533 REMOVE slot 455 REMOVE slot 454 REMOVE slot 453 ... REMOVE slot 0When this sequence gets applied via btrfs_tree_mod_log_rewind, itallocates a fresh rewind eb, and first inserts the correct key info forthe 533 elements, then overwrites the first 456 of them, then decrementsthe count by 456 via the add ops, then rewinds the move by doing amemmove from 456:988->0:532. We have never written anything past 532,---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53581 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Check for NOT_READY flag state after lockingCurrently the check for NOT_READY flag is performed before obtaining thenecessary lock. This opens a possibility for race condition when the flowis concurrently removed from unready_flows list by the workqueue task,which causes a double-removal from the list and a crash[0]. Fix the issueby moving the flag check inside the section protected byuplink_priv->unready_flows_lock mutex.[0]:[44376.389654] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP[44376.391665] CPU: 7 PID: 59123 Comm: tc Not tainted 6.4.0-rc4+ #1[44376.392984] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014[44376.395342] RIP: 0010:mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core][44376.396857] Code: 00 48 8b b8 68 ce 02 00 e8 8a 4d 02 00 4c 8d a8 a8 01 00 00 4c 89 ef e8 8b 79 88 e1 48 8b 83 98 06 00 00 48 8b 93 90 06 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 83 90 06[44376.399167] RSP: 0018:ffff88812cc97570 EFLAGS: 00010246[44376.399680] RAX: dead000000000122 RBX: ffff8881088e3800 RCX: ffff8881881bac00[44376.400337] RDX: dead000000000100 RSI: ffff88812cc97500 RDI: ffff8881242f71b0[44376.401001] RBP: ffff88811cbb0940 R08: 0000000000000400 R09: 0000000000000001[44376.401663] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88812c944000[44376.402342] R13: ffff8881242f71a8 R14: ffff8881222b4000 R15: 0000000000000000[44376.402999] FS: 00007f0451104800(0000) GS:ffff88852cb80000(0000) knlGS:0000000000000000[44376.403787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[44376.404343] CR2: 0000000000489108 CR3: 0000000123a79003 CR4: 0000000000370ea0[44376.405004] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000[44376.405665] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400[44376.406339] Call Trace:[44376.406651] [44376.406939] ? die_addr+0x33/0x90[44376.407311] ? exc_general_protection+0x192/0x390[44376.407795] ? asm_exc_general_protection+0x22/0x30[44376.408292] ? mlx5e_tc_del_fdb_flow+0xb3/0x340 [mlx5_core][44376.408876] __mlx5e_tc_del_fdb_peer_flow+0xbc/0xe0 [mlx5_core][44376.409482] mlx5e_tc_del_flow+0x42/0x210 [mlx5_core][44376.410055] mlx5e_flow_put+0x25/0x50 [mlx5_core][44376.410529] mlx5e_delete_flower+0x24b/0x350 [mlx5_core][44376.411043] tc_setup_cb_reoffload+0x22/0x80[44376.411462] fl_reoffload+0x261/0x2f0 [cls_flower][44376.411907] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core][44376.412481] ? mlx5e_rep_indr_setup_ft_cb+0x160/0x160 [mlx5_core][44376.413044] tcf_block_playback_offloads+0x76/0x170[44376.413497] tcf_block_unbind+0x7b/0xd0[44376.413881] tcf_block_setup+0x17d/0x1c0[44376.414269] tcf_block_offload_cmd.isra.0+0xf1/0x130[44376.414725] tcf_block_offload_unbind+0x43/0x70[44376.415153] __tcf_block_put+0x82/0x150[44376.415532] ingress_destroy+0x22/0x30 [sch_ingress][44376.415986] qdisc_destroy+0x3b/0xd0[44376.416343] qdisc_graft+0x4d0/0x620[44376.416706] tc_get_qdisc+0x1c9/0x3b0[44376.417074] rtnetlink_rcv_msg+0x29c/0x390[44376.419978] ? rep_movs_alternative+0x3a/0xa0[44376.420399] ? rtnl_calcit.isra.0+0x120/0x120[44376.420813] netlink_rcv_skb+0x54/0x100[44376.421192] netlink_unicast+0x1f6/0x2c0[44376.421573] netlink_sendmsg+0x232/0x4a0[44376.421980] sock_sendmsg+0x38/0x60[44376.422328] ____sys_sendmsg+0x1d0/0x1e0[44376.422709] ? copy_msghdr_from_user+0x6d/0xa0[44376.423127] ___sys_sendmsg+0x80/0xc0[44376.423495] ? ___sys_recvmsg+0x8b/0xc0[44376.423869] __sys_sendmsg+0x51/0x90[44376.424226] do_syscall_64+0x3d/0x90[44376.424587] entry_SYSCALL_64_after_hwframe+0x46/0xb0[44376.425046] RIP: 0033:0x7f045134f887[44376.425403] Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53602 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: ath11k: fix memory leak in WMI firmware statsMemory allocated for firmware pdev, vdev and beacon statisticsare not released during rmmod.Fix it by calling ath11k_fw_stats_free() function before hardwareunregister.While at it, avoid calling ath11k_fw_stats_free() while processingthe firmware stats received in the WMI event because the local listis getting spliced and reinitialised and hence there are no elementsin the list after splicing.Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53650 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()If 'mipid_detect()' fails, we must free 'md' to avoid a memory leak.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53662 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}If the filename casefolding fails, we'll be leaking memory from thefscrypt_name struct, namely from the 'crypto_buf.name' member.Make sure we free it in the error path on both ext4_fname_setup_filename()and ext4_fname_prepare_lookup() functions.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53730 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_costadjust_inuse_and_calc_cost() use spin_lock_irq() and IRQ will be enabledwhen unlock. DEADLOCK might happen if we have held other locks and disabledIRQ before invoking it.Fix it by using spin_lock_irqsave() instead, which can keep IRQ stateconsistent with before when unlock. ================================ WARNING: inconsistent lock state 5.10.0-02758-g8e5f91fd772f #26 Not tainted -------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. kworker/2:3/388 [HC0[0]:SC0[0]:HE0:SE1] takes: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 {IN-HARDIRQ-W} state was registered at: __lock_acquire+0x3d7/0x1070 lock_acquire+0x197/0x4a0 __raw_spin_lock_irqsave _raw_spin_lock_irqsave+0x3b/0x60 bfq_idle_slice_timer_body bfq_idle_slice_timer+0x53/0x1d0 __run_hrtimer+0x477/0xa70 __hrtimer_run_queues+0x1c6/0x2d0 hrtimer_interrupt+0x302/0x9e0 local_apic_timer_interrupt __sysvec_apic_timer_interrupt+0xfd/0x420 run_sysvec_on_irqstack_cond sysvec_apic_timer_interrupt+0x46/0xa0 asm_sysvec_apic_timer_interrupt+0x12/0x20 irq event stamp: 837522 hardirqs last enabled at (837521): [] __raw_spin_unlock_irqrestore hardirqs last enabled at (837521): [] _raw_spin_unlock_irqrestore+0x3d/0x40 hardirqs last disabled at (837522): [] __raw_spin_lock_irq hardirqs last disabled at (837522): [] _raw_spin_lock_irq+0x43/0x50 softirqs last enabled at (835852): [] __do_softirq+0x558/0x8ec softirqs last disabled at (835845): [] asm_call_irq_on_stack+0xf/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&bfqd->lock); lock(&bfqd->lock); *** DEADLOCK *** 3 locks held by kworker/2:3/388: #0: ffff888107af0f38 ((wq_completion)kthrotld){+.+.}-{0:0}, at: process_one_work+0x742/0x13f0 #1: ffff8881176bfdd8 ((work_completion)(&td->dispatch_work)){+.+.}-{0:0}, at: process_one_work+0x777/0x13f0 #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: spin_lock_irq #2: ffff888118c00c28 (&bfqd->lock){?.-.}-{2:2}, at: bfq_bio_merge+0x141/0x390 stack backtrace: CPU: 2 PID: 388 Comm: kworker/2:3 Not tainted 5.10.0-02758-g8e5f91fd772f #26 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kthrotld blk_throtl_dispatch_work_fn Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x167 print_usage_bug valid_state mark_lock_irq.cold+0x32/0x3a mark_lock+0x693/0xbc0 mark_held_locks+0x9e/0xe0 __trace_hardirqs_on_caller lockdep_hardirqs_on_prepare.part.0+0x151/0x360 trace_hardirqs_on+0x5b/0x180 __raw_spin_unlock_irq _raw_spin_unlock_irq+0x24/0x40 spin_unlock_irq adjust_inuse_and_calc_cost+0x4fb/0x970 ioc_rqos_merge+0x277/0x740 __rq_qos_merge+0x62/0xb0 rq_qos_merge bio_attempt_back_merge+0x12c/0x4a0 blk_mq_sched_try_merge+0x1b6/0x4d0 bfq_bio_merge+0x24a/0x390 __blk_mq_sched_bio_merge+0xa6/0x460 blk_mq_sched_bio_merge blk_mq_submit_bio+0x2e7/0x1ee0 __submit_bio_noacct_mq+0x175/0x3b0 submit_bio_noacct+0x1fb/0x270 blk_throtl_dispatch_work_fn+0x1ef/0x2b0 process_one_work+0x83e/0x13f0 process_scheduled_works worker_thread+0x7e3/0xd80 kthread+0x353/0x470 ret_from_fork+0x1f/0x30

