LSN-0116-1

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 24.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 22.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-azure - Linux kernel for Microsoft Azure Cloud systems
  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-ibm - Linux kernel for IBM cloud systems
  • linux-oracle - Linux kernel for Oracle Cloud systems

Details

In the Linux kernel, the following vulnerability has been
resolved: net: atlantic: eliminate double free in error handling logic.
The driver has a logic leak in ring data allocation/free, where aq_ring_free
could be called multiple times on the same ring if the system is under
stress and gets a memory allocation error. (CVE-2023-52664)

In the Linux kernel, the following vulnerability has been
resolved: sctp: properly validate chunk size in sctp_sf_ootb(). A size
validation fix similar to that in commit 50619dbf8db7 (“sctp: add size
validation when walking chunks”) is also required in sctp_sf_ootb() to
address a crash reported by syzbot:

  BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
   sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
   sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
   sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
   sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
   sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
   sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
   ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
   ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

(CVE-2024-50299)

In the Linux kernel, the following vulnerability has been
resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock
sources. The current USB-audio driver code doesn’t check bLength of each
descriptor when traversing for clock descriptors. (CVE-2024-53150)
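
The bLength check described in the CVE-2024-53150 entry above, as an added example that is not the kernel's or the advisory's code: a descriptor walk that validates each bLength before reading any field behind it. The function name, macro names and sample buffers are assumptions made for illustration; the field offsets follow the USB Audio Class 2.0 clock source descriptor layout.

```c
#include <stddef.h>
#include <stdint.h>

#define DT_CS_INTERFACE   0x24 /* class-specific interface descriptor type */
#define UAC2_CLOCK_SOURCE 0x0a /* UAC2 clock source subtype */
#define CLOCK_SOURCE_LEN  8    /* size of a UAC2 clock source descriptor */

/* Constructed sample data: AC header (9 bytes) followed by a clock source. */
static const uint8_t good[] = {
    0x09, 0x24, 0x01, 0x00, 0x02, 0x08, 0x11, 0x00, 0x00,
    0x08, 0x24, 0x0a, 0x29, 0x03, 0x07, 0x00, 0x00,
};
/* Constructed malformed inputs: bLength too small for the fields read,
 * bLength running past the buffer, and bLength of zero. */
static const uint8_t short_desc[] = { 0x03, 0x24, 0x0a };
static const uint8_t overrun[]    = { 0x08, 0x24, 0x0a, 0x29 };
static const uint8_t zero_len[]   = { 0x00, 0x24, 0x0a, 0x29, 0, 0, 0, 0 };

/*
 * Return the clock source descriptor with bClockID == id in buf[0..len),
 * or NULL if it is absent or the descriptor chain is malformed.
 */
const uint8_t *find_clock_source(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;

    while (len - off >= 2) {             /* room for bLength, bDescriptorType */
        const uint8_t *d = buf + off;
        size_t blen = d[0];
        if (blen < 2 || blen > len - off)
            return NULL;                 /* would not advance, or overruns buf */
        /* Read bDescriptorSubtype (offset 2) and bClockID (offset 3) only
         * when bLength says the whole clock source descriptor is present. */
        if (blen >= CLOCK_SOURCE_LEN && d[1] == DT_CS_INTERFACE &&
            d[2] == UAC2_CLOCK_SOURCE && d[3] == id)
            return d;
        off += blen;
    }
    return NULL;
}

int main(void)
{
    int ok = find_clock_source(good, sizeof good, 0x29) == good + 9 &&
             !find_clock_source(short_desc, sizeof short_desc, 0x29) &&
             !find_clock_source(overrun, sizeof overrun, 0x29) &&
             !find_clock_source(zero_len, sizeof zero_len, 0x29);
    return ok ? 0 : 1;
}
```

A walker without the two bLength checks would read past the 3-byte and 4-byte buffers and would never advance on the zero-length one.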

In the Linux kernel, the following vulnerability has been
resolved: ubifs: authentication: Fix use-after-free in
ubifs_tnc_end_commit. After an insertion in TNC, the tree might split and
cause a node to change its znode->parent. (CVE-2024-53171)

In the Linux kernel, the following vulnerability has been
resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update().
@ses is initialized to NULL. (CVE-2024-53217)

In the Linux kernel, the following vulnerability has been
resolved: padata: fix UAF in padata_reorder. A bug was found when running
the ltp test:

  BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
  Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
  CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
  Workqueue: pdecrypt_parallel padata_parallel_worker
  Call Trace:
   dump_stack_lvl+0x32/0x50
   print_address_description.constprop.0+0x6b/0x3d0
   print_report+0xdd/0x2c0
   kasan_report+0xa5/0xd0
   padata_find_next+0x29/0x1a0
   padata_reorder+0x131/0x220
   padata_parallel_worker+0x3d/0xc0
   process_one_work+0x2ec/0x5a0

If ‘mdelay(10)’ is added before calling ‘padata_find_next’ in the
‘padata_reorder’ function, this issue can be reproduced easily with the
ltp test (pcrypt_aead01). (CVE-2025-21727)

In the Linux kernel, the following vulnerability has been
resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del(). If an exiting non-autoreaping task has already
passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can
be reaped by its parent or debugger right after unlock_task_sighand().
(CVE-2025-38352)

Update instructions

The problem can be corrected by updating your kernel livepatch to the following
versions:

Ubuntu 20.04 LTS

  • aws - 116.1
  • azure - 116.1
  • gcp - 116.1
  • generic - 116.1
  • ibm - 116.1
  • lowlatency - 116.1
  • oracle - 116.1

Ubuntu 18.04 LTS

  • aws - 116.1
  • gcp - 116.1
  • generic - 116.1
  • lowlatency - 116.1
  • oracle - 116.1

Ubuntu 24.04 LTS

  • aws - 116.1
  • azure - 116.1
  • gcp - 116.1
  • generic - 116.1
  • ibm - 116.1
  • oracle - 116.1

Ubuntu 16.04 LTS

  • aws - 116.1
  • gcp - 116.1
  • generic - 116.1
  • lowlatency - 116.1

Ubuntu 22.04 LTS

  • aws - 116.1
  • azure - 116.1
  • gcp - 116.1
  • generic - 116.1
  • gke - 116.1
  • ibm - 116.1
  • oracle - 116.1

Ubuntu 14.04 LTS

  • generic - 116.1
  • lowlatency - 116.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for
a period of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on
an LTS kernel version will receive upgrades for a period of
up to 9 months after the build date of the kernel, or until the end
of support for that kernel’s non-LTS distro release version,
whichever is sooner.

References