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53731 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:netlink: fix potential deadlock in netlink_set_err()syzbot reported a possible deadlock in netlink_set_err() [1]A similar issue was fixed in commit 1d482e666b8e ("netlink: disable IRQsfor netlink_lock_table()") in netlink_lock_table()This patch adds IRQ safety to netlink_set_err() and __netlink_diag_dump()which were not covered by cited commit.[1]WARNING: possible irq lock inversion dependency detected6.4.0-rc6-syzkaller-00240-g4e9f0ec38852 #0 Not taintedsyz-executor.2/23011 just changed the state of lock:ffffffff8e1a7a58 (nl_table_lock){.+.?}-{2:2}, at: netlink_set_err+0x2e/0x3a0 net/netlink/af_netlink.c:1612but this lock was taken by another, SOFTIRQ-safe lock in the past: (&local->queue_stop_reason_lock){..-.}-{2:2}and interrupts could create inverse lock ordering between them.other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nl_table_lock); local_irq_disable(); lock(&local->queue_stop_reason_lock); lock(nl_table_lock); lock(&local->queue_stop_reason_lock); *** DEADLOCK ***

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40111 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:drm/vmwgfx: Fix Use-after-free in validationNodes stored in the validation duplicates hashtable come from an arenaallocator that is cleared at the end of vmw_execbuf_process. All nodesare expected to be cleared in vmw_validation_drop_ht but this node escapedbecause its resource was destroyed prematurely.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40164 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:usbnet: Fix using smp_processor_id() in preemptible code warningsSyzbot reported the following warning:BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49 usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331 usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708 usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417 __dev_set_mtu net/core/dev.c:9443 [inline] netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496 netif_set_mtu+0xb0/0x160 net/core/dev.c:9520 dev_set_mtu+0xae/0x170 net/core/dev_api.c:247 dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572 dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821 sock_do_ioctl+0x19d/0x280 net/socket.c:1204 sock_ioctl+0x42f/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7fFor historical and portability reasons, the netif_rx() is usuallyrun in the softirq or interrupt context, this commit therefore addlocal_bh_disable/enable() protection in the usbnet_resume_rx().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40173 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:net/ip6_tunnel: Prevent perpetual tunnel growthSimilarly to ipv4 tunnel, ipv6 version updates dev->needed_headroom, too.While ipv4 tunnel headroom adjustment growth was limited incommit 5ae1e9922bbd ("net: ip_tunnel: prevent perpetual headroom growth"),ipv6 tunnel yet increases the headroom without any ceiling.Reflect ipv4 tunnel headroom adjustment limit on ipv6 version.Credits to Francesco Ruggeri, who was originally debugging this issueand wrote local Arista-specific patch and a reproducer.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40194 Severity: Moderate CVSS3 score: 4.7

Description: In the Linux kernel, the following vulnerability has been resolved:cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()The cpufreq_cpu_put() call in update_qos_request() takes place too earlybecause the latter subsequently calls freq_qos_update_request() thatindirectly accesses the policy object in question through the QoS requestobject passed to it.Fortunately, update_qos_request() is called under intel_pstate_driver_lock,so this issue does not matter for changing the intel_pstate operationmode, but it theoretically can cause a crash to occur on CPU device hotremoval (which currently can only happen in virt, but it is formallysupported nevertheless).Address this issue by modifying update_qos_request() to drop thereference to the policy later.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-0840 Severity: Moderate CVSS3 score: 4.5

Description: A vulnerability, which was classified as problematic, was found in GNU Binutils up to 2.43. This affects the function disassemble_bytes of the file binutils/objdump.c. The manipulation of the argument buf leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. The identifier of the patch is baac6c221e9d69335bf41366a1c7d87d8ab2f893. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-11065 Severity: Moderate CVSS3 score: 4.5

Description: Unknown.

Packages affected:

sle-module-containers-release == 15.6 (version in image is 15.6-150600.37.2).
docker > 0-0 (version in image is 28.3.3_ce-150000.230.1).

CVE-2025-1176 Severity: Moderate CVSS3 score: 4.5

Description: A vulnerability was found in GNU Binutils 2.43 and classified as critical. This issue affects the function _bfd_elf_gc_mark_rsec of the file elflink.c of the component ld. The manipulation leads to heap-based buffer overflow. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The patch is named f9978defb6fab0bd8583942d97c112b0932ac814. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1182 Severity: Moderate CVSS3 score: 4.5

Description: A vulnerability, which was classified as critical, was found in GNU Binutils 2.43. Affected is the function bfd_elf_reloc_symbol_deleted_p of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as b425859021d17adf62f06fb904797cf8642986ad. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2023-53588 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: check for station first in client probeWhen probing a client, first check if we have it, and thencheck for the channel context, otherwise you can triggerthe warning there easily by probing when the AP isn't evenstarted yet. Since a client existing means the AP is alsooperating, we can then keep the warning.Also simplify the moved code a bit.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53654 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:octeontx2-af: Add validation before accessing cgx and lmacwith the addition of new MAC blocks like CN10K RPM and CN10KBRPM_USX, LMACs are noncontiguous and CGX blocks are alsononcontiguous. But during RVU driver initialization, the driveris assuming they are contiguous and trying to accesscgx or lmac with their id which is resulting in kernel panic.This patch fixes the issue by adding proper checks.[ 23.219150] pc : cgx_lmac_read+0x38/0x70[ 23.219154] lr : rvu_program_channels+0x3f0/0x498[ 23.223852] sp : ffff000100d6fc80[ 23.227158] x29: ffff000100d6fc80 x28: ffff00010009f880 x27:000000000000005a[ 23.234288] x26: ffff000102586768 x25: 0000000000002500 x24:fffffffffff0f000

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53656 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:drivers/perf: hisi: Don't migrate perf to the CPU going to teardownThe driver needs to migrate the perf context if the current using CPU goingto teardown. By the time calling the cpuhp::teardown() callback thecpu_online_mask() hasn't updated yet and still includes the CPU going toteardown. In current driver's implementation we may migrate the contextto the teardown CPU and leads to the below calltrace:...[ 368.104662][ T932] task:cpuhp/0 state:D stack: 0 pid: 15 ppid: 2 flags:0x00000008[ 368.113699][ T932] Call trace:[ 368.116834][ T932] __switch_to+0x7c/0xbc[ 368.120924][ T932] __schedule+0x338/0x6f0[ 368.125098][ T932] schedule+0x50/0xe0[ 368.128926][ T932] schedule_preempt_disabled+0x18/0x24[ 368.134229][ T932] __mutex_lock.constprop.0+0x1d4/0x5dc[ 368.139617][ T932] __mutex_lock_slowpath+0x1c/0x30[ 368.144573][ T932] mutex_lock+0x50/0x60[ 368.148579][ T932] perf_pmu_migrate_context+0x84/0x2b0[ 368.153884][ T932] hisi_pcie_pmu_offline_cpu+0x90/0xe0 [hisi_pcie_pmu][ 368.160579][ T932] cpuhp_invoke_callback+0x2a0/0x650[ 368.165707][ T932] cpuhp_thread_fun+0xe4/0x190[ 368.170316][ T932] smpboot_thread_fn+0x15c/0x1a0[ 368.175099][ T932] kthread+0x108/0x13c[ 368.179012][ T932] ret_from_fork+0x10/0x18...Use function cpumask_any_but() to find one correct active cpu to fixesthis issue.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53668 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:ring-buffer: Fix deadloop issue on reading trace_pipeSoft lockup occurs when reading file 'trace_pipe': watchdog: BUG: soft lockup - CPU#6 stuck for 22s! [cat:4488] [...] RIP: 0010:ring_buffer_empty_cpu+0xed/0x170 RSP: 0018:ffff88810dd6fc48 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000246 RCX: ffffffff93d1aaeb RDX: ffff88810a280040 RSI: 0000000000000008 RDI: ffff88811164b218 RBP: ffff88811164b218 R08: 0000000000000000 R09: ffff88815156600f R10: ffffed102a2acc01 R11: 0000000000000001 R12: 0000000051651901 R13: 0000000000000000 R14: ffff888115e49500 R15: 0000000000000000 [...] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8d853c2000 CR3: 000000010dcd8000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __find_next_entry+0x1a8/0x4b0 ? peek_next_entry+0x250/0x250 ? down_write+0xa5/0x120 ? down_write_killable+0x130/0x130 trace_find_next_entry_inc+0x3b/0x1d0 tracing_read_pipe+0x423/0xae0 ? tracing_splice_read_pipe+0xcb0/0xcb0 vfs_read+0x16b/0x490 ksys_read+0x105/0x210 ? __ia32_sys_pwrite64+0x200/0x200 ? switch_fpu_return+0x108/0x220 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6Through the vmcore, I found it's because in tracing_read_pipe(),ring_buffer_empty_cpu() found some buffer is not empty but then itcannot read anything due to "rb_num_of_entries() == 0" always true,Then it infinitely loop the procedure due to user buffer not beenfilled, see following code path: tracing_read_pipe() { ... ... waitagain: tracing_wait_pipe() // 1. find non-empty buffer here trace_find_next_entry_inc() // 2. loop here try to find an entry __find_next_entry() ring_buffer_empty_cpu(); // 3. find non-empty buffer peek_next_entry() // 4. but peek always return NULL ring_buffer_peek() rb_buffer_peek() rb_get_reader_page() // 5. because rb_num_of_entries() == 0 always true here // then return NULL // 6. user buffer not been filled so goto 'waitgain' // and eventually leads to an deadloop in kernel!!! }By some analyzing, I found that when resetting ringbuffer, the 'entries'of its pages are not all cleared (see rb_reset_cpu()). Then when reducingthe ringbuffer, and if some reduced pages exist dirty 'entries' data, theywill be added into 'cpu_buffer->overrun' (see rb_remove_pages()), whichcause wrong 'overrun' count and eventually cause the deadloop issue.To fix it, we need to clear every pages in rb_reset_cpu().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53681 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:bcache: Fix __bch_btree_node_alloc to make the failure behavior consistentIn some specific situations, the return value of __bch_btree_node_allocmay be NULL. This may lead to a potential NULL pointer dereference incaller function like a calling chain :btree_split->bch_btree_node_alloc->__bch_btree_node_alloc.Fix it by initializing the return value in __bch_btree_node_alloc.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53699 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:riscv: move memblock_allow_resize() after linear mapping is readyThe initial memblock metadata is accessed from kernel image mapping. Theregions arrays need to "reallocated" from memblock and accessed throughlinear mapping to cover more memblock regions. So the resizing shouldnot be allowed until linear mapping is ready. Note that there arememblock allocations when building linear mapping.This patch is similar to 24cc61d8cb5a ("arm64: memblock: don't permitmemblock resizing until linear mapping is up").In following log, many memblock regions are reserved beforecreate_linear_mapping_page_table(). And then it triggered reallocationof memblock.reserved.regions and memcpy the old array in kernel imagemapping to the new array in linear mapping which caused a page fault.[ 0.000000] memblock_reserve: [0x00000000bf01f000-0x00000000bf01ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf021000-0x00000000bf021fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf023000-0x00000000bf023fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf025000-0x00000000bf025fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf027000-0x00000000bf027fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf029000-0x00000000bf029fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf02b000-0x00000000bf02bfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf02d000-0x00000000bf02dfff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf02f000-0x00000000bf02ffff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] memblock_reserve: [0x00000000bf030000-0x00000000bf030fff] early_init_fdt_scan_reserved_mem+0x28c/0x2c6[ 0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) map non-reusable mmode_resv0@80000000[ 0.000000] memblock_reserve: [0x00000000bf000000-0x00000000bf001fed] paging_init+0x19a/0x5ae[ 0.000000] memblock_phys_alloc_range: 4096 bytes align=0x1000 from=0x0000000000000000 max_addr=0x0000000000000000 alloc_pmd_fixmap+0x14/0x1c[ 0.000000] memblock_reserve: [0x000000017ffff000-0x000000017fffffff] memblock_alloc_range_nid+0xb8/0x128[ 0.000000] memblock: reserved is doubled to 256 at [0x000000017fffd000-0x000000017fffe7ff][ 0.000000] Unable to handle kernel paging request at virtual address ff600000ffffd000[ 0.000000] Oops [#1][ 0.000000] Modules linked in:[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.4.0-rc1-00011-g99a670b2069c #66[ 0.000000] Hardware name: riscv-virtio,qemu (DT)[ 0.000000] epc : __memcpy+0x60/0xf8[ 0.000000] ra : memblock_double_array+0x192/0x248[ 0.000000] epc : ffffffff8081d214 ra : ffffffff80a3dfc0 sp : ffffffff81403bd0[ 0.000000] gp : ffffffff814fbb38 tp : ffffffff8140dac0 t0 : 0000000001600000[ 0.000000] t1 : 0000000000000000 t2 : 000000008f001000 s0 : ffffffff81403c60[ 0.000000] s1 : ffffffff80c0bc98 a0 : ff600000ffffd000 a1 : ffffffff80c0bcd8[ 0.000000] a2 : 0000000000000c00 a3 : ffffffff80c0c8d8 a4 : 0000000080000000[ 0.000000] a5 : 0000000000080000 a6 : 0000000000000000 a7 : 0000000080200000[ 0.000000] s2 : ff600000ffffd000 s3 : 0000000000002000 s4 : 0000000000000c00[ 0.000000] s5 : ffffffff80c0bc60 s6 : ffffffff80c0bcc8 s7 : 0000000000000000[ 0.000000] s8 : ffffffff814fd0a8 s9 : 000000017fffe7ff s10: 0000000000000000[ 0.000000] s11: 0000000000001000 t3 : 0000000000001000 t4 : 0000000000000000[ 0.000000] t5 : 000000008f003000 t6 : ff600000ffffd000[ 0.000000] status: 0000000200000100 badaddr: ff600000ffffd000 cause: 000000000000000f[ 0.000000] [

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-22870 Severity: Moderate CVSS3 score: 4.4

Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
containerd > 0-0 (version in image is 1.7.27-150000.123.1).

CVE-2025-39969 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: fix validation of VF state in get resourcesVF state I40E_VF_STATE_ACTIVE is not the only state in whichVF is actually active so it should not be used to determineif a VF is allowed to obtain resources.Use I40E_VF_STATE_RESOURCES_LOADED that is set only ini40e_vc_get_vf_resources_msg() and cleared during reset.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39980 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:nexthop: Forbid FDB status change while nexthop is in a groupThe kernel forbids the creation of non-FDB nexthop groups with FDBnexthops: # ip nexthop add id 1 via 192.0.2.1 fdb # ip nexthop add id 2 group 1 Error: Non FDB nexthop group cannot have fdb nexthops.And vice versa: # ip nexthop add id 3 via 192.0.2.2 dev dummy1 # ip nexthop add id 4 group 3 fdb Error: FDB nexthop group can only have fdb nexthops.However, as long as no routes are pointing to a non-FDB nexthop group,the kernel allows changing the type of a nexthop from FDB to non-FDB andvice versa: # ip nexthop add id 5 via 192.0.2.2 dev dummy1 # ip nexthop add id 6 group 5 # ip nexthop replace id 5 via 192.0.2.2 fdb # echo $? 0This configuration is invalid and can result in a NPD [1] since FDBnexthops are not associated with a nexthop device: # ip route add 198.51.100.1/32 nhid 6 # ping 198.51.100.1Fix by preventing nexthop FDB status change while the nexthop is in agroup: # ip nexthop add id 7 via 192.0.2.2 dev dummy1 # ip nexthop add id 8 group 7 # ip nexthop replace id 7 via 192.0.2.2 fdb Error: Cannot change nexthop FDB status while in a group.[1]BUG: kernel NULL pointer dereference, address: 00000000000003c0[...]Oops: Oops: 0000 [#1] SMPCPU: 6 UID: 0 PID: 367 Comm: ping Not tainted 6.17.0-rc6-virtme-gb65678cacc03 #1 PREEMPT(voluntary)Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-4.fc41 04/01/2014RIP: 0010:fib_lookup_good_nhc+0x1e/0x80[...]Call Trace: fib_table_lookup+0x541/0x650 ip_route_output_key_hash_rcu+0x2ea/0x970 ip_route_output_key_hash+0x55/0x80 __ip4_datagram_connect+0x250/0x330 udp_connect+0x2b/0x60 __sys_connect+0x9c/0xd0 __x64_sys_connect+0x18/0x20 do_syscall_64+0xa4/0x2a0 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40021 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:tracing: dynevent: Add a missing lockdown check on dyneventSince dynamic_events interface on tracefs is compatible withkprobe_events and uprobe_events, it should also check the lockdownstatus and reject if it is set.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40032 Severity: Moderate CVSS3 score: 4.4

Description: In the Linux kernel, the following vulnerability has been resolved:PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before releaseThe fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can beNULL even after EPF initialization. Then it is prudent to check thatthey have non-NULL values before releasing the channels. Add the checksin pci_epf_test_clean_dma_chan().Without the checks, NULL pointer dereferences happen and they can leadto a kernel panic in some cases: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Call trace: dma_release_channel+0x2c/0x120 (P) pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test] pci_epc_deinit_notify+0x74/0xc0 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8 irq_thread_fn+0x34/0xb8 irq_thread+0x18c/0x2e8 kthread+0x14c/0x210 ret_from_fork+0x10/0x20[mani: trimmed the stack trace]

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-69277 Severity: Moderate CVSS3 score: 4.4

Description: libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libsodium23 > 0-0 (version in image is 1.0.18-150000.4.8.1).

CVE-2025-10158 Severity: Moderate CVSS3 score: 4.3

Description: A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
rsync > 0-0 (version in image is 3.2.7-150600.3.11.1).

CVE-2025-12084 Severity: Moderate CVSS3 score: 4.3

Description: When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-32728 Severity: Moderate CVSS3 score: 4.3

Description: In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

Packages affected:

sle-module-desktop-applications-release == 15.6 (version in image is 15.6-150600.37.2).
openssh > 0-0 (version in image is 9.6p1-150600.6.29.2).

CVE-2025-39948 Severity: Moderate CVSS3 score: 4.3

Description: In the Linux kernel, the following vulnerability has been resolved:ice: fix Rx page leak on multi-buffer framesThe ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for eachbuffer in the current frame. This function was introduced as part ofhandling multi-buffer XDP support in the ice driver.It works by iterating over the buffers from first_desc up to 1 plus thetotal number of fragments in the frame, cached from before the XDP programwas executed.If the hardware posts a descriptor with a size of 0, the logic used inice_put_rx_mbuf() breaks. Such descriptors get skipped and don't get addedas fragments in ice_add_xdp_frag. Since the buffer isn't counted as afragment, we do not iterate over it in ice_put_rx_mbuf(), and thus we don'tcall ice_put_rx_buf().Because we don't call ice_put_rx_buf(), we don't attempt to re-use thepage or free it. This leaves a stale page in the ring, as we don'tincrement next_to_alloc.The ice_reuse_rx_page() assumes that the next_to_alloc has been incrementedproperly, and that it always points to a buffer with a NULL page. Sincethis function doesn't check, it will happily recycle a page over the topof the next_to_alloc buffer, losing track of the old page.Note that this leak only occurs for multi-buffer frames. Theice_put_rx_mbuf() function always handles at least one buffer, so asingle-buffer frame will always get handled correctly. It is not clearprecisely why the hardware hands us descriptors with a size of 0 sometimes,but it happens somewhat regularly with "jumbo frames" used by 9K MTU.To fix ice_put_rx_mbuf(), we need to make sure to call ice_put_rx_buf() onall buffers between first_desc and next_to_clean. Borrow the logic of asimilar function in i40e used for this same purpose. Use the same logicalso in ice_get_pgcnts().Instead of iterating over just the number of fragments, use a loop whichiterates until the current index reaches to the next_to_clean element justpast the current frame. Unlike i40e, the ice_put_rx_mbuf() function doescall ice_put_rx_buf() on the last buffer of the frame indicating the end ofpacket.For non-linear (multi-buffer) frames, we need to take care when adjustingthe pagecnt_bias. An XDP program might release fragments from the tail ofthe frame, in which case that fragment page is already released. Onlyupdate the pagecnt_bias for the first descriptor and fragments stillremaining post-XDP program. Take care to only access the shared info forfragmented buffers, as this avoids a significant cache miss.The xdp_xmit value only needs to be updated if an XDP program is run, andonly once per packet. Drop the xdp_xmit pointer argument fromice_put_rx_mbuf(). Instead, set xdp_xmit in the ice_clean_rx_irq() functiondirectly. This avoids needing to pass the argument and avoids an extrabit-wise OR for each buffer in the frame.Move the increment of the ntc local variable to ensure its updated *before*all calls to ice_get_pgcnts() or ice_put_rx_mbuf(), as the loop logicrequires the index of the element just after the current frame.Now that we use an index pointer in the ring to identify the packet, we nolonger need to track or cache the number of fragments in the rx_ring.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2026-21441 Severity: Moderate CVSS3 score: 4.3

Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
python3-urllib3 > 0-0 (version in image is 1.25.10-150300.4.18.1).

CVE-2025-39947 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Harden uplink netdev access against device unbindThe function mlx5_uplink_netdev_get() gets the uplink netdevicepointer from mdev->mlx5e_res.uplink_netdev. However, the netdevice canbe removed and its pointer cleared when unbound from the mlx5_core.ethdriver. This results in a NULL pointer, causing a kernel panic. BUG: unable to handle page fault for address: 0000000000001300 at RIP: 0010:mlx5e_vport_rep_load+0x22a/0x270 [mlx5_core] Call Trace: mlx5_esw_offloads_rep_load+0x68/0xe0 [mlx5_core] esw_offloads_enable+0x593/0x910 [mlx5_core] mlx5_eswitch_enable_locked+0x341/0x420 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x17e/0x3a0 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xd0 genl_family_rcv_msg_doit+0xe0/0x130 genl_rcv_msg+0x183/0x290 netlink_rcv_skb+0x4b/0xf0 genl_rcv+0x24/0x40 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 __sys_sendto+0x119/0x180 do_syscall_64+0x53/0x1d0 entry_SYSCALL_64_after_hwframe+0x4b/0x53Ensure the pointer is valid before use by checking it for NULL. If itis valid, immediately call netdev_hold() to take a reference, andpreventing the netdevice from being freed while it is in use.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40110 Severity: Moderate CVSS3 score: 4.1

Description: In the Linux kernel, the following vulnerability has been resolved:drm/vmwgfx: Fix a null-ptr access in the cursor snooperCheck that the resource which is converted to a surface exists beforetrying to use the cursor snooper on it.vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiersbecause some svga commands accept SVGA3D_INVALID_ID to mean "no surface",unfortunately functions that accept the actual surfaces as objects might(and in case of the cursor snooper, do not) be able to handle nullobjects. Make sure that we validate not only the identifier (via thevmw_cmd_res_check) but also check that the actual resource exists beforetrying to do something with it.Fixes unchecked null-ptr reference in the snooping code.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-13837 Severity: Moderate CVSS3 score: 4.0

Description: When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

Packages affected:

sle-module-development-tools-release == 15.6 (version in image is 15.6-150600.37.2).
python3 > 0-0 (version in image is 3.6.15-150300.10.97.2).

CVE-2025-5244 Severity: Moderate CVSS3 score: 4.0

Description: A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-5245 Severity: Moderate CVSS3 score: 4.0

Description: A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-66382 Severity: Moderate CVSS3 score: 4.0

Description: In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libexpat1 > 0-0 (version in image is 2.7.1-150400.3.31.1).

CVE-2025-9820 Severity: Moderate CVSS3 score: 4.0

Description: Unknown.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libgnutls30 < 3.8.3-150600.4.12.1 (version in image is 3.8.3-150600.4.9.1).

CVE-2026-0988 Severity: Low CVSS3 score: 3.7

Description: A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
glib2-tools > 0-0 (version in image is 2.78.6-150600.4.16.1).

CVE-2025-1147 Severity: Low CVSS3 score: 3.6

Description: A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2023-53649 Severity: Moderate CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:perf trace: Really free the evsel->priv areaIn 3cb4d5e00e037c70 ("perf trace: Free syscall tp fields inevsel->priv") it only was freeing if strcmp(evsel->tp_format->system,"syscalls") returned zero, while the corresponding initialization ofevsel->priv was being performed if it was _not_ zero, i.e. if the tpsystem wasn't 'syscalls'.Just stop looking for that and free it if evsel->priv was set, whichshould be equivalent.Also use the pre-existing evsel_trace__delete() function.This resolves these leaks, detected with: $ make EXTRA_CFLAGS="-fsanitize=address" BUILD_BPF_SKEL=1 CORESIGHT=1 O=/tmp/build/perf-tools-next -C tools/perf install-bin ================================================================= ==481565==ERROR: LeakSanitizer: detected memory leaks Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 #6 0x540e8b in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3212 #7 0x540e8b in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 #8 0x540e8b in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323 #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) Direct leak of 40 byte(s) in 1 object(s) allocated from: #0 0x7f7343cba097 in calloc (/lib64/libasan.so.8+0xba097) #1 0x987966 in zalloc (/home/acme/bin/perf+0x987966) #2 0x52f9b9 in evsel_trace__new /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:307 #3 0x52f9b9 in evsel__syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:333 #4 0x52f9b9 in evsel__init_raw_syscall_tp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:458 #5 0x52f9b9 in perf_evsel__raw_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:480 #6 0x540dd1 in trace__add_syscall_newtp /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3205 #7 0x540dd1 in trace__run /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:3891 #8 0x540dd1 in cmd_trace /home/acme/git/perf-tools-next/tools/perf/builtin-trace.c:5156 #9 0x5ef262 in run_builtin /home/acme/git/perf-tools-next/tools/perf/perf.c:323 #10 0x4196da in handle_internal_command /home/acme/git/perf-tools-next/tools/perf/perf.c:377 #11 0x4196da in run_argv /home/acme/git/perf-tools-next/tools/perf/perf.c:421 #12 0x4196da in main /home/acme/git/perf-tools-next/tools/perf/perf.c:537 #13 0x7f7342c4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) SUMMARY: AddressSanitizer: 80 byte(s) leaked in 2 allocation(s). [root@quaco ~]#With this we plug all leaks with "perf trace sleep 1".

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-1372 Severity: Moderate CVSS3 score: 3.3

Description: A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
elfutils > 0-0 (version in image is 0.185-150400.5.3.1).

CVE-2025-3198 Severity: Moderate CVSS3 score: 3.3

Description: A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2026-0989 Severity: Moderate CVSS3 score: 3.3

Description: A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2026-0992 Severity: Moderate CVSS3 score: 3.3

Description: A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
libxml2-2 > 0-0 (version in image is 2.10.3-150500.5.32.1).

CVE-2023-53633 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:accel/qaic: Fix a leak in map_user_pages()If get_user_pages_fast() allocates some pages but not as many as wewanted, then the current code leaks those pages. Call put_page() onthe pages before returning.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53670 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:nvme-core: fix dev_pm_qos memleakCall dev_pm_qos_hide_latency_tolerance() in the error unwind patch toavoid following kmemleak:-blktests (master) # kmemleak-clear; ./check nvme/044;blktests (master) # kmemleak-scan ; kmemleak-shownvme/044 (Test bi-directional authentication) [passed] runtime 2.111s ... 2.124sunreferenced object 0xffff888110c46240 (size 96): comm "nvme", pid 33461, jiffies 4345365353 (age 75.586s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000069ac2cec>] kmalloc_trace+0x25/0x90 [<000000006acc66d5>] dev_pm_qos_update_user_latency_tolerance+0x6f/0x100 [<00000000cc376ea7>] nvme_init_ctrl+0x38e/0x410 [nvme_core] [<000000007df61b4b>] 0xffffffffc05e88b3 [<00000000d152b985>] 0xffffffffc05744cb [<00000000f04a4041>] vfs_write+0xc5/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53674 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:clk: Fix memory leak in devm_clk_notifier_register()devm_clk_notifier_register() allocates a devres resource for clknotifier but didn't register that to the device, so the notifier didn'tget unregistered on device detach and the allocated resource was leaked.Fix the issue by registering the resource through devres_add().This issue was found with kmemleak on a Chromebook.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53687 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clkWhen the best clk is searched, we iterate over all possible clk.If we find a better match, the previous one, if any, needs to be freed.If a better match has already been found, we still need to free the newone, otherwise it leaks.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53704 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()Replace of_iomap() and kzalloc() with devm_of_iomap() and devm_kzalloc()which can automatically release the related memory when the deviceor driver is removed or unloaded to avoid potential memory leak.In this case, iounmap(anatop_base) in line 427,433 are removedas manual release is not required.Besides, referring to clk-imx8mq.c, check the return code ofof_clk_add_hw_provider, if it returns negtive, print error infoand unregister hws, which makes the program more robust.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53708 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objectsIf a badly constructed firmware includes multiple `ACPI_TYPE_PACKAGE`objects while evaluating the AMD LPS0 _DSM, there will be a memoryleak. Explicitly guard against this.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53725 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probeSmatch reports:drivers/clocksource/timer-cadence-ttc.c:529 ttc_timer_probe()warn: 'timer_baseaddr' from of_iomap() not released on lines: 498,508,516.timer_baseaddr may have the problem of not being released after use,I replaced it with the devm_of_iomap() function and added the clk_put()function to cleanup the "clk_ce" and "clk_cs".

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53733 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: sched: cls_u32: Undo tcf_bind_filter if u32_replace_hw_knodeWhen u32_replace_hw_knode fails, we need to undo the tcf_bind_filteroperation done at u32_set_parms.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2024-58251 Severity: Low CVSS3 score: 3.3

Description: In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
iproute2 > 0-0 (version in image is 6.4-150600.7.9.1).

CVE-2025-11494 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-11495 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-11839 Severity: Low CVSS3 score: 3.3

Description: A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be exploited.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2025-11840 Severity: Low CVSS3 score: 3.3

Description: A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2025-11961 Severity: Low CVSS3 score: 3.3

Description: pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libpcap1 > 0-0 (version in image is 1.10.4-150600.3.6.2).

CVE-2025-39957 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:wifi: mac80211: increase scan_ies_len for S1GCurrently the S1G capability element is not taken into accountfor the scan_ies_len, which leads to a buffer length validationfailure in ieee80211_prep_hw_scan() and subsequent WARN in__ieee80211_start_scan(). This prevents hw scanning from functioning.To fix ensure we accommodate for the S1G capability length.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-39968 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:i40e: add max boundary check for VF filtersThere is no check for max filters that VF can request. Add it.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40016 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_IDPer UVC 1.1+ specification 3.7.2, units and terminals must have a non-zerounique ID.```Each Unit and Terminal within the video function is assigned a uniqueidentification number, the Unit ID (UID) or Terminal ID (TID), contained inthe bUnitID or bTerminalID field of the descriptor. The value 0x00 isreserved for undefined ID,```If we add a new entity with id 0 or a duplicated ID, it will be markedas UVC_INVALID_ENTITY_ID.In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Requireentities to have a non-zero unique ID"), we ignored all the invalid units,this broke a lot of non-compatible cameras. Hopefully we are more luckythis time.This also prevents some syzkaller reproducers from triggering warnings dueto a chain of entities referring to themselves. In one particular case, anOutput Unit is connected to an Input Unit, both with the same ID of 1. Butwhen looking up for the source ID of the Output Unit, that same entity isfound instead of the input entity, which leads to such warnings.In another case, a backward chain was considered finished as the source IDwas 0. Later on, that entity was found, but its pads were not valid.Here is a sample stack trace for one of those cases.[ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd[ 20.830206] usb 1-1: Using ep0 maxpacket: 8[ 20.833501] usb 1-1: config 0 descriptor??[ 21.038518] usb 1-1: string descriptor 0 read error: -71[ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201)[ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized![ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized![ 21.042218] ------------[ cut here ]------------[ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0[ 21.043195] Modules linked in:[ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444[ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014[ 21.044639] Workqueue: usb_hub_wq hub_event[ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0[ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00[ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246[ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1[ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290[ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000[ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003[ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000[ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000[ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0[ 21.051136] PKRU: 55555554[ 21.051331] Call Trace:[ 21.051480] [ 21.051611] ? __warn+0xc4/0x210[ 21.051861] ? media_create_pad_link+0x2c4/0x2e0[ 21.052252] ? report_bug+0x11b/0x1a0[ 21.052540] ? trace_hardirqs_on+0x31/0x40[ 21.052901] ? handle_bug+0x3d/0x70[ 21.053197] ? exc_invalid_op+0x1a/0x50[ 21.053511] ? asm_exc_invalid_op+0x1a/0x20[ 21.053924] ? media_create_pad_link+0x91/0x2e0[ 21.054364] ? media_create_pad_link+0x2c4/0x2e0[ 21.054834] ? media_create_pad_link+0x91/0x2e0[ 21.055131] ? _raw_spin_unlock+0x1e/0x40[ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210[ 21.055837] uvc_mc_register_entities+0x358/0x400[ 21.056144] uvc_register_chains+0x1---truncated---

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40105 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:vfs: Don't leak disconnected dentries on umountWhen user calls open_by_handle_at() on some inode that is not cached, wewill create disconnected dentry for it. If such dentry is a directory,exportfs_decode_fh_raw() will then try to connect this dentry to thedentry tree through reconnect_path(). It may happen for various reasons(such as corrupted fs or race with rename) that the call tolookup_one_unlocked() in reconnect_one() will fail to find the dentry weare trying to reconnect and instead create a new dentry under theparent. Now this dentry will not be marked as disconnected although theparent still may well be disconnected (at least in case thisinconsistency happened because the fs is corrupted and .. doesn't pointto the real parent directory). This creates inconsistency indisconnected flags but AFAICS it was mostly harmless. At least untilcommit f1ee616214cb ("VFS: don't keep disconnected dentries on d_anon")which removed adding of most disconnected dentries to sb->s_anon list.Thus after this commit cleanup of disconnected dentries implicitelyrelies on the fact that dput() will immediately reclaim such dentries.However when some leaf dentry isn't marked as disconnected, as in thescenario described above, the reclaim doesn't happen and the dentriesare "leaked". Memory reclaim can eventually reclaim them but otherwisethey stay in memory and if umount comes first, we hit infamous "Busyinodes after unmount" bug. Make sure all dentries created under adisconnected parent are marked as disconnected as well.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-40140 Severity: Low CVSS3 score: 3.3

Description: In the Linux kernel, the following vulnerability has been resolved:net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicastsyzbot reported WARNING in rtl8150_start_xmit/usb_submit_urb.This is the sequence of events that leads to the warning:rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb);}rtl8150_set_multicast() { netif_stop_queue(); netif_wake_queue(); <-- wakes up TX queue before URB is done}rtl8150_start_xmit() { netif_stop_queue(); usb_submit_urb(dev->tx_urb); <-- double submission}rtl8150_set_multicast being the ndo_set_rx_mode callback should not becalling netif_stop_queue and notif_start_queue as these handleTX queue synchronization.The net core function dev_set_rx_mode handles the synchronizationfor rtl8150_set_multicast making it safe to remove these locks.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.58.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-8224 Severity: Low CVSS3 score: 3.3

Description: A vulnerability has been found in GNU Binutils 2.44 and classified as problematic. This vulnerability affects the function bfd_elf_get_str_section of the file bfd/elf.c of the component BFD Library. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The name of the patch is db856d41004301b3a56438efd957ef5cabb91530. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-8225 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-8291 Severity: Low CVSS3 score: 3.3

Description: The 'zipfile' module would not check the validity of the ZIP64 End ofCentral Directory (EOCD) Locator record offset value would not be used tolocate the ZIP64 EOCD record, instead the ZIP64 EOCD record would beassumed to be the previous record in the ZIP archive. This could be abusedto create ZIP archives that are handled differently by the 'zipfile' modulecompared to other ZIP implementations.Remediation maintains this behavior, but checks that the offset specifiedin the ZIP64 EOCD Locator record matches the expected value.

Packages affected:

sle-module-python3-release == 15.6 (version in image is 15.6-150600.37.2).
python311 < 3.11.14-150600.3.38.1 (version in image is 3.11.13-150600.3.35.2).

CVE-2025-8732 Severity: Low CVSS3 score: 3.3

Description: A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
gettext-runtime > 0-0 (version in image is 0.21.1-150600.3.3.2).

CVE-2025-15224 Severity: Moderate CVSS3 score: 3.1

Description: When doing SSH-based transfers using either SCP or SFTP, and asked to dopublic key authentication, curl would wrongly still ask and authenticate usinga locally running SSH agent.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
curl > 0-0 (version in image is 8.14.1-150600.4.28.1).

CVE-2025-58767 Severity: Low CVSS3 score: 2.9

Description: REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches to fix these vulnerabilities.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
libruby2_5-2_5 > 0-0 (version in image is 2.5.9-150000.4.49.1).

CVE-2025-66861 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2025-66863 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2025-66866 Severity: Moderate CVSS3 score: 2.5

Description: An issue was discovered in function d_abi_tags in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2023-53698 Severity: Low CVSS3 score: 2.5

Description: In the Linux kernel, the following vulnerability has been resolved:xsk: fix refcount underflow in error pathFix a refcount underflow problem reported by syzbot that can happenwhen a system is running out of memory. If xp_alloc_tx_descs() fails,and it can only fail due to not having enough memory, then the errorpath is triggered. In this error path, the refcount of the pool isdecremented as it has incremented before. However, the reference tothe pool in the socket was not nulled. This means that when the socketis closed later, the socket teardown logic will think that there is apool attached to the socket and try to decrease the refcount again,leading to a refcount underflow.I chose this fix as it involved adding just a single line. Anotheroption would have been to move xp_get_pool() and the assignment ofxs->pool to after the if-statement and using xs_umem->pool instead ofxs->pool in the whole if-statement resulting in somewhat simpler code,but this would have led to much more churn in the code base perhapsmaking it harder to backport.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-1150 Severity: Low CVSS3 score: 2.5

Description: A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. This vulnerability affects the function bfd_malloc of the file libbfd.c of the component ld. The manipulation leads to memory leak. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1352 Severity: Low CVSS3 score: 2.5

Description: A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
elfutils < 0.185-150400.5.8.3 (version in image is 0.185-150400.5.3.1).

CVE-2025-1376 Severity: Low CVSS3 score: 2.5

Description: A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
elfutils > 0-0 (version in image is 0.185-150400.5.3.1).

CVE-2025-6075 Severity: Low CVSS3 score: 2.5

Description: If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

Packages affected:

sle-module-python3-release == 15.6 (version in image is 15.6-150600.37.2).
python311 < 3.11.14-150600.3.38.1 (version in image is 3.11.13-150600.3.35.2).

CVE-2025-66864 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2025-66865 Severity: Low CVSS3 score: 2.5

Description: An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
binutils > 0-0 (version in image is 2.43-150100.7.52.1).

CVE-2023-53585 Severity: Low CVSS3 score: 2.3

Description: In the Linux kernel, the following vulnerability has been resolved:bpf: reject unhashed sockets in bpf_sk_assignThe semantics for bpf_sk_assign are as follows: sk = some_lookup_func() bpf_sk_assign(skb, sk) bpf_sk_release(sk)That is, the sk is not consumed by bpf_sk_assign. The functiontherefore needs to make sure that sk lives long enough to beconsumed from __inet_lookup_skb. The path through the stack for aTCPv4 packet is roughly: netif_receive_skb_core: takes RCU read lock __netif_receive_skb_core: sch_handle_ingress: tcf_classify: bpf_sk_assign() deliver_ptype_list_skb: deliver_skb: ip_packet_type->func == ip_rcv: ip_rcv_core: ip_rcv_finish_core: dst_input: ip_local_deliver: ip_local_deliver_finish: ip_protocol_deliver_rcu: tcp_v4_rcv: __inet_lookup_skb: skb_steal_sockThe existing helper takes advantage of the fact that everythinghappens in the same RCU critical section: for sockets withSOCK_RCU_FREE set bpf_sk_assign never takes a reference.skb_steal_sock then checks SOCK_RCU_FREE again and does sock_putif necessary.This approach assumes that SOCK_RCU_FREE is never set on a skbetween bpf_sk_assign and skb_steal_sock, but this invariant isviolated by unhashed UDP sockets. A new UDP socket is createdin TCP_CLOSE state but without SOCK_RCU_FREE set. That flag is onlyadded in udp_lib_get_port() which happens when a socket is bound.When bpf_sk_assign was added it wasn't possible to access unhashedUDP sockets from BPF, so this wasn't a problem. This changedin commit 0c48eefae712 ("sock_map: Lift socket state restrictionfor datagram sockets"), but the helper wasn't adjusted accordingly.The following sequence of events will therefore lead to a refcountleak:1. Add socket(AF_INET, SOCK_DGRAM) to a sockmap.2. Pull socket out of sockmap and bpf_sk_assign it. Since SOCK_RCU_FREE is not set we increment the refcount.3. bind() or connect() the socket, setting SOCK_RCU_FREE.4. skb_steal_sock will now set refcounted = false due to SOCK_RCU_FREE.5. tcp_v4_rcv() skips sock_put().Fix the problem by rejecting unhashed sockets in bpf_sk_assign().This matches the behaviour of __inet_lookup_skb which is ultimatelythe goal of bpf_sk_assign().

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53697 Severity: Low CVSS3 score: 2.3

Description: In the Linux kernel, the following vulnerability has been resolved:nvdimm: Fix memleak of pmu attr_groups in unregister_nvdimm_pmu()Memory pointed by 'nd_pmu->pmu.attr_groups' is allocated in function'register_nvdimm_pmu' and is lost after 'kfree(nd_pmu)' call in function'unregister_nvdimm_pmu'.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2023-53583 Severity: Moderate CVSS3 score: 0.0

Description: In the Linux kernel, the following vulnerability has been resolved:perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()Since commit 096b52fd2bb4 ("perf: RISC-V: throttle perf events") theperf_sample_event_took() function was added to report time spent inoverflow interrupts. If the interrupt takes too long, the perf frameworkwill lower the sysctl_perf_event_sample_rate and max_samples_per_tick.When hwc->interrupts is larger than max_samples_per_tick, thehwc->interrupts will be set to MAX_INTERRUPTS, and events will bethrottled within the __perf_event_account_interrupt() function.However, the RISC-V PMU driver doesn't call riscv_pmu_stop() to update thePERF_HES_STOPPED flag after perf_event_overflow() in pmu_sbi_ovf_handler()function to avoid throttling. When the perf framework unthrottled the eventin the timer interrupt handler, it triggers riscv_pmu_start() functionand causes a WARN_ON_ONCE() warning, as shown below: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 240 at drivers/perf/riscv_pmu.c:184 riscv_pmu_start+0x7c/0x8e Modules linked in: CPU: 0 PID: 240 Comm: ls Not tainted 6.4-rc4-g19d0788e9ef2 #1 Hardware name: SiFive (DT) epc : riscv_pmu_start+0x7c/0x8e ra : riscv_pmu_start+0x28/0x8e epc : ffffffff80aef864 ra : ffffffff80aef810 sp : ffff8f80004db6f0 gp : ffffffff81c83750 tp : ffffaf80069f9bc0 t0 : ffff8f80004db6c0 t1 : 0000000000000000 t2 : 000000000000001f s0 : ffff8f80004db720 s1 : ffffaf8008ca1068 a0 : 0000ffffffffffff a1 : 0000000000000000 a2 : 0000000000000001 a3 : 0000000000000870 a4 : 0000000000000000 a5 : 0000000000000000 a6 : 0000000000000840 a7 : 0000000000000030 s2 : 0000000000000000 s3 : ffffaf8005165800 s4 : ffffaf800424da00 s5 : ffffffffffffffff s6 : ffffffff81cc7590 s7 : 0000000000000000 s8 : 0000000000000006 s9 : 0000000000000001 s10: ffffaf807efbc340 s11: ffffaf807efbbf00 t3 : ffffaf8006a16028 t4 : 00000000dbfbb796 t5 : 0000000700000000 t6 : ffffaf8005269870 status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [] riscv_pmu_start+0x7c/0x8e [] perf_adjust_freq_unthr_context+0x15e/0x174 [] perf_event_task_tick+0x88/0x9c [] scheduler_tick+0xfe/0x27c [] update_process_times+0x9a/0xba [] tick_sched_handle+0x32/0x66 [] tick_sched_timer+0x64/0xb0 [] __hrtimer_run_queues+0x156/0x2f4 [] hrtimer_interrupt+0xe2/0x1fe [] riscv_timer_interrupt+0x38/0x42 [] handle_percpu_devid_irq+0x90/0x1d2 [] generic_handle_domain_irq+0x28/0x36After referring other PMU drivers like Arm, Loongarch, Csky, and Mips,they don't call *_pmu_stop() to update with PERF_HES_STOPPED flagafter perf_event_overflow() function nor do they add PERF_HES_STOPPEDflag checking in *_pmu_start() which don't cause this warning.Thus, it's recommended to remove this unnecessary check inriscv_pmu_start() function to prevent this warning.

Packages affected:

sle-module-public-cloud-release == 15.6 (version in image is 15.6-150600.37.2).
kernel-azure < 6.4.0-150600.8.55.1 (version in image is 6.4.0-150600.8.52.1).

CVE-2025-1149 Severity: Moderate CVSS3 score: 0.0

Description: A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1178 Severity: Moderate CVSS3 score: 0.0

Description: A vulnerability was found in GNU Binutils 2.43. It has been declared as problematic. Affected by this vulnerability is the function bfd_putl64 of the file libbfd.c of the component ld. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 75086e9de1707281172cc77f178e7949a4414ed0. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1179 Severity: Moderate CVSS3 score: 0.0

Description: A vulnerability was found in GNU Binutils 2.43. It has been rated as critical. Affected by this issue is the function bfd_putl64 of the file bfd/libbfd.c of the component ld. The manipulation leads to memory corruption. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. It is recommended to upgrade the affected component. The code maintainer explains, that "[t]his bug has been fixed at some point between the 2.43 and 2.44 releases".

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1181 Severity: Moderate CVSS3 score: 0.0

Description: A vulnerability classified as critical was found in GNU Binutils 2.43. This vulnerability affects the function _bfd_elf_gc_mark_rsec of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 931494c9a89558acb36a03a340c01726545eef24. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1148 Severity: Low CVSS3 score: 0.0

Description: A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1151 Severity: Low CVSS3 score: 0.0

Description: A vulnerability was found in GNU Binutils 2.43. It has been rated as problematic. This issue affects the function xmemdup of the file xmemdup.c of the component ld. The manipulation leads to memory leak. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1152 Severity: Low CVSS3 score: 0.0

Description: A vulnerability classified as problematic has been found in GNU Binutils 2.43. Affected is the function xstrdup of the file xstrdup.c of the component ld. The manipulation leads to memory leak. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1153 Severity: Low CVSS3 score: 0.0

Description: A vulnerability classified as problematic was found in GNU Binutils 2.43/2.44. Affected by this vulnerability is the function bfd_set_format of the file format.c. The manipulation leads to memory corruption. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 2.45 is able to address this issue. The identifier of the patch is 8d97c1a53f3dc9fd8e1ccdb039b8a33d50133150. It is recommended to upgrade the affected component.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1180 Severity: Low CVSS3 score: 0.0

Description: A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Packages affected:

sle-module-basesystem-release == 15.6 (version in image is 15.6-150600.37.2).
binutils < 2.45-150100.7.57.1 (version in image is 2.43-150100.7.52.1).

CVE-2025-1377 Severity: Low CVSS3 score: 0.0

Description: A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.

Packages affected:

sles-release == 15.6 (version in image is 15.6-150600.64.3.1).
elfutils > 0-0 (version in image is 0.185-150400.5.3.1).

CVE scan

Summary of CVEs affecting the image: