Security update for the Linux Kernel SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20498-1 Final 1 1 2026-02-24T09:10:01Z current 2026-02-24T09:10:01Z 2026-02-24T09:10:01Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel The SUSE Linux Enterprise Micro 6.0 and Micro 6.1 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2023-54013: interconnect: Fix locking for runpm vs reclaim (bsc#1256280). - CVE-2025-38321: smb: Log an error when close_all_cached_dirs fails (bsc#1246328). - CVE-2025-38728: smb3: fix for slab out of bounds on mount to ksmbd (bsc#1249256). - CVE-2025-39880: libceph: fix invalid accesses to ceph_connection_v1_info (bsc#1250388). - CVE-2025-39890: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event (bsc#1250334). - CVE-2025-39977: futex: Prevent use-after-free during requeue-PI (bsc#1252046). - CVE-2025-40006: mm/hugetlb: fix folio is still mapped when deleted (bsc#1252342). - CVE-2025-40024: vhost: Take a reference on the task in struct vhost_task (bsc#1252686). - CVE-2025-40033: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() (bsc#1252824). - CVE-2025-40042: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (bsc#1252861). - CVE-2025-40053: net: dlink: handle copy_thresh allocation failure (bsc#1252808). - CVE-2025-40081: perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (bsc#1252776). - CVE-2025-40102: KVM: arm64: Prevent access to vCPU events before init (bsc#1252919). - CVE-2025-40123: bpf: Enforce expected_attach_type for tailcall compatibility (bsc#1253365). - CVE-2025-40134: dm: fix NULL pointer dereference in __dm_suspend() (bsc#1253386). - CVE-2025-40135: ipv6: use RCU in ip6_xmit() (bsc#1253342). - CVE-2025-40153: mm: hugetlb: avoid soft lockup when mprotect to large memory area (bsc#1253408). - CVE-2025-40158: ipv6: use RCU in ip6_output() (bsc#1253402). - CVE-2025-40160: xen/events: Cleanup find_virq() return codes (bsc#1253400). - CVE-2025-40167: ext4: detect invalid INLINE_DATA + EXTENTS flag combination (bsc#1253458). - CVE-2025-40170: net: use dst_dev_rcu() in sk_setup_caps() (bsc#1253413). - CVE-2025-40178: pid: Add a judgment for ns null in pid_nr_ns (bsc#1253463). - CVE-2025-40179: ext4: verify orphan file size is not too big (bsc#1253442). - CVE-2025-40187: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() (bsc#1253647). - CVE-2025-40190: ext4: guard against EA inode refcount underflow in xattr update (bsc#1253623). - CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959). - CVE-2025-40220: fuse: fix livelock in synchronous file put from fuseblk workers (bsc#1254520). - CVE-2025-40231: vsock: fix lock inversion in vsock_assign_transport() (bsc#1254815). - CVE-2025-40233: ocfs2: clear extent cache after moving/defragmenting extents (bsc#1254813). - CVE-2025-40238: net/mlx5: Fix IPsec cleanup over MPV device (bsc#1254871). - CVE-2025-40240: sctp: avoid NULL dereference when chunk data buffer is missing (bsc#1254869). - CVE-2025-40242: gfs2: Fix unlikely race in gdlm_put_lock (bsc#1255075). - CVE-2025-40248: vsock: Ignore signal/timeout on connect() if already established (bsc#1254864). - CVE-2025-40250: net/mlx5: Clean up only new IRQ glue on request_irq() failure (bsc#1254854). - CVE-2025-40251: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (bsc#1254856). - CVE-2025-40252: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() (bsc#1254849). - CVE-2025-40254: net: openvswitch: remove never-working support for setting nsh fields (bsc#1254852). - CVE-2025-40257: mptcp: fix a race in mptcp_pm_del_add_timer() (bsc#1254842). - CVE-2025-40258: mptcp: fix race condition in mptcp_schedule_work() (bsc#1254843). - CVE-2025-40259: scsi: sg: Do not sleep in atomic context (bsc#1254845). - CVE-2025-40261: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (bsc#1254839). - CVE-2025-40264: be2net: pass wrb_params in case of OS2BMC (bsc#1254835). - CVE-2025-40268: cifs: client: fix memory leak in smb3_fs_context_parse_param (bsc#1255082). - CVE-2025-40271: fs/proc: fix uaf in proc_readdir_de() (bsc#1255297). - CVE-2025-40274: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying (bsc#1254830). - CVE-2025-40278: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak (bsc#1254825). - CVE-2025-40279: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak (bsc#1254846). - CVE-2025-40280: tipc: Fix use-after-free in tipc_mon_reinit_self() (bsc#1254847). - CVE-2025-40287: exfat: fix improper check of dentry.stream.valid_size (bsc#1255030). - CVE-2025-40289: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM (bsc#1255042). - CVE-2025-40292: virtio-net: fix received length check in big packets (bsc#1255175). - CVE-2025-40293: iommufd: Don't overflow during division for dirty tracking (bsc#1255179). - CVE-2025-40297: net: bridge: fix use-after-free due to MST port state bypass (bsc#1255187). - CVE-2025-40307: exfat: validate cluster allocation bits of the allocation bitmap (bsc#1255039). - CVE-2025-40319: bpf: Sync pending IRQ work before freeing ring buffer (bsc#1254794). - CVE-2025-40328: smb: client: fix potential UAF in smb2_close_cached_fid() (bsc#1254624). - CVE-2025-40331: sctp: Prevent TOCTOU out-of-bounds write (bsc#1254615). - CVE-2025-40337: net: stmmac: Correctly handle Rx checksum offload errors (bsc#1255081). - CVE-2025-40338: ASoC: Intel: avs: Do not share the name pointer between components (bsc#1255273). - CVE-2025-40339: drm/amdgpu: fix nullptr err of vm_handle_moved (bsc#1255428). - CVE-2025-40346: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() (bsc#1255318). - CVE-2025-40350: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ (bsc#1255260). - CVE-2025-40355: sysfs: check visibility before changing group attribute ownership (bsc#1255261). - CVE-2025-40360: drm/sysfb: Do not dereference NULL pointer in plane reset (bsc#1255095). - CVE-2025-40363: net: ipv6: fix field-spanning memcpy warning in AH output (bsc#1255102). - CVE-2025-68171: x86/fpu: Ensure XFD state on signal delivery (bsc#1255255). - CVE-2025-68174: amd/amdkfd: enhance kfd process check in switch partition (bsc#1255327). - CVE-2025-68178: blk-cgroup: fix possible deadlock while configuring policy (bsc#1255266). - CVE-2025-68188: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() (bsc#1255269). - CVE-2025-68190: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() (bsc#1255131). - CVE-2025-68200: bpf: Add bpf_prog_run_data_pointers() (bsc#1255241). - CVE-2025-68201: drm/amdgpu: remove two invalid BUG_ON()s (bsc#1255136). - CVE-2025-68204: pmdomain: arm: scmi: Fix genpd leak on provider registration failure (bsc#1255224). - CVE-2025-68206: netfilter: nft_ct: add seqadj extension for natted connections (bsc#1255142). - CVE-2025-68208: bpf: account for current allocated stack depth in widen_imprecise_scalars() (bsc#1255227). - CVE-2025-68209: mlx5: Fix default values in create CQ (bsc#1255230). - CVE-2025-68227: mptcp: Fix proto fallback detection with BPF (bsc#1255216). - CVE-2025-68230: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough (bsc#1255134). - CVE-2025-68239: binfmt_misc: restore write access before closing files opened by open_exec() (bsc#1255272). - CVE-2025-68241: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (bsc#1255157). - CVE-2025-68245: net: netpoll: fix incorrect refcount handling causing incorrect cleanup (bsc#1255268). - CVE-2025-68255: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing (bsc#1255395). - CVE-2025-68259: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (bsc#1255199). - CVE-2025-68261: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() (bsc#1255164). - CVE-2025-68264: ext4: refresh inline data size before write operations (bsc#1255380). - CVE-2025-68284: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() (bsc#1255377). - CVE-2025-68285: libceph: fix potential use-after-free in have_mon_and_osd_map() (bsc#1255401). - CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup (bsc#1255128). - CVE-2025-68297: ceph: fix crash in process_v2_sparse_read() for encrypted directories (bsc#1255403). - CVE-2025-68301: net: atlantic: fix fragment overflow handling in RX path (bsc#1255120). - CVE-2025-68320: lan966x: Fix sleeping in atomic context (bsc#1255172). - CVE-2025-68325: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (bsc#1255417). - CVE-2025-68327: usb: renesas_usbhs: Fix synchronous external abort on unbind (bsc#1255488). - CVE-2025-68337: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted (bsc#1255482). - CVE-2025-68340: team: Move team device type change at the end of team_port_add (bsc#1255507). - CVE-2025-68349: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (bsc#1255544). - CVE-2025-68363: bpf: Check skb->transport_header is set in bpf_skb_check_mtu (bsc#1255552). - CVE-2025-68365: fs/ntfs3: Initialize allocated memory before use (bsc#1255548). - CVE-2025-68366: nbd: defer config unlock in nbd_genl_connect (bsc#1255622). - CVE-2025-68367: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse (bsc#1255547). - CVE-2025-68372: nbd: defer config put in recv_work (bsc#1255537). - CVE-2025-68378: bpf: Refactor stack map trace depth calculation into helper function (bsc#1255614). - CVE-2025-68379: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure (bsc#1255695). - CVE-2025-68727: ntfs3: Fix uninit buffer allocated by __getname() (bsc#1255568). - CVE-2025-68728: ntfs3: fix uninit memory after failed mi_read in mi_format_new (bsc#1255539). - CVE-2025-68733: smack: fix bug: unprivileged task can create labels (bsc#1255615). - CVE-2025-68742: bpf: Improve program stats run-time calculation (bsc#1255707). - CVE-2025-68744: bpf: Free special fields when update [lru_,]percpu_hash maps (bsc#1255709). - CVE-2025-68764: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags (bsc#1255930). - CVE-2025-68768: inet: frags: add inet_frag_queue_flush() (bsc#1256579). - CVE-2025-68770: bnxt_en: Fix XDP_TX path (bsc#1256584). - CVE-2025-68771: ocfs2: fix kernel BUG in ocfs2_find_victim_chain (bsc#1256582). - CVE-2025-68775: net/handshake: duplicate handshake cancellations leak socket (bsc#1256665). - CVE-2025-68776: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() (bsc#1256659). - CVE-2025-68788: fsnotify: do not generate ACCESS/MODIFY events on child for special files (bsc#1256638). - CVE-2025-68795: ethtool: Avoid overflowing userspace buffer on stats query (bsc#1256688). - CVE-2025-68798: perf/x86/amd: Check event before enable to avoid GPF (bsc#1256689). - CVE-2025-68800: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats (bsc#1256646). - CVE-2025-68801: mlxsw: spectrum_router: Fix neighbour use-after-free (bsc#1256653). - CVE-2025-68803: nfsd: set security label during create operations (bsc#1256770). - CVE-2025-68813: ipvs: fix ipv4 null-ptr-deref in route error path (bsc#1256641). - CVE-2025-68814: io_uring: fix filename leak in __io_openat_prep() (bsc#1256651). - CVE-2025-68815: net/sched: ets: Remove drr class from the active list if it changes to strict (bsc#1256680). - CVE-2025-68816: net/mlx5: fw_tracer, Validate format string parameters (bsc#1256674). - CVE-2025-68820: ext4: xattr: fix null pointer deref in ext4_raw_inode() (bsc#1256754). - CVE-2025-71064: net: hns3: using the num_tqps in the vf driver to apply for resources (bsc#1256654). - CVE-2025-71066: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (bsc#1256645). - CVE-2025-71077: tpm: Cap the number of PCR banks (bsc#1256613). - CVE-2025-71084: RDMA/cm: Fix leaking the multicast GID table reference (bsc#1256622). - CVE-2025-71085: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (bsc#1256623). - CVE-2025-71087: iavf: fix off-by-one issues in iavf_config_rss_reg() (bsc#1256628). - CVE-2025-71088: mptcp: fallback earlier on simult connection (bsc#1256630). - CVE-2025-71089: iommu: disable SVA when CONFIG_X86 is set (bsc#1256612). - CVE-2025-71091: team: fix check for port enabled in team_queue_override_port_prio_changed() (bsc#1256773). - CVE-2025-71093: e1000: fix OOB in e1000_tbi_should_accept() (bsc#1256777). - CVE-2025-71094: net: usb: asix: ax88772: Increase phy_name size (bsc#1256597). - CVE-2025-71095: net: stmmac: fix the crash issue for zero copy XDP_TX action (bsc#1256605). - CVE-2025-71096: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly (bsc#1256606). - CVE-2025-71097: ipv4: Fix reference count leak when using error routes with nexthop objects (bsc#1256607). - CVE-2025-71098: ip6_gre: make ip6gre_header() robust (bsc#1256591). - CVE-2025-71112: net: hns3: add VLAN id validation before using (bsc#1256726). - CVE-2025-71116: libceph: make decode_pool() more resilient against corrupted osdmaps (bsc#1256744). - CVE-2025-71120: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (bsc#1256779). - CVE-2025-71123: ext4: fix string copying in parse_apply_sb_mount_options() (bsc#1256757). - CVE-2025-71133: RDMA/irdma: avoid invalid read in irdma_net_event (bsc#1256733). - CVE-2025-71135: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() (bsc#1256761). - CVE-2025-71137: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (bsc#1256760). - CVE-2025-71149: io_uring/poll: correctly handle io_poll_add() return value on update (bsc#1257164). - CVE-2026-22976: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (bsc#1257035). - CVE-2026-22977: net: sock: fix hardened usercopy panic in sock_recv_errqueue (bsc#1257053). - CVE-2026-22984: libceph: prevent potential out-of-bounds reads in handle_auth_done() (bsc#1257217). - CVE-2026-22990: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (bsc#1257221). - CVE-2026-22991: libceph: make free_choose_arg_map() resilient to partial allocation (bsc#1257220). - CVE-2026-22992: libceph: return the handler error from mon_handle_auth_done() (bsc#1257218). - CVE-2026-22993: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations (bsc#1257180). - CVE-2026-22996: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv. - CVE-2026-22999: net/sched: sch_qfq: do not free existing class in qfq_change_class() (bsc#1257236). - CVE-2026-23000: net/mlx5e: Fix crash on profile change rollback failure (bsc#1257234). - CVE-2026-23001: macvlan: fix possible UAF in macvlan_forward_source() (bsc#1257232). - CVE-2026-23005: x86/fpu: Clear XSTATE_BV in guest XSAVE state whenever XFD[i]=1 (bsc#1257245). - CVE-2026-23010: ipv6: Fix use-after-free in inet6_addr_del() (bsc#1257332). - CVE-2026-23011: ipv4: ip_gre: make ipgre_header() robust (bsc#1257207). The following non security issues were fixed: - ALSA: usb-audio: Update for native DSD support quirks (stable-fixes). - Disable CONFIG_CPU5_WDT The cpu5wdt driver doesn't implement a proper watchdog interface and has many code issues. It only handles obscure and obsolete hardware. Stop building and supporting this driver (jsc#PED-14062). - Update config files (jsc#PED-12554 jsc#PED-6996 bsc#1243677 ltc#213602 bsc#1243678 ltc#213596) CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y - Update config files: disable CONFIG_DEVPORT for arm64 (bsc#1256792) - bpf/selftests: test_select_reuseport_kern: Remove unused header (bsc#1257603). - bpf: Do not let BPF test infra emit invalid GSO types to stack (bsc#1255569). - cifs: Fix copy offload to flush destination region (bsc#1252511). - cifs: Fix flushing, invalidation and file size with copy_file_range() (bsc#1252511). - cifs: Fix uncached read into ITER_KVEC iterator (bsc#1245449). - cifs: make cifs_chan_update_iface() a void function (git-fixes). - cifs: update dstaddr whenever channel iface is updated (git-fixes). - cpuidle: menu: Use residency threshold in polling state override decisions (bsc#1255026). - dm: fix queue start/stop imbalance under suspend/load/resume races (bsc#1253386) - drm/amdgpu: update mappings not managed by KFD (bsc#1255428) - ext4: use optimized mballoc scanning regardless of inode format (bsc#1254378). - ext4: wait for ongoing I/O to complete before freeing blocks (bsc#1256366). - fs: dlm: allow to F_SETLKW getting interrupted (bsc#1255025). - ice: use netif_get_num_default_rss_queues() (bsc#1247712). - media: atomisp: Prefix firmware paths with "intel/ipu/" (bsc#1252973). - media: atomisp: Remove firmware_name module parameter (bsc#1252973). - mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations (bsc#1254447 bsc#1253087). - net: hv_netvsc: reject RSS hash key programming without RX indirection table (bsc#1257473). - net: tcp: allow zero-window ACK update the window (bsc#1254767). - net: usb: pegasus: fix memory leak in update_eth_regs_async() (git-fixes). - powerpc/addnote: Fix overflow on 32-bit builds (bsc#1215199). - powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling (bsc#1253262 ltc#216029). - powerpc/kexec: Enable SMT before waking offline CPUs (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588 git-fixes bsc#1253739 ltc#211493 bsc#1254244 ltc#216496). - sched: Increase sched_tick_remote timeout (bsc#1254510). - scsi: lpfc: Add capability to register Platform Name ID to fabric (bsc#1254119). - scsi: lpfc: Allow support for BB credit recovery in point-to-point topology (bsc#1254119). - scsi: lpfc: Ensure unregistration of rpis for received PLOGIs (bsc#1254119). - scsi: lpfc: Fix leaked ndlp krefs when in point-to-point topology (bsc#1254119). - scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI (bsc#1254119). - scsi: lpfc: Modify kref handling for Fabric Controller ndlps (bsc#1254119). - scsi: lpfc: Remove redundant NULL ptr assignment in lpfc_els_free_iocb() (bsc#1254119). - scsi: lpfc: Revise discovery related function headers and comments (bsc#1254119). - scsi: lpfc: Rework lpfc_sli4_fcf_rr_next_index_get() (bsc#1256861). - scsi: lpfc: Update lpfc version to 14.4.0.12 (bsc#1254119). - scsi: lpfc: Update lpfc version to 14.4.0.13 (bsc#1256861). - scsi: lpfc: Update various NPIV diagnostic log messaging (bsc#1254119). - scsi: qla2xxx: Add Speed in SFP print information (bsc#1256863). - scsi: qla2xxx: Add bsg interface to support firmware img validation (bsc#1256863). - scsi: qla2xxx: Add load flash firmware mailbox support for 28xxx (bsc#1256863). - scsi: qla2xxx: Add support for 64G SFP speed (bsc#1256863). - scsi: qla2xxx: Allow recovery for tape devices (bsc#1256863). - scsi: qla2xxx: Delay module unload while fabric scan in progress (bsc#1256863). - scsi: qla2xxx: Fix bsg_done() causing double free (bsc#1256863). - scsi: qla2xxx: Free sp in error path to fix system crash (bsc#1256863). - scsi: qla2xxx: Query FW again before proceeding with login (bsc#1256863). - scsi: qla2xxx: Update version to 10.02.10.100-k (bsc#1256863). - scsi: qla2xxx: Validate MCU signature before executing MBC 03h (bsc#1256863). - scsi: qla2xxx: Validate sp before freeing associated memory (bsc#1256863). - scsi: storvsc: Process unsupported MODE_SENSE_10 (bsc#1257296). - smb: client: split cached_fid bitfields to avoid shared-byte RMW races (bsc#1250748,bsc#1257154). - smb: client: update cfid->last_access_time in open_cached_dir_by_dentry() (git-fixes). - smb: improve directory cache reuse for readdir operations (bsc#1252712). - soc/tegra: fuse: speedo-tegra210: Update speedo IDs (git-fixes). - spi: tegra210-quad: Check hardware status on timeout (bsc#1253155) - spi: tegra210-quad: Fix timeout handling (bsc#1253155) - spi: tegra210-quad: Refactor error handling into helper functions (bsc#1253155) - spi: tegra210-quad: Update dummy sequence configuration (git-fixes) - supported.conf: Mark lan 743x supported (jsc#PED-14571) - tracing: Fix access to trace_event_file (bsc#1254373). - wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() (git-fixes). - x86/microcode/AMD: Add TSA microcode SHAs (bsc#1256528). - x86/microcode/AMD: Add Zen5 model 0x44, stepping 0x1 minrev (bsc#1256528). - x86/microcode/AMD: Add more known models to entry sign checking (bsc#1256528). - x86/microcode/AMD: Add some forgotten models to the SHA check (bsc#1256528). - x86/microcode/AMD: Clean the cache if update did not load microcode (bsc#1256528). - x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches (bsc#1256528). - x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo (bsc#1256528). - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value (bsc#1256528). - x86/microcode/AMD: Limit Entrysign signature checking to known generations (bsc#1256528). - x86/microcode/AMD: Load only SHA256-checksummed patches (bsc#1256528). - x86/microcode/AMD: Select which microcode patch to load (bsc#1256528). - x86/microcode/AMD: Use sha256() instead of init/update/final (bsc#1256528). - x86/microcode: Fix Entrysign revision check for Zen1/Naples (bsc#1256528). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-kernel-281 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ Link for SUSE-SU-2026:20498-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024476.html E-Mail link for SUSE-SU-2026:20498-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1012628 SUSE Bug 1012628 https://bugzilla.suse.com/1065729 SUSE Bug 1065729 https://bugzilla.suse.com/1194869 SUSE Bug 1194869 https://bugzilla.suse.com/1205462 SUSE Bug 1205462 https://bugzilla.suse.com/1214285 SUSE Bug 1214285 https://bugzilla.suse.com/1214635 SUSE Bug 1214635 https://bugzilla.suse.com/1214847 SUSE Bug 1214847 https://bugzilla.suse.com/1215146 SUSE Bug 1215146 https://bugzilla.suse.com/1215199 SUSE Bug 1215199 https://bugzilla.suse.com/1215211 SUSE Bug 1215211 https://bugzilla.suse.com/1215344 SUSE Bug 1215344 https://bugzilla.suse.com/1216062 SUSE Bug 1216062 https://bugzilla.suse.com/1216436 SUSE Bug 1216436 https://bugzilla.suse.com/1219165 SUSE Bug 1219165 https://bugzilla.suse.com/1220419 SUSE Bug 1220419 https://bugzilla.suse.com/1223731 SUSE Bug 1223731 https://bugzilla.suse.com/1223800 SUSE Bug 1223800 https://bugzilla.suse.com/1228490 SUSE Bug 1228490 https://bugzilla.suse.com/1233563 SUSE Bug 1233563 https://bugzilla.suse.com/1234163 SUSE Bug 1234163 https://bugzilla.suse.com/1234842 SUSE Bug 1234842 https://bugzilla.suse.com/1241437 SUSE Bug 1241437 https://bugzilla.suse.com/1242909 SUSE Bug 1242909 https://bugzilla.suse.com/1243677 SUSE Bug 1243677 https://bugzilla.suse.com/1243678 SUSE Bug 1243678 https://bugzilla.suse.com/1245193 SUSE Bug 1245193 https://bugzilla.suse.com/1245449 SUSE Bug 1245449 https://bugzilla.suse.com/1246184 SUSE Bug 1246184 https://bugzilla.suse.com/1246328 SUSE Bug 1246328 https://bugzilla.suse.com/1246447 SUSE Bug 1246447 https://bugzilla.suse.com/1247030 SUSE Bug 1247030 https://bugzilla.suse.com/1247500 SUSE Bug 1247500 https://bugzilla.suse.com/1247712 SUSE Bug 1247712 https://bugzilla.suse.com/1248211 SUSE Bug 1248211 https://bugzilla.suse.com/1248886 SUSE Bug 1248886 https://bugzilla.suse.com/1249256 SUSE Bug 1249256 https://bugzilla.suse.com/1249307 SUSE Bug 1249307 https://bugzilla.suse.com/1250032 SUSE Bug 1250032 https://bugzilla.suse.com/1250082 SUSE Bug 1250082 https://bugzilla.suse.com/1250334 SUSE Bug 1250334 https://bugzilla.suse.com/1250388 SUSE Bug 1250388 https://bugzilla.suse.com/1250705 SUSE Bug 1250705 https://bugzilla.suse.com/1250748 SUSE Bug 1250748 https://bugzilla.suse.com/1252046 SUSE Bug 1252046 https://bugzilla.suse.com/1252342 SUSE Bug 1252342 https://bugzilla.suse.com/1252511 SUSE Bug 1252511 https://bugzilla.suse.com/1252686 SUSE Bug 1252686 https://bugzilla.suse.com/1252712 SUSE Bug 1252712 https://bugzilla.suse.com/1252776 SUSE Bug 1252776 https://bugzilla.suse.com/1252808 SUSE Bug 1252808 https://bugzilla.suse.com/1252824 SUSE Bug 1252824 https://bugzilla.suse.com/1252861 SUSE Bug 1252861 https://bugzilla.suse.com/1252891 SUSE Bug 1252891 https://bugzilla.suse.com/1252900 SUSE Bug 1252900 https://bugzilla.suse.com/1252919 SUSE Bug 1252919 https://bugzilla.suse.com/1252973 SUSE Bug 1252973 https://bugzilla.suse.com/1253087 SUSE Bug 1253087 https://bugzilla.suse.com/1253155 SUSE Bug 1253155 https://bugzilla.suse.com/1253262 SUSE Bug 1253262 https://bugzilla.suse.com/1253342 SUSE Bug 1253342 https://bugzilla.suse.com/1253365 SUSE Bug 1253365 https://bugzilla.suse.com/1253386 SUSE Bug 1253386 https://bugzilla.suse.com/1253400 SUSE Bug 1253400 https://bugzilla.suse.com/1253402 SUSE Bug 1253402 https://bugzilla.suse.com/1253408 SUSE Bug 1253408 https://bugzilla.suse.com/1253413 SUSE Bug 1253413 https://bugzilla.suse.com/1253442 SUSE Bug 1253442 https://bugzilla.suse.com/1253451 SUSE Bug 1253451 https://bugzilla.suse.com/1253458 SUSE Bug 1253458 https://bugzilla.suse.com/1253463 SUSE Bug 1253463 https://bugzilla.suse.com/1253623 SUSE Bug 1253623 https://bugzilla.suse.com/1253647 SUSE Bug 1253647 https://bugzilla.suse.com/1253739 SUSE Bug 1253739 https://bugzilla.suse.com/1254119 SUSE Bug 1254119 https://bugzilla.suse.com/1254126 SUSE Bug 1254126 https://bugzilla.suse.com/1254244 SUSE Bug 1254244 https://bugzilla.suse.com/1254373 SUSE Bug 1254373 https://bugzilla.suse.com/1254378 SUSE Bug 1254378 https://bugzilla.suse.com/1254447 SUSE Bug 1254447 https://bugzilla.suse.com/1254465 SUSE Bug 1254465 https://bugzilla.suse.com/1254510 SUSE Bug 1254510 https://bugzilla.suse.com/1254518 SUSE Bug 1254518 https://bugzilla.suse.com/1254520 SUSE Bug 1254520 https://bugzilla.suse.com/1254599 SUSE Bug 1254599 https://bugzilla.suse.com/1254606 SUSE Bug 1254606 https://bugzilla.suse.com/1254611 SUSE Bug 1254611 https://bugzilla.suse.com/1254613 SUSE Bug 1254613 https://bugzilla.suse.com/1254615 SUSE Bug 1254615 https://bugzilla.suse.com/1254621 SUSE Bug 1254621 https://bugzilla.suse.com/1254623 SUSE Bug 1254623 https://bugzilla.suse.com/1254624 SUSE Bug 1254624 https://bugzilla.suse.com/1254626 SUSE Bug 1254626 https://bugzilla.suse.com/1254648 SUSE Bug 1254648 https://bugzilla.suse.com/1254649 SUSE Bug 1254649 https://bugzilla.suse.com/1254653 SUSE Bug 1254653 https://bugzilla.suse.com/1254655 SUSE Bug 1254655 https://bugzilla.suse.com/1254657 SUSE Bug 1254657 https://bugzilla.suse.com/1254660 SUSE Bug 1254660 https://bugzilla.suse.com/1254661 SUSE Bug 1254661 https://bugzilla.suse.com/1254663 SUSE Bug 1254663 https://bugzilla.suse.com/1254669 SUSE Bug 1254669 https://bugzilla.suse.com/1254677 SUSE Bug 1254677 https://bugzilla.suse.com/1254678 SUSE Bug 1254678 https://bugzilla.suse.com/1254688 SUSE Bug 1254688 https://bugzilla.suse.com/1254690 SUSE Bug 1254690 https://bugzilla.suse.com/1254691 SUSE Bug 1254691 https://bugzilla.suse.com/1254693 SUSE Bug 1254693 https://bugzilla.suse.com/1254695 SUSE Bug 1254695 https://bugzilla.suse.com/1254698 SUSE Bug 1254698 https://bugzilla.suse.com/1254701 SUSE Bug 1254701 https://bugzilla.suse.com/1254704 SUSE Bug 1254704 https://bugzilla.suse.com/1254705 SUSE Bug 1254705 https://bugzilla.suse.com/1254707 SUSE Bug 1254707 https://bugzilla.suse.com/1254712 SUSE Bug 1254712 https://bugzilla.suse.com/1254715 SUSE Bug 1254715 https://bugzilla.suse.com/1254717 SUSE Bug 1254717 https://bugzilla.suse.com/1254723 SUSE Bug 1254723 https://bugzilla.suse.com/1254724 SUSE Bug 1254724 https://bugzilla.suse.com/1254732 SUSE Bug 1254732 https://bugzilla.suse.com/1254733 SUSE Bug 1254733 https://bugzilla.suse.com/1254737 SUSE Bug 1254737 https://bugzilla.suse.com/1254739 SUSE Bug 1254739 https://bugzilla.suse.com/1254742 SUSE Bug 1254742 https://bugzilla.suse.com/1254743 SUSE Bug 1254743 https://bugzilla.suse.com/1254749 SUSE Bug 1254749 https://bugzilla.suse.com/1254750 SUSE Bug 1254750 https://bugzilla.suse.com/1254753 SUSE Bug 1254753 https://bugzilla.suse.com/1254754 SUSE Bug 1254754 https://bugzilla.suse.com/1254758 SUSE Bug 1254758 https://bugzilla.suse.com/1254761 SUSE Bug 1254761 https://bugzilla.suse.com/1254762 SUSE Bug 1254762 https://bugzilla.suse.com/1254765 SUSE Bug 1254765 https://bugzilla.suse.com/1254767 SUSE Bug 1254767 https://bugzilla.suse.com/1254782 SUSE Bug 1254782 https://bugzilla.suse.com/1254791 SUSE Bug 1254791 https://bugzilla.suse.com/1254793 SUSE Bug 1254793 https://bugzilla.suse.com/1254794 SUSE Bug 1254794 https://bugzilla.suse.com/1254795 SUSE Bug 1254795 https://bugzilla.suse.com/1254796 SUSE Bug 1254796 https://bugzilla.suse.com/1254797 SUSE Bug 1254797 https://bugzilla.suse.com/1254798 SUSE Bug 1254798 https://bugzilla.suse.com/1254813 SUSE Bug 1254813 https://bugzilla.suse.com/1254815 SUSE Bug 1254815 https://bugzilla.suse.com/1254825 SUSE Bug 1254825 https://bugzilla.suse.com/1254828 SUSE Bug 1254828 https://bugzilla.suse.com/1254829 SUSE Bug 1254829 https://bugzilla.suse.com/1254830 SUSE Bug 1254830 https://bugzilla.suse.com/1254832 SUSE Bug 1254832 https://bugzilla.suse.com/1254835 SUSE Bug 1254835 https://bugzilla.suse.com/1254839 SUSE Bug 1254839 https://bugzilla.suse.com/1254840 SUSE Bug 1254840 https://bugzilla.suse.com/1254842 SUSE Bug 1254842 https://bugzilla.suse.com/1254843 SUSE Bug 1254843 https://bugzilla.suse.com/1254845 SUSE Bug 1254845 https://bugzilla.suse.com/1254846 SUSE Bug 1254846 https://bugzilla.suse.com/1254847 SUSE Bug 1254847 https://bugzilla.suse.com/1254849 SUSE Bug 1254849 https://bugzilla.suse.com/1254850 SUSE Bug 1254850 https://bugzilla.suse.com/1254851 SUSE Bug 1254851 https://bugzilla.suse.com/1254852 SUSE Bug 1254852 https://bugzilla.suse.com/1254854 SUSE Bug 1254854 https://bugzilla.suse.com/1254856 SUSE Bug 1254856 https://bugzilla.suse.com/1254858 SUSE Bug 1254858 https://bugzilla.suse.com/1254860 SUSE Bug 1254860 https://bugzilla.suse.com/1254864 SUSE Bug 1254864 https://bugzilla.suse.com/1254869 SUSE Bug 1254869 https://bugzilla.suse.com/1254871 SUSE Bug 1254871 https://bugzilla.suse.com/1254894 SUSE Bug 1254894 https://bugzilla.suse.com/1254918 SUSE Bug 1254918 https://bugzilla.suse.com/1254957 SUSE Bug 1254957 https://bugzilla.suse.com/1254959 SUSE Bug 1254959 https://bugzilla.suse.com/1254983 SUSE Bug 1254983 https://bugzilla.suse.com/1255005 SUSE Bug 1255005 https://bugzilla.suse.com/1255009 SUSE Bug 1255009 https://bugzilla.suse.com/1255025 SUSE Bug 1255025 https://bugzilla.suse.com/1255026 SUSE Bug 1255026 https://bugzilla.suse.com/1255030 SUSE Bug 1255030 https://bugzilla.suse.com/1255033 SUSE Bug 1255033 https://bugzilla.suse.com/1255034 SUSE Bug 1255034 https://bugzilla.suse.com/1255035 SUSE Bug 1255035 https://bugzilla.suse.com/1255039 SUSE Bug 1255039 https://bugzilla.suse.com/1255041 SUSE Bug 1255041 https://bugzilla.suse.com/1255042 SUSE Bug 1255042 https://bugzilla.suse.com/1255046 SUSE Bug 1255046 https://bugzilla.suse.com/1255057 SUSE Bug 1255057 https://bugzilla.suse.com/1255062 SUSE Bug 1255062 https://bugzilla.suse.com/1255064 SUSE Bug 1255064 https://bugzilla.suse.com/1255065 SUSE Bug 1255065 https://bugzilla.suse.com/1255068 SUSE Bug 1255068 https://bugzilla.suse.com/1255072 SUSE Bug 1255072 https://bugzilla.suse.com/1255075 SUSE Bug 1255075 https://bugzilla.suse.com/1255077 SUSE Bug 1255077 https://bugzilla.suse.com/1255081 SUSE Bug 1255081 https://bugzilla.suse.com/1255082 SUSE Bug 1255082 https://bugzilla.suse.com/1255083 SUSE Bug 1255083 https://bugzilla.suse.com/1255092 SUSE Bug 1255092 https://bugzilla.suse.com/1255094 SUSE Bug 1255094 https://bugzilla.suse.com/1255095 SUSE Bug 1255095 https://bugzilla.suse.com/1255100 SUSE Bug 1255100 https://bugzilla.suse.com/1255102 SUSE Bug 1255102 https://bugzilla.suse.com/1255120 SUSE Bug 1255120 https://bugzilla.suse.com/1255122 SUSE Bug 1255122 https://bugzilla.suse.com/1255128 SUSE Bug 1255128 https://bugzilla.suse.com/1255131 SUSE Bug 1255131 https://bugzilla.suse.com/1255134 SUSE Bug 1255134 https://bugzilla.suse.com/1255135 SUSE Bug 1255135 https://bugzilla.suse.com/1255136 SUSE Bug 1255136 https://bugzilla.suse.com/1255138 SUSE Bug 1255138 https://bugzilla.suse.com/1255140 SUSE Bug 1255140 https://bugzilla.suse.com/1255142 SUSE Bug 1255142 https://bugzilla.suse.com/1255146 SUSE Bug 1255146 https://bugzilla.suse.com/1255149 SUSE Bug 1255149 https://bugzilla.suse.com/1255152 SUSE Bug 1255152 https://bugzilla.suse.com/1255154 SUSE Bug 1255154 https://bugzilla.suse.com/1255155 SUSE Bug 1255155 https://bugzilla.suse.com/1255157 SUSE Bug 1255157 https://bugzilla.suse.com/1255163 SUSE Bug 1255163 https://bugzilla.suse.com/1255164 SUSE Bug 1255164 https://bugzilla.suse.com/1255167 SUSE Bug 1255167 https://bugzilla.suse.com/1255169 SUSE Bug 1255169 https://bugzilla.suse.com/1255171 SUSE Bug 1255171 https://bugzilla.suse.com/1255172 SUSE Bug 1255172 https://bugzilla.suse.com/1255175 SUSE Bug 1255175 https://bugzilla.suse.com/1255179 SUSE Bug 1255179 https://bugzilla.suse.com/1255182 SUSE Bug 1255182 https://bugzilla.suse.com/1255187 SUSE Bug 1255187 https://bugzilla.suse.com/1255190 SUSE Bug 1255190 https://bugzilla.suse.com/1255193 SUSE Bug 1255193 https://bugzilla.suse.com/1255197 SUSE Bug 1255197 https://bugzilla.suse.com/1255199 SUSE Bug 1255199 https://bugzilla.suse.com/1255202 SUSE Bug 1255202 https://bugzilla.suse.com/1255203 SUSE Bug 1255203 https://bugzilla.suse.com/1255206 SUSE Bug 1255206 https://bugzilla.suse.com/1255209 SUSE Bug 1255209 https://bugzilla.suse.com/1255216 SUSE Bug 1255216 https://bugzilla.suse.com/1255218 SUSE Bug 1255218 https://bugzilla.suse.com/1255221 SUSE Bug 1255221 https://bugzilla.suse.com/1255224 SUSE Bug 1255224 https://bugzilla.suse.com/1255227 SUSE Bug 1255227 https://bugzilla.suse.com/1255230 SUSE Bug 1255230 https://bugzilla.suse.com/1255233 SUSE Bug 1255233 https://bugzilla.suse.com/1255241 SUSE Bug 1255241 https://bugzilla.suse.com/1255245 SUSE Bug 1255245 https://bugzilla.suse.com/1255246 SUSE Bug 1255246 https://bugzilla.suse.com/1255251 SUSE Bug 1255251 https://bugzilla.suse.com/1255252 SUSE Bug 1255252 https://bugzilla.suse.com/1255253 SUSE Bug 1255253 https://bugzilla.suse.com/1255255 SUSE Bug 1255255 https://bugzilla.suse.com/1255259 SUSE Bug 1255259 https://bugzilla.suse.com/1255260 SUSE Bug 1255260 https://bugzilla.suse.com/1255261 SUSE Bug 1255261 https://bugzilla.suse.com/1255262 SUSE Bug 1255262 https://bugzilla.suse.com/1255266 SUSE Bug 1255266 https://bugzilla.suse.com/1255268 SUSE Bug 1255268 https://bugzilla.suse.com/1255269 SUSE Bug 1255269 https://bugzilla.suse.com/1255272 SUSE Bug 1255272 https://bugzilla.suse.com/1255273 SUSE Bug 1255273 https://bugzilla.suse.com/1255274 SUSE Bug 1255274 https://bugzilla.suse.com/1255276 SUSE Bug 1255276 https://bugzilla.suse.com/1255279 SUSE Bug 1255279 https://bugzilla.suse.com/1255280 SUSE Bug 1255280 https://bugzilla.suse.com/1255281 SUSE Bug 1255281 https://bugzilla.suse.com/1255297 SUSE Bug 1255297 https://bugzilla.suse.com/1255318 SUSE Bug 1255318 https://bugzilla.suse.com/1255325 SUSE Bug 1255325 https://bugzilla.suse.com/1255327 SUSE Bug 1255327 https://bugzilla.suse.com/1255329 SUSE Bug 1255329 https://bugzilla.suse.com/1255351 SUSE Bug 1255351 https://bugzilla.suse.com/1255377 SUSE Bug 1255377 https://bugzilla.suse.com/1255380 SUSE Bug 1255380 https://bugzilla.suse.com/1255395 SUSE Bug 1255395 https://bugzilla.suse.com/1255401 SUSE Bug 1255401 https://bugzilla.suse.com/1255403 SUSE Bug 1255403 https://bugzilla.suse.com/1255415 SUSE Bug 1255415 https://bugzilla.suse.com/1255417 SUSE Bug 1255417 https://bugzilla.suse.com/1255428 SUSE Bug 1255428 https://bugzilla.suse.com/1255480 SUSE Bug 1255480 https://bugzilla.suse.com/1255482 SUSE Bug 1255482 https://bugzilla.suse.com/1255483 SUSE Bug 1255483 https://bugzilla.suse.com/1255488 SUSE Bug 1255488 https://bugzilla.suse.com/1255489 SUSE Bug 1255489 https://bugzilla.suse.com/1255493 SUSE Bug 1255493 https://bugzilla.suse.com/1255495 SUSE Bug 1255495 https://bugzilla.suse.com/1255505 SUSE Bug 1255505 https://bugzilla.suse.com/1255507 SUSE Bug 1255507 https://bugzilla.suse.com/1255537 SUSE Bug 1255537 https://bugzilla.suse.com/1255538 SUSE Bug 1255538 https://bugzilla.suse.com/1255539 SUSE Bug 1255539 https://bugzilla.suse.com/1255540 SUSE Bug 1255540 https://bugzilla.suse.com/1255544 SUSE Bug 1255544 https://bugzilla.suse.com/1255545 SUSE Bug 1255545 https://bugzilla.suse.com/1255547 SUSE Bug 1255547 https://bugzilla.suse.com/1255548 SUSE Bug 1255548 https://bugzilla.suse.com/1255549 SUSE Bug 1255549 https://bugzilla.suse.com/1255550 SUSE Bug 1255550 https://bugzilla.suse.com/1255552 SUSE Bug 1255552 https://bugzilla.suse.com/1255553 SUSE Bug 1255553 https://bugzilla.suse.com/1255557 SUSE Bug 1255557 https://bugzilla.suse.com/1255558 SUSE Bug 1255558 https://bugzilla.suse.com/1255563 SUSE Bug 1255563 https://bugzilla.suse.com/1255564 SUSE Bug 1255564 https://bugzilla.suse.com/1255567 SUSE Bug 1255567 https://bugzilla.suse.com/1255568 SUSE Bug 1255568 https://bugzilla.suse.com/1255569 SUSE Bug 1255569 https://bugzilla.suse.com/1255570 SUSE Bug 1255570 https://bugzilla.suse.com/1255578 SUSE Bug 1255578 https://bugzilla.suse.com/1255579 SUSE Bug 1255579 https://bugzilla.suse.com/1255580 SUSE Bug 1255580 https://bugzilla.suse.com/1255583 SUSE Bug 1255583 https://bugzilla.suse.com/1255591 SUSE Bug 1255591 https://bugzilla.suse.com/1255601 SUSE Bug 1255601 https://bugzilla.suse.com/1255603 SUSE Bug 1255603 https://bugzilla.suse.com/1255605 SUSE Bug 1255605 https://bugzilla.suse.com/1255611 SUSE Bug 1255611 https://bugzilla.suse.com/1255614 SUSE Bug 1255614 https://bugzilla.suse.com/1255615 SUSE Bug 1255615 https://bugzilla.suse.com/1255616 SUSE Bug 1255616 https://bugzilla.suse.com/1255617 SUSE Bug 1255617 https://bugzilla.suse.com/1255618 SUSE Bug 1255618 https://bugzilla.suse.com/1255621 SUSE Bug 1255621 https://bugzilla.suse.com/1255622 SUSE Bug 1255622 https://bugzilla.suse.com/1255628 SUSE Bug 1255628 https://bugzilla.suse.com/1255629 SUSE Bug 1255629 https://bugzilla.suse.com/1255630 SUSE Bug 1255630 https://bugzilla.suse.com/1255632 SUSE Bug 1255632 https://bugzilla.suse.com/1255636 SUSE Bug 1255636 https://bugzilla.suse.com/1255688 SUSE Bug 1255688 https://bugzilla.suse.com/1255691 SUSE Bug 1255691 https://bugzilla.suse.com/1255695 SUSE Bug 1255695 https://bugzilla.suse.com/1255702 SUSE Bug 1255702 https://bugzilla.suse.com/1255704 SUSE Bug 1255704 https://bugzilla.suse.com/1255706 SUSE Bug 1255706 https://bugzilla.suse.com/1255707 SUSE Bug 1255707 https://bugzilla.suse.com/1255709 SUSE Bug 1255709 https://bugzilla.suse.com/1255722 SUSE Bug 1255722 https://bugzilla.suse.com/1255758 SUSE Bug 1255758 https://bugzilla.suse.com/1255759 SUSE Bug 1255759 https://bugzilla.suse.com/1255760 SUSE Bug 1255760 https://bugzilla.suse.com/1255763 SUSE Bug 1255763 https://bugzilla.suse.com/1255769 SUSE Bug 1255769 https://bugzilla.suse.com/1255770 SUSE Bug 1255770 https://bugzilla.suse.com/1255772 SUSE Bug 1255772 https://bugzilla.suse.com/1255774 SUSE Bug 1255774 https://bugzilla.suse.com/1255775 SUSE Bug 1255775 https://bugzilla.suse.com/1255776 SUSE Bug 1255776 https://bugzilla.suse.com/1255780 SUSE Bug 1255780 https://bugzilla.suse.com/1255785 SUSE Bug 1255785 https://bugzilla.suse.com/1255786 SUSE Bug 1255786 https://bugzilla.suse.com/1255789 SUSE Bug 1255789 https://bugzilla.suse.com/1255790 SUSE Bug 1255790 https://bugzilla.suse.com/1255792 SUSE Bug 1255792 https://bugzilla.suse.com/1255793 SUSE Bug 1255793 https://bugzilla.suse.com/1255795 SUSE Bug 1255795 https://bugzilla.suse.com/1255798 SUSE Bug 1255798 https://bugzilla.suse.com/1255800 SUSE Bug 1255800 https://bugzilla.suse.com/1255801 SUSE Bug 1255801 https://bugzilla.suse.com/1255806 SUSE Bug 1255806 https://bugzilla.suse.com/1255807 SUSE Bug 1255807 https://bugzilla.suse.com/1255809 SUSE Bug 1255809 https://bugzilla.suse.com/1255810 SUSE Bug 1255810 https://bugzilla.suse.com/1255812 SUSE Bug 1255812 https://bugzilla.suse.com/1255814 SUSE Bug 1255814 https://bugzilla.suse.com/1255820 SUSE Bug 1255820 https://bugzilla.suse.com/1255838 SUSE Bug 1255838 https://bugzilla.suse.com/1255842 SUSE Bug 1255842 https://bugzilla.suse.com/1255843 SUSE Bug 1255843 https://bugzilla.suse.com/1255872 SUSE Bug 1255872 https://bugzilla.suse.com/1255875 SUSE Bug 1255875 https://bugzilla.suse.com/1255879 SUSE Bug 1255879 https://bugzilla.suse.com/1255883 SUSE Bug 1255883 https://bugzilla.suse.com/1255884 SUSE Bug 1255884 https://bugzilla.suse.com/1255886 SUSE Bug 1255886 https://bugzilla.suse.com/1255888 SUSE Bug 1255888 https://bugzilla.suse.com/1255890 SUSE Bug 1255890 https://bugzilla.suse.com/1255891 SUSE Bug 1255891 https://bugzilla.suse.com/1255892 SUSE Bug 1255892 https://bugzilla.suse.com/1255899 SUSE Bug 1255899 https://bugzilla.suse.com/1255902 SUSE Bug 1255902 https://bugzilla.suse.com/1255907 SUSE Bug 1255907 https://bugzilla.suse.com/1255911 SUSE Bug 1255911 https://bugzilla.suse.com/1255915 SUSE Bug 1255915 https://bugzilla.suse.com/1255918 SUSE Bug 1255918 https://bugzilla.suse.com/1255921 SUSE Bug 1255921 https://bugzilla.suse.com/1255924 SUSE Bug 1255924 https://bugzilla.suse.com/1255925 SUSE Bug 1255925 https://bugzilla.suse.com/1255930 SUSE Bug 1255930 https://bugzilla.suse.com/1255931 SUSE Bug 1255931 https://bugzilla.suse.com/1255932 SUSE Bug 1255932 https://bugzilla.suse.com/1255934 SUSE Bug 1255934 https://bugzilla.suse.com/1255943 SUSE Bug 1255943 https://bugzilla.suse.com/1255944 SUSE Bug 1255944 https://bugzilla.suse.com/1255949 SUSE Bug 1255949 https://bugzilla.suse.com/1255951 SUSE Bug 1255951 https://bugzilla.suse.com/1255952 SUSE Bug 1255952 https://bugzilla.suse.com/1255955 SUSE Bug 1255955 https://bugzilla.suse.com/1255957 SUSE Bug 1255957 https://bugzilla.suse.com/1255961 SUSE Bug 1255961 https://bugzilla.suse.com/1255963 SUSE Bug 1255963 https://bugzilla.suse.com/1255964 SUSE Bug 1255964 https://bugzilla.suse.com/1255967 SUSE Bug 1255967 https://bugzilla.suse.com/1255974 SUSE Bug 1255974 https://bugzilla.suse.com/1255978 SUSE Bug 1255978 https://bugzilla.suse.com/1255984 SUSE Bug 1255984 https://bugzilla.suse.com/1255988 SUSE Bug 1255988 https://bugzilla.suse.com/1255990 SUSE Bug 1255990 https://bugzilla.suse.com/1255992 SUSE Bug 1255992 https://bugzilla.suse.com/1255993 SUSE Bug 1255993 https://bugzilla.suse.com/1255994 SUSE Bug 1255994 https://bugzilla.suse.com/1255996 SUSE Bug 1255996 https://bugzilla.suse.com/1256033 SUSE Bug 1256033 https://bugzilla.suse.com/1256034 SUSE Bug 1256034 https://bugzilla.suse.com/1256045 SUSE Bug 1256045 https://bugzilla.suse.com/1256050 SUSE Bug 1256050 https://bugzilla.suse.com/1256058 SUSE Bug 1256058 https://bugzilla.suse.com/1256071 SUSE Bug 1256071 https://bugzilla.suse.com/1256074 SUSE Bug 1256074 https://bugzilla.suse.com/1256081 SUSE Bug 1256081 https://bugzilla.suse.com/1256082 SUSE Bug 1256082 https://bugzilla.suse.com/1256083 SUSE Bug 1256083 https://bugzilla.suse.com/1256084 SUSE Bug 1256084 https://bugzilla.suse.com/1256085 SUSE Bug 1256085 https://bugzilla.suse.com/1256090 SUSE Bug 1256090 https://bugzilla.suse.com/1256093 SUSE Bug 1256093 https://bugzilla.suse.com/1256094 SUSE Bug 1256094 https://bugzilla.suse.com/1256095 SUSE Bug 1256095 https://bugzilla.suse.com/1256096 SUSE Bug 1256096 https://bugzilla.suse.com/1256099 SUSE Bug 1256099 https://bugzilla.suse.com/1256100 SUSE Bug 1256100 https://bugzilla.suse.com/1256104 SUSE Bug 1256104 https://bugzilla.suse.com/1256106 SUSE Bug 1256106 https://bugzilla.suse.com/1256107 SUSE Bug 1256107 https://bugzilla.suse.com/1256117 SUSE Bug 1256117 https://bugzilla.suse.com/1256119 SUSE Bug 1256119 https://bugzilla.suse.com/1256121 SUSE Bug 1256121 https://bugzilla.suse.com/1256145 SUSE Bug 1256145 https://bugzilla.suse.com/1256153 SUSE Bug 1256153 https://bugzilla.suse.com/1256178 SUSE Bug 1256178 https://bugzilla.suse.com/1256197 SUSE Bug 1256197 https://bugzilla.suse.com/1256231 SUSE Bug 1256231 https://bugzilla.suse.com/1256233 SUSE Bug 1256233 https://bugzilla.suse.com/1256234 SUSE Bug 1256234 https://bugzilla.suse.com/1256238 SUSE Bug 1256238 https://bugzilla.suse.com/1256263 SUSE Bug 1256263 https://bugzilla.suse.com/1256267 SUSE Bug 1256267 https://bugzilla.suse.com/1256268 SUSE Bug 1256268 https://bugzilla.suse.com/1256271 SUSE Bug 1256271 https://bugzilla.suse.com/1256273 SUSE Bug 1256273 https://bugzilla.suse.com/1256274 SUSE Bug 1256274 https://bugzilla.suse.com/1256279 SUSE Bug 1256279 https://bugzilla.suse.com/1256280 SUSE Bug 1256280 https://bugzilla.suse.com/1256285 SUSE Bug 1256285 https://bugzilla.suse.com/1256291 SUSE Bug 1256291 https://bugzilla.suse.com/1256292 SUSE Bug 1256292 https://bugzilla.suse.com/1256300 SUSE Bug 1256300 https://bugzilla.suse.com/1256301 SUSE Bug 1256301 https://bugzilla.suse.com/1256302 SUSE Bug 1256302 https://bugzilla.suse.com/1256335 SUSE Bug 1256335 https://bugzilla.suse.com/1256348 SUSE Bug 1256348 https://bugzilla.suse.com/1256351 SUSE Bug 1256351 https://bugzilla.suse.com/1256354 SUSE Bug 1256354 https://bugzilla.suse.com/1256358 SUSE Bug 1256358 https://bugzilla.suse.com/1256361 SUSE Bug 1256361 https://bugzilla.suse.com/1256364 SUSE Bug 1256364 https://bugzilla.suse.com/1256366 SUSE Bug 1256366 https://bugzilla.suse.com/1256367 SUSE Bug 1256367 https://bugzilla.suse.com/1256368 SUSE Bug 1256368 https://bugzilla.suse.com/1256369 SUSE Bug 1256369 https://bugzilla.suse.com/1256370 SUSE Bug 1256370 https://bugzilla.suse.com/1256371 SUSE Bug 1256371 https://bugzilla.suse.com/1256373 SUSE Bug 1256373 https://bugzilla.suse.com/1256375 SUSE Bug 1256375 https://bugzilla.suse.com/1256379 SUSE Bug 1256379 https://bugzilla.suse.com/1256387 SUSE Bug 1256387 https://bugzilla.suse.com/1256394 SUSE Bug 1256394 https://bugzilla.suse.com/1256395 SUSE Bug 1256395 https://bugzilla.suse.com/1256396 SUSE Bug 1256396 https://bugzilla.suse.com/1256528 SUSE Bug 1256528 https://bugzilla.suse.com/1256579 SUSE Bug 1256579 https://bugzilla.suse.com/1256582 SUSE Bug 1256582 https://bugzilla.suse.com/1256584 SUSE Bug 1256584 https://bugzilla.suse.com/1256586 SUSE Bug 1256586 https://bugzilla.suse.com/1256591 SUSE Bug 1256591 https://bugzilla.suse.com/1256593 SUSE Bug 1256593 https://bugzilla.suse.com/1256597 SUSE Bug 1256597 https://bugzilla.suse.com/1256605 SUSE Bug 1256605 https://bugzilla.suse.com/1256606 SUSE Bug 1256606 https://bugzilla.suse.com/1256607 SUSE Bug 1256607 https://bugzilla.suse.com/1256609 SUSE Bug 1256609 https://bugzilla.suse.com/1256610 SUSE Bug 1256610 https://bugzilla.suse.com/1256611 SUSE Bug 1256611 https://bugzilla.suse.com/1256612 SUSE Bug 1256612 https://bugzilla.suse.com/1256613 SUSE Bug 1256613 https://bugzilla.suse.com/1256616 SUSE Bug 1256616 https://bugzilla.suse.com/1256617 SUSE Bug 1256617 https://bugzilla.suse.com/1256619 SUSE Bug 1256619 https://bugzilla.suse.com/1256622 SUSE Bug 1256622 https://bugzilla.suse.com/1256623 SUSE Bug 1256623 https://bugzilla.suse.com/1256625 SUSE Bug 1256625 https://bugzilla.suse.com/1256628 SUSE Bug 1256628 https://bugzilla.suse.com/1256630 SUSE Bug 1256630 https://bugzilla.suse.com/1256638 SUSE Bug 1256638 https://bugzilla.suse.com/1256641 SUSE Bug 1256641 https://bugzilla.suse.com/1256645 SUSE Bug 1256645 https://bugzilla.suse.com/1256646 SUSE Bug 1256646 https://bugzilla.suse.com/1256650 SUSE Bug 1256650 https://bugzilla.suse.com/1256651 SUSE Bug 1256651 https://bugzilla.suse.com/1256653 SUSE Bug 1256653 https://bugzilla.suse.com/1256654 SUSE Bug 1256654 https://bugzilla.suse.com/1256655 SUSE Bug 1256655 https://bugzilla.suse.com/1256659 SUSE Bug 1256659 https://bugzilla.suse.com/1256660 SUSE Bug 1256660 https://bugzilla.suse.com/1256664 SUSE Bug 1256664 https://bugzilla.suse.com/1256665 SUSE Bug 1256665 https://bugzilla.suse.com/1256674 SUSE Bug 1256674 https://bugzilla.suse.com/1256680 SUSE Bug 1256680 https://bugzilla.suse.com/1256682 SUSE Bug 1256682 https://bugzilla.suse.com/1256688 SUSE Bug 1256688 https://bugzilla.suse.com/1256689 SUSE Bug 1256689 https://bugzilla.suse.com/1256726 SUSE Bug 1256726 https://bugzilla.suse.com/1256728 SUSE Bug 1256728 https://bugzilla.suse.com/1256730 SUSE Bug 1256730 https://bugzilla.suse.com/1256733 SUSE Bug 1256733 https://bugzilla.suse.com/1256737 SUSE Bug 1256737 https://bugzilla.suse.com/1256741 SUSE Bug 1256741 https://bugzilla.suse.com/1256742 SUSE Bug 1256742 https://bugzilla.suse.com/1256744 SUSE Bug 1256744 https://bugzilla.suse.com/1256752 SUSE Bug 1256752 https://bugzilla.suse.com/1256754 SUSE Bug 1256754 https://bugzilla.suse.com/1256757 SUSE Bug 1256757 https://bugzilla.suse.com/1256759 SUSE Bug 1256759 https://bugzilla.suse.com/1256760 SUSE Bug 1256760 https://bugzilla.suse.com/1256761 SUSE Bug 1256761 https://bugzilla.suse.com/1256763 SUSE Bug 1256763 https://bugzilla.suse.com/1256770 SUSE Bug 1256770 https://bugzilla.suse.com/1256773 SUSE Bug 1256773 https://bugzilla.suse.com/1256774 SUSE Bug 1256774 https://bugzilla.suse.com/1256777 SUSE Bug 1256777 https://bugzilla.suse.com/1256779 SUSE Bug 1256779 https://bugzilla.suse.com/1256781 SUSE Bug 1256781 https://bugzilla.suse.com/1256785 SUSE Bug 1256785 https://bugzilla.suse.com/1256792 SUSE Bug 1256792 https://bugzilla.suse.com/1256861 SUSE Bug 1256861 https://bugzilla.suse.com/1256863 SUSE Bug 1256863 https://bugzilla.suse.com/1257035 SUSE Bug 1257035 https://bugzilla.suse.com/1257053 SUSE Bug 1257053 https://bugzilla.suse.com/1257154 SUSE Bug 1257154 https://bugzilla.suse.com/1257155 SUSE Bug 1257155 https://bugzilla.suse.com/1257158 SUSE Bug 1257158 https://bugzilla.suse.com/1257163 SUSE Bug 1257163 https://bugzilla.suse.com/1257164 SUSE Bug 1257164 https://bugzilla.suse.com/1257180 SUSE Bug 1257180 https://bugzilla.suse.com/1257202 SUSE Bug 1257202 https://bugzilla.suse.com/1257204 SUSE Bug 1257204 https://bugzilla.suse.com/1257207 SUSE Bug 1257207 https://bugzilla.suse.com/1257208 SUSE Bug 1257208 https://bugzilla.suse.com/1257215 SUSE Bug 1257215 https://bugzilla.suse.com/1257217 SUSE Bug 1257217 https://bugzilla.suse.com/1257218 SUSE Bug 1257218 https://bugzilla.suse.com/1257220 SUSE Bug 1257220 https://bugzilla.suse.com/1257221 SUSE Bug 1257221 https://bugzilla.suse.com/1257227 SUSE Bug 1257227 https://bugzilla.suse.com/1257232 SUSE Bug 1257232 https://bugzilla.suse.com/1257234 SUSE Bug 1257234 https://bugzilla.suse.com/1257236 SUSE Bug 1257236 https://bugzilla.suse.com/1257245 SUSE Bug 1257245 https://bugzilla.suse.com/1257277 SUSE Bug 1257277 https://bugzilla.suse.com/1257282 SUSE Bug 1257282 https://bugzilla.suse.com/1257296 SUSE Bug 1257296 https://bugzilla.suse.com/1257332 SUSE Bug 1257332 https://bugzilla.suse.com/1257473 SUSE Bug 1257473 https://bugzilla.suse.com/1257603 SUSE Bug 1257603 https://www.suse.com/security/cve/CVE-2023-42752/ SUSE CVE CVE-2023-42752 page https://www.suse.com/security/cve/CVE-2023-53714/ SUSE CVE CVE-2023-53714 page https://www.suse.com/security/cve/CVE-2023-53743/ SUSE CVE CVE-2023-53743 page https://www.suse.com/security/cve/CVE-2023-53750/ SUSE CVE CVE-2023-53750 page https://www.suse.com/security/cve/CVE-2023-53752/ SUSE CVE CVE-2023-53752 page https://www.suse.com/security/cve/CVE-2023-53759/ SUSE CVE CVE-2023-53759 page https://www.suse.com/security/cve/CVE-2023-53762/ SUSE CVE CVE-2023-53762 page https://www.suse.com/security/cve/CVE-2023-53766/ SUSE CVE CVE-2023-53766 page https://www.suse.com/security/cve/CVE-2023-53768/ SUSE CVE CVE-2023-53768 page https://www.suse.com/security/cve/CVE-2023-53777/ SUSE CVE CVE-2023-53777 page https://www.suse.com/security/cve/CVE-2023-53778/ SUSE CVE CVE-2023-53778 page https://www.suse.com/security/cve/CVE-2023-53782/ SUSE CVE CVE-2023-53782 page https://www.suse.com/security/cve/CVE-2023-53784/ SUSE CVE CVE-2023-53784 page https://www.suse.com/security/cve/CVE-2023-53785/ SUSE CVE CVE-2023-53785 page https://www.suse.com/security/cve/CVE-2023-53787/ SUSE CVE CVE-2023-53787 page https://www.suse.com/security/cve/CVE-2023-53791/ SUSE CVE CVE-2023-53791 page https://www.suse.com/security/cve/CVE-2023-53792/ SUSE CVE CVE-2023-53792 page https://www.suse.com/security/cve/CVE-2023-53793/ SUSE CVE CVE-2023-53793 page https://www.suse.com/security/cve/CVE-2023-53794/ SUSE CVE CVE-2023-53794 page https://www.suse.com/security/cve/CVE-2023-53795/ SUSE CVE CVE-2023-53795 page https://www.suse.com/security/cve/CVE-2023-53797/ SUSE CVE CVE-2023-53797 page https://www.suse.com/security/cve/CVE-2023-53799/ SUSE CVE CVE-2023-53799 page https://www.suse.com/security/cve/CVE-2023-53807/ SUSE CVE CVE-2023-53807 page https://www.suse.com/security/cve/CVE-2023-53808/ SUSE CVE CVE-2023-53808 page https://www.suse.com/security/cve/CVE-2023-53813/ SUSE CVE CVE-2023-53813 page https://www.suse.com/security/cve/CVE-2023-53815/ SUSE CVE CVE-2023-53815 page https://www.suse.com/security/cve/CVE-2023-53819/ SUSE CVE CVE-2023-53819 page https://www.suse.com/security/cve/CVE-2023-53821/ SUSE CVE CVE-2023-53821 page https://www.suse.com/security/cve/CVE-2023-53823/ SUSE CVE CVE-2023-53823 page https://www.suse.com/security/cve/CVE-2023-53825/ SUSE CVE CVE-2023-53825 page https://www.suse.com/security/cve/CVE-2023-53828/ SUSE CVE CVE-2023-53828 page https://www.suse.com/security/cve/CVE-2023-53831/ SUSE CVE CVE-2023-53831 page https://www.suse.com/security/cve/CVE-2023-53834/ SUSE CVE CVE-2023-53834 page https://www.suse.com/security/cve/CVE-2023-53836/ SUSE CVE CVE-2023-53836 page https://www.suse.com/security/cve/CVE-2023-53839/ SUSE CVE CVE-2023-53839 page https://www.suse.com/security/cve/CVE-2023-53841/ SUSE CVE CVE-2023-53841 page https://www.suse.com/security/cve/CVE-2023-53842/ SUSE CVE CVE-2023-53842 page https://www.suse.com/security/cve/CVE-2023-53843/ SUSE CVE CVE-2023-53843 page https://www.suse.com/security/cve/CVE-2023-53844/ SUSE CVE CVE-2023-53844 page https://www.suse.com/security/cve/CVE-2023-53846/ SUSE CVE CVE-2023-53846 page https://www.suse.com/security/cve/CVE-2023-53847/ SUSE CVE CVE-2023-53847 page https://www.suse.com/security/cve/CVE-2023-53848/ SUSE CVE CVE-2023-53848 page https://www.suse.com/security/cve/CVE-2023-53850/ SUSE CVE CVE-2023-53850 page https://www.suse.com/security/cve/CVE-2023-53851/ SUSE CVE CVE-2023-53851 page https://www.suse.com/security/cve/CVE-2023-53852/ SUSE CVE CVE-2023-53852 page https://www.suse.com/security/cve/CVE-2023-53855/ SUSE CVE CVE-2023-53855 page https://www.suse.com/security/cve/CVE-2023-53856/ SUSE CVE CVE-2023-53856 page https://www.suse.com/security/cve/CVE-2023-53857/ SUSE CVE CVE-2023-53857 page https://www.suse.com/security/cve/CVE-2023-53858/ SUSE CVE CVE-2023-53858 page https://www.suse.com/security/cve/CVE-2023-53860/ SUSE CVE CVE-2023-53860 page https://www.suse.com/security/cve/CVE-2023-53861/ SUSE CVE CVE-2023-53861 page https://www.suse.com/security/cve/CVE-2023-53863/ SUSE CVE CVE-2023-53863 page https://www.suse.com/security/cve/CVE-2023-53864/ SUSE CVE CVE-2023-53864 page https://www.suse.com/security/cve/CVE-2023-53865/ SUSE CVE CVE-2023-53865 page https://www.suse.com/security/cve/CVE-2023-53989/ SUSE CVE CVE-2023-53989 page https://www.suse.com/security/cve/CVE-2023-53992/ SUSE CVE CVE-2023-53992 page https://www.suse.com/security/cve/CVE-2023-53994/ SUSE CVE CVE-2023-53994 page https://www.suse.com/security/cve/CVE-2023-53995/ SUSE CVE CVE-2023-53995 page https://www.suse.com/security/cve/CVE-2023-53996/ SUSE CVE CVE-2023-53996 page https://www.suse.com/security/cve/CVE-2023-53997/ SUSE CVE CVE-2023-53997 page https://www.suse.com/security/cve/CVE-2023-53998/ SUSE CVE CVE-2023-53998 page https://www.suse.com/security/cve/CVE-2023-53999/ SUSE CVE CVE-2023-53999 page https://www.suse.com/security/cve/CVE-2023-54000/ SUSE CVE CVE-2023-54000 page https://www.suse.com/security/cve/CVE-2023-54001/ SUSE CVE CVE-2023-54001 page https://www.suse.com/security/cve/CVE-2023-54005/ SUSE CVE CVE-2023-54005 page https://www.suse.com/security/cve/CVE-2023-54006/ SUSE CVE CVE-2023-54006 page https://www.suse.com/security/cve/CVE-2023-54008/ SUSE CVE CVE-2023-54008 page https://www.suse.com/security/cve/CVE-2023-54013/ SUSE CVE CVE-2023-54013 page https://www.suse.com/security/cve/CVE-2023-54014/ SUSE CVE CVE-2023-54014 page https://www.suse.com/security/cve/CVE-2023-54016/ SUSE CVE CVE-2023-54016 page https://www.suse.com/security/cve/CVE-2023-54017/ SUSE CVE CVE-2023-54017 page https://www.suse.com/security/cve/CVE-2023-54019/ SUSE CVE CVE-2023-54019 page https://www.suse.com/security/cve/CVE-2023-54022/ SUSE CVE CVE-2023-54022 page https://www.suse.com/security/cve/CVE-2023-54023/ SUSE CVE CVE-2023-54023 page https://www.suse.com/security/cve/CVE-2023-54025/ SUSE CVE CVE-2023-54025 page https://www.suse.com/security/cve/CVE-2023-54026/ SUSE CVE CVE-2023-54026 page https://www.suse.com/security/cve/CVE-2023-54027/ SUSE CVE CVE-2023-54027 page https://www.suse.com/security/cve/CVE-2023-54030/ SUSE CVE CVE-2023-54030 page https://www.suse.com/security/cve/CVE-2023-54031/ SUSE CVE CVE-2023-54031 page https://www.suse.com/security/cve/CVE-2023-54032/ SUSE CVE CVE-2023-54032 page https://www.suse.com/security/cve/CVE-2023-54035/ SUSE CVE CVE-2023-54035 page https://www.suse.com/security/cve/CVE-2023-54037/ SUSE CVE CVE-2023-54037 page https://www.suse.com/security/cve/CVE-2023-54038/ SUSE CVE CVE-2023-54038 page https://www.suse.com/security/cve/CVE-2023-54042/ SUSE CVE CVE-2023-54042 page https://www.suse.com/security/cve/CVE-2023-54045/ SUSE CVE CVE-2023-54045 page https://www.suse.com/security/cve/CVE-2023-54048/ SUSE CVE CVE-2023-54048 page https://www.suse.com/security/cve/CVE-2023-54049/ SUSE CVE CVE-2023-54049 page https://www.suse.com/security/cve/CVE-2023-54051/ SUSE CVE CVE-2023-54051 page https://www.suse.com/security/cve/CVE-2023-54052/ SUSE CVE CVE-2023-54052 page https://www.suse.com/security/cve/CVE-2023-54060/ SUSE CVE CVE-2023-54060 page https://www.suse.com/security/cve/CVE-2023-54064/ SUSE CVE CVE-2023-54064 page https://www.suse.com/security/cve/CVE-2023-54066/ SUSE CVE CVE-2023-54066 page https://www.suse.com/security/cve/CVE-2023-54067/ SUSE CVE CVE-2023-54067 page https://www.suse.com/security/cve/CVE-2023-54069/ SUSE CVE CVE-2023-54069 page https://www.suse.com/security/cve/CVE-2023-54070/ SUSE CVE CVE-2023-54070 page https://www.suse.com/security/cve/CVE-2023-54072/ SUSE CVE CVE-2023-54072 page https://www.suse.com/security/cve/CVE-2023-54076/ SUSE CVE CVE-2023-54076 page https://www.suse.com/security/cve/CVE-2023-54080/ SUSE CVE CVE-2023-54080 page https://www.suse.com/security/cve/CVE-2023-54081/ SUSE CVE CVE-2023-54081 page https://www.suse.com/security/cve/CVE-2023-54083/ SUSE CVE CVE-2023-54083 page https://www.suse.com/security/cve/CVE-2023-54088/ SUSE CVE CVE-2023-54088 page https://www.suse.com/security/cve/CVE-2023-54089/ SUSE CVE CVE-2023-54089 page https://www.suse.com/security/cve/CVE-2023-54091/ SUSE CVE CVE-2023-54091 page https://www.suse.com/security/cve/CVE-2023-54092/ SUSE CVE CVE-2023-54092 page https://www.suse.com/security/cve/CVE-2023-54093/ SUSE CVE CVE-2023-54093 page https://www.suse.com/security/cve/CVE-2023-54094/ SUSE CVE CVE-2023-54094 page https://www.suse.com/security/cve/CVE-2023-54095/ SUSE CVE CVE-2023-54095 page https://www.suse.com/security/cve/CVE-2023-54096/ SUSE CVE CVE-2023-54096 page https://www.suse.com/security/cve/CVE-2023-54099/ SUSE CVE CVE-2023-54099 page https://www.suse.com/security/cve/CVE-2023-54101/ SUSE CVE CVE-2023-54101 page https://www.suse.com/security/cve/CVE-2023-54104/ SUSE CVE CVE-2023-54104 page https://www.suse.com/security/cve/CVE-2023-54106/ SUSE CVE CVE-2023-54106 page https://www.suse.com/security/cve/CVE-2023-54112/ SUSE CVE CVE-2023-54112 page https://www.suse.com/security/cve/CVE-2023-54113/ SUSE CVE CVE-2023-54113 page https://www.suse.com/security/cve/CVE-2023-54115/ SUSE CVE CVE-2023-54115 page https://www.suse.com/security/cve/CVE-2023-54117/ SUSE CVE CVE-2023-54117 page https://www.suse.com/security/cve/CVE-2023-54121/ SUSE CVE CVE-2023-54121 page https://www.suse.com/security/cve/CVE-2023-54125/ SUSE CVE CVE-2023-54125 page https://www.suse.com/security/cve/CVE-2023-54127/ SUSE CVE CVE-2023-54127 page https://www.suse.com/security/cve/CVE-2023-54133/ SUSE CVE CVE-2023-54133 page https://www.suse.com/security/cve/CVE-2023-54134/ SUSE CVE CVE-2023-54134 page https://www.suse.com/security/cve/CVE-2023-54135/ SUSE CVE CVE-2023-54135 page https://www.suse.com/security/cve/CVE-2023-54136/ SUSE CVE CVE-2023-54136 page https://www.suse.com/security/cve/CVE-2023-54137/ SUSE CVE CVE-2023-54137 page https://www.suse.com/security/cve/CVE-2023-54140/ SUSE CVE CVE-2023-54140 page https://www.suse.com/security/cve/CVE-2023-54141/ SUSE CVE CVE-2023-54141 page https://www.suse.com/security/cve/CVE-2023-54142/ SUSE CVE CVE-2023-54142 page https://www.suse.com/security/cve/CVE-2023-54143/ SUSE CVE CVE-2023-54143 page https://www.suse.com/security/cve/CVE-2023-54145/ SUSE CVE CVE-2023-54145 page https://www.suse.com/security/cve/CVE-2023-54148/ SUSE CVE CVE-2023-54148 page https://www.suse.com/security/cve/CVE-2023-54149/ SUSE CVE CVE-2023-54149 page https://www.suse.com/security/cve/CVE-2023-54153/ SUSE CVE CVE-2023-54153 page https://www.suse.com/security/cve/CVE-2023-54154/ SUSE CVE CVE-2023-54154 page https://www.suse.com/security/cve/CVE-2023-54155/ SUSE CVE CVE-2023-54155 page https://www.suse.com/security/cve/CVE-2023-54156/ SUSE CVE CVE-2023-54156 page https://www.suse.com/security/cve/CVE-2023-54164/ SUSE CVE CVE-2023-54164 page https://www.suse.com/security/cve/CVE-2023-54166/ SUSE CVE CVE-2023-54166 page https://www.suse.com/security/cve/CVE-2023-54169/ SUSE CVE CVE-2023-54169 page https://www.suse.com/security/cve/CVE-2023-54170/ SUSE CVE CVE-2023-54170 page https://www.suse.com/security/cve/CVE-2023-54171/ SUSE CVE CVE-2023-54171 page https://www.suse.com/security/cve/CVE-2023-54172/ SUSE CVE CVE-2023-54172 page https://www.suse.com/security/cve/CVE-2023-54173/ SUSE CVE CVE-2023-54173 page https://www.suse.com/security/cve/CVE-2023-54177/ SUSE CVE CVE-2023-54177 page https://www.suse.com/security/cve/CVE-2023-54178/ SUSE CVE CVE-2023-54178 page https://www.suse.com/security/cve/CVE-2023-54179/ SUSE CVE CVE-2023-54179 page https://www.suse.com/security/cve/CVE-2023-54181/ SUSE CVE CVE-2023-54181 page https://www.suse.com/security/cve/CVE-2023-54183/ SUSE CVE CVE-2023-54183 page https://www.suse.com/security/cve/CVE-2023-54185/ SUSE CVE CVE-2023-54185 page https://www.suse.com/security/cve/CVE-2023-54189/ SUSE CVE CVE-2023-54189 page https://www.suse.com/security/cve/CVE-2023-54194/ SUSE CVE CVE-2023-54194 page https://www.suse.com/security/cve/CVE-2023-54201/ SUSE CVE CVE-2023-54201 page https://www.suse.com/security/cve/CVE-2023-54204/ SUSE CVE CVE-2023-54204 page https://www.suse.com/security/cve/CVE-2023-54207/ SUSE CVE CVE-2023-54207 page https://www.suse.com/security/cve/CVE-2023-54209/ SUSE CVE CVE-2023-54209 page https://www.suse.com/security/cve/CVE-2023-54210/ SUSE CVE CVE-2023-54210 page https://www.suse.com/security/cve/CVE-2023-54211/ SUSE CVE CVE-2023-54211 page https://www.suse.com/security/cve/CVE-2023-54215/ SUSE CVE CVE-2023-54215 page https://www.suse.com/security/cve/CVE-2023-54219/ SUSE CVE CVE-2023-54219 page https://www.suse.com/security/cve/CVE-2023-54220/ SUSE CVE CVE-2023-54220 page https://www.suse.com/security/cve/CVE-2023-54221/ SUSE CVE CVE-2023-54221 page https://www.suse.com/security/cve/CVE-2023-54223/ SUSE CVE CVE-2023-54223 page https://www.suse.com/security/cve/CVE-2023-54224/ SUSE CVE CVE-2023-54224 page https://www.suse.com/security/cve/CVE-2023-54225/ SUSE CVE CVE-2023-54225 page https://www.suse.com/security/cve/CVE-2023-54227/ SUSE CVE CVE-2023-54227 page https://www.suse.com/security/cve/CVE-2023-54229/ SUSE CVE CVE-2023-54229 page https://www.suse.com/security/cve/CVE-2023-54230/ SUSE CVE CVE-2023-54230 page https://www.suse.com/security/cve/CVE-2023-54235/ SUSE CVE CVE-2023-54235 page https://www.suse.com/security/cve/CVE-2023-54240/ SUSE CVE CVE-2023-54240 page https://www.suse.com/security/cve/CVE-2023-54241/ SUSE CVE CVE-2023-54241 page https://www.suse.com/security/cve/CVE-2023-54246/ SUSE CVE CVE-2023-54246 page https://www.suse.com/security/cve/CVE-2023-54247/ SUSE CVE CVE-2023-54247 page https://www.suse.com/security/cve/CVE-2023-54251/ SUSE CVE CVE-2023-54251 page https://www.suse.com/security/cve/CVE-2023-54253/ SUSE CVE CVE-2023-54253 page https://www.suse.com/security/cve/CVE-2023-54254/ SUSE CVE CVE-2023-54254 page https://www.suse.com/security/cve/CVE-2023-54255/ SUSE CVE CVE-2023-54255 page https://www.suse.com/security/cve/CVE-2023-54258/ SUSE CVE CVE-2023-54258 page https://www.suse.com/security/cve/CVE-2023-54261/ SUSE CVE CVE-2023-54261 page https://www.suse.com/security/cve/CVE-2023-54263/ SUSE CVE CVE-2023-54263 page https://www.suse.com/security/cve/CVE-2023-54264/ SUSE CVE CVE-2023-54264 page https://www.suse.com/security/cve/CVE-2023-54266/ SUSE CVE CVE-2023-54266 page https://www.suse.com/security/cve/CVE-2023-54267/ SUSE CVE CVE-2023-54267 page https://www.suse.com/security/cve/CVE-2023-54271/ SUSE CVE CVE-2023-54271 page https://www.suse.com/security/cve/CVE-2023-54276/ SUSE CVE CVE-2023-54276 page https://www.suse.com/security/cve/CVE-2023-54278/ SUSE CVE CVE-2023-54278 page https://www.suse.com/security/cve/CVE-2023-54281/ SUSE CVE CVE-2023-54281 page https://www.suse.com/security/cve/CVE-2023-54282/ SUSE CVE CVE-2023-54282 page https://www.suse.com/security/cve/CVE-2023-54283/ SUSE CVE CVE-2023-54283 page https://www.suse.com/security/cve/CVE-2023-54285/ SUSE CVE CVE-2023-54285 page https://www.suse.com/security/cve/CVE-2023-54289/ SUSE CVE CVE-2023-54289 page https://www.suse.com/security/cve/CVE-2023-54291/ SUSE CVE CVE-2023-54291 page https://www.suse.com/security/cve/CVE-2023-54292/ SUSE CVE CVE-2023-54292 page https://www.suse.com/security/cve/CVE-2023-54293/ SUSE CVE CVE-2023-54293 page https://www.suse.com/security/cve/CVE-2023-54296/ SUSE CVE CVE-2023-54296 page https://www.suse.com/security/cve/CVE-2023-54297/ SUSE CVE CVE-2023-54297 page https://www.suse.com/security/cve/CVE-2023-54299/ SUSE CVE CVE-2023-54299 page https://www.suse.com/security/cve/CVE-2023-54300/ SUSE CVE CVE-2023-54300 page https://www.suse.com/security/cve/CVE-2023-54302/ SUSE CVE CVE-2023-54302 page https://www.suse.com/security/cve/CVE-2023-54303/ SUSE CVE CVE-2023-54303 page https://www.suse.com/security/cve/CVE-2023-54304/ SUSE CVE CVE-2023-54304 page https://www.suse.com/security/cve/CVE-2023-54309/ SUSE CVE CVE-2023-54309 page https://www.suse.com/security/cve/CVE-2023-54312/ SUSE CVE CVE-2023-54312 page https://www.suse.com/security/cve/CVE-2023-54313/ SUSE CVE CVE-2023-54313 page https://www.suse.com/security/cve/CVE-2023-54314/ SUSE CVE CVE-2023-54314 page https://www.suse.com/security/cve/CVE-2023-54315/ SUSE CVE CVE-2023-54315 page https://www.suse.com/security/cve/CVE-2023-54316/ SUSE CVE CVE-2023-54316 page https://www.suse.com/security/cve/CVE-2023-54318/ SUSE CVE CVE-2023-54318 page https://www.suse.com/security/cve/CVE-2023-54319/ SUSE CVE CVE-2023-54319 page https://www.suse.com/security/cve/CVE-2023-54322/ SUSE CVE CVE-2023-54322 page https://www.suse.com/security/cve/CVE-2023-54324/ SUSE CVE CVE-2023-54324 page https://www.suse.com/security/cve/CVE-2023-54326/ SUSE CVE CVE-2023-54326 page https://www.suse.com/security/cve/CVE-2024-26944/ SUSE CVE CVE-2024-26944 page https://www.suse.com/security/cve/CVE-2024-27005/ SUSE CVE CVE-2024-27005 page https://www.suse.com/security/cve/CVE-2024-42103/ SUSE CVE CVE-2024-42103 page https://www.suse.com/security/cve/CVE-2024-53070/ SUSE CVE CVE-2024-53070 page https://www.suse.com/security/cve/CVE-2024-53149/ SUSE CVE CVE-2024-53149 page https://www.suse.com/security/cve/CVE-2025-22047/ SUSE CVE CVE-2025-22047 page https://www.suse.com/security/cve/CVE-2025-37813/ SUSE CVE CVE-2025-37813 page https://www.suse.com/security/cve/CVE-2025-38243/ SUSE CVE CVE-2025-38243 page https://www.suse.com/security/cve/CVE-2025-38321/ SUSE CVE CVE-2025-38321 page https://www.suse.com/security/cve/CVE-2025-38322/ SUSE CVE CVE-2025-38322 page https://www.suse.com/security/cve/CVE-2025-38379/ SUSE CVE CVE-2025-38379 page https://www.suse.com/security/cve/CVE-2025-38539/ SUSE CVE CVE-2025-38539 page https://www.suse.com/security/cve/CVE-2025-38728/ SUSE CVE CVE-2025-38728 page https://www.suse.com/security/cve/CVE-2025-39689/ SUSE CVE CVE-2025-39689 page https://www.suse.com/security/cve/CVE-2025-39813/ SUSE CVE CVE-2025-39813 page https://www.suse.com/security/cve/CVE-2025-39829/ SUSE CVE CVE-2025-39829 page https://www.suse.com/security/cve/CVE-2025-39880/ SUSE CVE CVE-2025-39880 page https://www.suse.com/security/cve/CVE-2025-39890/ SUSE CVE CVE-2025-39890 page https://www.suse.com/security/cve/CVE-2025-39913/ SUSE CVE CVE-2025-39913 page https://www.suse.com/security/cve/CVE-2025-39977/ SUSE CVE CVE-2025-39977 page https://www.suse.com/security/cve/CVE-2025-40006/ SUSE CVE CVE-2025-40006 page https://www.suse.com/security/cve/CVE-2025-40024/ SUSE CVE CVE-2025-40024 page https://www.suse.com/security/cve/CVE-2025-40033/ SUSE CVE CVE-2025-40033 page https://www.suse.com/security/cve/CVE-2025-40042/ SUSE CVE CVE-2025-40042 page https://www.suse.com/security/cve/CVE-2025-40053/ SUSE CVE CVE-2025-40053 page https://www.suse.com/security/cve/CVE-2025-40081/ SUSE CVE CVE-2025-40081 page https://www.suse.com/security/cve/CVE-2025-40097/ SUSE CVE CVE-2025-40097 page https://www.suse.com/security/cve/CVE-2025-40102/ SUSE CVE CVE-2025-40102 page https://www.suse.com/security/cve/CVE-2025-40106/ SUSE CVE CVE-2025-40106 page https://www.suse.com/security/cve/CVE-2025-40123/ SUSE CVE CVE-2025-40123 page https://www.suse.com/security/cve/CVE-2025-40134/ SUSE CVE CVE-2025-40134 page https://www.suse.com/security/cve/CVE-2025-40135/ SUSE CVE CVE-2025-40135 page https://www.suse.com/security/cve/CVE-2025-40153/ SUSE CVE CVE-2025-40153 page https://www.suse.com/security/cve/CVE-2025-40158/ SUSE CVE CVE-2025-40158 page https://www.suse.com/security/cve/CVE-2025-40160/ SUSE CVE CVE-2025-40160 page https://www.suse.com/security/cve/CVE-2025-40167/ SUSE CVE CVE-2025-40167 page https://www.suse.com/security/cve/CVE-2025-40170/ SUSE CVE CVE-2025-40170 page https://www.suse.com/security/cve/CVE-2025-40178/ SUSE CVE CVE-2025-40178 page https://www.suse.com/security/cve/CVE-2025-40179/ SUSE CVE CVE-2025-40179 page https://www.suse.com/security/cve/CVE-2025-40187/ SUSE CVE CVE-2025-40187 page https://www.suse.com/security/cve/CVE-2025-40190/ SUSE CVE CVE-2025-40190 page https://www.suse.com/security/cve/CVE-2025-40202/ SUSE CVE CVE-2025-40202 page https://www.suse.com/security/cve/CVE-2025-40211/ SUSE CVE CVE-2025-40211 page https://www.suse.com/security/cve/CVE-2025-40215/ SUSE CVE CVE-2025-40215 page https://www.suse.com/security/cve/CVE-2025-40219/ SUSE CVE CVE-2025-40219 page https://www.suse.com/security/cve/CVE-2025-40220/ SUSE CVE CVE-2025-40220 page https://www.suse.com/security/cve/CVE-2025-40223/ SUSE CVE CVE-2025-40223 page https://www.suse.com/security/cve/CVE-2025-40231/ SUSE CVE CVE-2025-40231 page https://www.suse.com/security/cve/CVE-2025-40233/ SUSE CVE CVE-2025-40233 page https://www.suse.com/security/cve/CVE-2025-40238/ SUSE CVE CVE-2025-40238 page https://www.suse.com/security/cve/CVE-2025-40240/ SUSE CVE CVE-2025-40240 page https://www.suse.com/security/cve/CVE-2025-40242/ SUSE CVE CVE-2025-40242 page https://www.suse.com/security/cve/CVE-2025-40244/ SUSE CVE CVE-2025-40244 page https://www.suse.com/security/cve/CVE-2025-40248/ SUSE CVE CVE-2025-40248 page https://www.suse.com/security/cve/CVE-2025-40250/ SUSE CVE CVE-2025-40250 page https://www.suse.com/security/cve/CVE-2025-40251/ SUSE CVE CVE-2025-40251 page https://www.suse.com/security/cve/CVE-2025-40252/ SUSE CVE CVE-2025-40252 page https://www.suse.com/security/cve/CVE-2025-40254/ SUSE CVE CVE-2025-40254 page https://www.suse.com/security/cve/CVE-2025-40256/ SUSE CVE CVE-2025-40256 page https://www.suse.com/security/cve/CVE-2025-40257/ SUSE CVE CVE-2025-40257 page https://www.suse.com/security/cve/CVE-2025-40258/ SUSE CVE CVE-2025-40258 page https://www.suse.com/security/cve/CVE-2025-40259/ SUSE CVE CVE-2025-40259 page https://www.suse.com/security/cve/CVE-2025-40261/ SUSE CVE CVE-2025-40261 page https://www.suse.com/security/cve/CVE-2025-40262/ SUSE CVE CVE-2025-40262 page https://www.suse.com/security/cve/CVE-2025-40263/ SUSE CVE CVE-2025-40263 page https://www.suse.com/security/cve/CVE-2025-40264/ SUSE CVE CVE-2025-40264 page https://www.suse.com/security/cve/CVE-2025-40268/ SUSE CVE CVE-2025-40268 page https://www.suse.com/security/cve/CVE-2025-40269/ SUSE CVE CVE-2025-40269 page https://www.suse.com/security/cve/CVE-2025-40271/ SUSE CVE CVE-2025-40271 page https://www.suse.com/security/cve/CVE-2025-40272/ SUSE CVE CVE-2025-40272 page https://www.suse.com/security/cve/CVE-2025-40273/ SUSE CVE CVE-2025-40273 page https://www.suse.com/security/cve/CVE-2025-40274/ SUSE CVE CVE-2025-40274 page https://www.suse.com/security/cve/CVE-2025-40275/ SUSE CVE CVE-2025-40275 page https://www.suse.com/security/cve/CVE-2025-40277/ SUSE CVE CVE-2025-40277 page https://www.suse.com/security/cve/CVE-2025-40278/ SUSE CVE CVE-2025-40278 page https://www.suse.com/security/cve/CVE-2025-40279/ SUSE CVE CVE-2025-40279 page https://www.suse.com/security/cve/CVE-2025-40280/ SUSE CVE CVE-2025-40280 page https://www.suse.com/security/cve/CVE-2025-40282/ SUSE CVE CVE-2025-40282 page https://www.suse.com/security/cve/CVE-2025-40283/ SUSE CVE CVE-2025-40283 page https://www.suse.com/security/cve/CVE-2025-40284/ SUSE CVE CVE-2025-40284 page https://www.suse.com/security/cve/CVE-2025-40287/ SUSE CVE CVE-2025-40287 page https://www.suse.com/security/cve/CVE-2025-40288/ SUSE CVE CVE-2025-40288 page https://www.suse.com/security/cve/CVE-2025-40289/ SUSE CVE CVE-2025-40289 page https://www.suse.com/security/cve/CVE-2025-40292/ SUSE CVE CVE-2025-40292 page https://www.suse.com/security/cve/CVE-2025-40293/ SUSE CVE CVE-2025-40293 page https://www.suse.com/security/cve/CVE-2025-40297/ SUSE CVE CVE-2025-40297 page https://www.suse.com/security/cve/CVE-2025-40301/ SUSE CVE CVE-2025-40301 page https://www.suse.com/security/cve/CVE-2025-40304/ SUSE CVE CVE-2025-40304 page https://www.suse.com/security/cve/CVE-2025-40306/ SUSE CVE CVE-2025-40306 page https://www.suse.com/security/cve/CVE-2025-40307/ SUSE CVE CVE-2025-40307 page https://www.suse.com/security/cve/CVE-2025-40308/ SUSE CVE CVE-2025-40308 page https://www.suse.com/security/cve/CVE-2025-40309/ SUSE CVE CVE-2025-40309 page https://www.suse.com/security/cve/CVE-2025-40310/ SUSE CVE CVE-2025-40310 page https://www.suse.com/security/cve/CVE-2025-40311/ SUSE CVE CVE-2025-40311 page https://www.suse.com/security/cve/CVE-2025-40312/ SUSE CVE CVE-2025-40312 page https://www.suse.com/security/cve/CVE-2025-40314/ SUSE CVE CVE-2025-40314 page https://www.suse.com/security/cve/CVE-2025-40315/ SUSE CVE CVE-2025-40315 page https://www.suse.com/security/cve/CVE-2025-40316/ SUSE CVE CVE-2025-40316 page https://www.suse.com/security/cve/CVE-2025-40317/ SUSE CVE CVE-2025-40317 page https://www.suse.com/security/cve/CVE-2025-40318/ SUSE CVE CVE-2025-40318 page https://www.suse.com/security/cve/CVE-2025-40319/ SUSE CVE CVE-2025-40319 page https://www.suse.com/security/cve/CVE-2025-40320/ SUSE CVE CVE-2025-40320 page https://www.suse.com/security/cve/CVE-2025-40321/ SUSE CVE CVE-2025-40321 page https://www.suse.com/security/cve/CVE-2025-40322/ SUSE CVE CVE-2025-40322 page https://www.suse.com/security/cve/CVE-2025-40323/ SUSE CVE CVE-2025-40323 page https://www.suse.com/security/cve/CVE-2025-40324/ SUSE CVE CVE-2025-40324 page https://www.suse.com/security/cve/CVE-2025-40328/ SUSE CVE CVE-2025-40328 page https://www.suse.com/security/cve/CVE-2025-40329/ SUSE CVE CVE-2025-40329 page https://www.suse.com/security/cve/CVE-2025-40331/ SUSE CVE CVE-2025-40331 page https://www.suse.com/security/cve/CVE-2025-40337/ SUSE CVE CVE-2025-40337 page https://www.suse.com/security/cve/CVE-2025-40338/ SUSE CVE CVE-2025-40338 page https://www.suse.com/security/cve/CVE-2025-40339/ SUSE CVE CVE-2025-40339 page https://www.suse.com/security/cve/CVE-2025-40342/ SUSE CVE CVE-2025-40342 page https://www.suse.com/security/cve/CVE-2025-40343/ SUSE CVE CVE-2025-40343 page https://www.suse.com/security/cve/CVE-2025-40345/ SUSE CVE CVE-2025-40345 page https://www.suse.com/security/cve/CVE-2025-40346/ SUSE CVE CVE-2025-40346 page https://www.suse.com/security/cve/CVE-2025-40347/ SUSE CVE CVE-2025-40347 page https://www.suse.com/security/cve/CVE-2025-40349/ SUSE CVE CVE-2025-40349 page https://www.suse.com/security/cve/CVE-2025-40350/ SUSE CVE CVE-2025-40350 page https://www.suse.com/security/cve/CVE-2025-40351/ SUSE CVE CVE-2025-40351 page https://www.suse.com/security/cve/CVE-2025-40355/ SUSE CVE CVE-2025-40355 page https://www.suse.com/security/cve/CVE-2025-40360/ SUSE CVE CVE-2025-40360 page https://www.suse.com/security/cve/CVE-2025-40363/ SUSE CVE CVE-2025-40363 page https://www.suse.com/security/cve/CVE-2025-68168/ SUSE CVE CVE-2025-68168 page https://www.suse.com/security/cve/CVE-2025-68171/ SUSE CVE CVE-2025-68171 page https://www.suse.com/security/cve/CVE-2025-68172/ SUSE CVE CVE-2025-68172 page https://www.suse.com/security/cve/CVE-2025-68174/ SUSE CVE CVE-2025-68174 page https://www.suse.com/security/cve/CVE-2025-68176/ SUSE CVE CVE-2025-68176 page https://www.suse.com/security/cve/CVE-2025-68178/ SUSE CVE CVE-2025-68178 page https://www.suse.com/security/cve/CVE-2025-68180/ SUSE CVE CVE-2025-68180 page https://www.suse.com/security/cve/CVE-2025-68183/ SUSE CVE CVE-2025-68183 page https://www.suse.com/security/cve/CVE-2025-68185/ SUSE CVE CVE-2025-68185 page https://www.suse.com/security/cve/CVE-2025-68188/ SUSE CVE CVE-2025-68188 page https://www.suse.com/security/cve/CVE-2025-68190/ SUSE CVE CVE-2025-68190 page https://www.suse.com/security/cve/CVE-2025-68192/ SUSE CVE CVE-2025-68192 page https://www.suse.com/security/cve/CVE-2025-68194/ SUSE CVE CVE-2025-68194 page https://www.suse.com/security/cve/CVE-2025-68195/ SUSE CVE CVE-2025-68195 page https://www.suse.com/security/cve/CVE-2025-68200/ SUSE CVE CVE-2025-68200 page https://www.suse.com/security/cve/CVE-2025-68201/ SUSE CVE CVE-2025-68201 page https://www.suse.com/security/cve/CVE-2025-68204/ SUSE CVE CVE-2025-68204 page https://www.suse.com/security/cve/CVE-2025-68206/ SUSE CVE CVE-2025-68206 page https://www.suse.com/security/cve/CVE-2025-68208/ SUSE CVE CVE-2025-68208 page https://www.suse.com/security/cve/CVE-2025-68209/ SUSE CVE CVE-2025-68209 page https://www.suse.com/security/cve/CVE-2025-68217/ SUSE CVE CVE-2025-68217 page https://www.suse.com/security/cve/CVE-2025-68218/ SUSE CVE CVE-2025-68218 page https://www.suse.com/security/cve/CVE-2025-68222/ SUSE CVE CVE-2025-68222 page https://www.suse.com/security/cve/CVE-2025-68227/ SUSE CVE CVE-2025-68227 page https://www.suse.com/security/cve/CVE-2025-68230/ SUSE CVE CVE-2025-68230 page https://www.suse.com/security/cve/CVE-2025-68233/ SUSE CVE CVE-2025-68233 page https://www.suse.com/security/cve/CVE-2025-68235/ SUSE CVE CVE-2025-68235 page https://www.suse.com/security/cve/CVE-2025-68237/ SUSE CVE CVE-2025-68237 page https://www.suse.com/security/cve/CVE-2025-68238/ SUSE CVE CVE-2025-68238 page https://www.suse.com/security/cve/CVE-2025-68239/ SUSE CVE CVE-2025-68239 page https://www.suse.com/security/cve/CVE-2025-68241/ SUSE CVE CVE-2025-68241 page https://www.suse.com/security/cve/CVE-2025-68244/ SUSE CVE CVE-2025-68244 page https://www.suse.com/security/cve/CVE-2025-68245/ SUSE CVE CVE-2025-68245 page https://www.suse.com/security/cve/CVE-2025-68249/ SUSE CVE CVE-2025-68249 page https://www.suse.com/security/cve/CVE-2025-68252/ SUSE CVE CVE-2025-68252 page https://www.suse.com/security/cve/CVE-2025-68254/ SUSE CVE CVE-2025-68254 page https://www.suse.com/security/cve/CVE-2025-68255/ SUSE CVE CVE-2025-68255 page https://www.suse.com/security/cve/CVE-2025-68256/ SUSE CVE CVE-2025-68256 page https://www.suse.com/security/cve/CVE-2025-68257/ SUSE CVE CVE-2025-68257 page https://www.suse.com/security/cve/CVE-2025-68258/ SUSE CVE CVE-2025-68258 page https://www.suse.com/security/cve/CVE-2025-68259/ SUSE CVE CVE-2025-68259 page https://www.suse.com/security/cve/CVE-2025-68261/ SUSE CVE CVE-2025-68261 page https://www.suse.com/security/cve/CVE-2025-68264/ SUSE CVE CVE-2025-68264 page https://www.suse.com/security/cve/CVE-2025-68284/ SUSE CVE CVE-2025-68284 page https://www.suse.com/security/cve/CVE-2025-68285/ SUSE CVE CVE-2025-68285 page https://www.suse.com/security/cve/CVE-2025-68286/ SUSE CVE CVE-2025-68286 page https://www.suse.com/security/cve/CVE-2025-68287/ SUSE CVE CVE-2025-68287 page https://www.suse.com/security/cve/CVE-2025-68289/ SUSE CVE CVE-2025-68289 page https://www.suse.com/security/cve/CVE-2025-68290/ SUSE CVE CVE-2025-68290 page https://www.suse.com/security/cve/CVE-2025-68296/ SUSE CVE CVE-2025-68296 page https://www.suse.com/security/cve/CVE-2025-68297/ SUSE CVE CVE-2025-68297 page https://www.suse.com/security/cve/CVE-2025-68301/ SUSE CVE CVE-2025-68301 page https://www.suse.com/security/cve/CVE-2025-68303/ SUSE CVE CVE-2025-68303 page https://www.suse.com/security/cve/CVE-2025-68305/ SUSE CVE CVE-2025-68305 page https://www.suse.com/security/cve/CVE-2025-68307/ SUSE CVE CVE-2025-68307 page https://www.suse.com/security/cve/CVE-2025-68308/ SUSE CVE CVE-2025-68308 page https://www.suse.com/security/cve/CVE-2025-68312/ SUSE CVE CVE-2025-68312 page https://www.suse.com/security/cve/CVE-2025-68313/ SUSE CVE CVE-2025-68313 page https://www.suse.com/security/cve/CVE-2025-68320/ SUSE CVE CVE-2025-68320 page https://www.suse.com/security/cve/CVE-2025-68325/ SUSE CVE CVE-2025-68325 page https://www.suse.com/security/cve/CVE-2025-68327/ SUSE CVE CVE-2025-68327 page https://www.suse.com/security/cve/CVE-2025-68328/ SUSE CVE CVE-2025-68328 page https://www.suse.com/security/cve/CVE-2025-68330/ SUSE CVE CVE-2025-68330 page https://www.suse.com/security/cve/CVE-2025-68331/ SUSE CVE CVE-2025-68331 page https://www.suse.com/security/cve/CVE-2025-68332/ SUSE CVE CVE-2025-68332 page https://www.suse.com/security/cve/CVE-2025-68335/ SUSE CVE CVE-2025-68335 page https://www.suse.com/security/cve/CVE-2025-68337/ SUSE CVE CVE-2025-68337 page https://www.suse.com/security/cve/CVE-2025-68339/ SUSE CVE CVE-2025-68339 page https://www.suse.com/security/cve/CVE-2025-68340/ SUSE CVE CVE-2025-68340 page https://www.suse.com/security/cve/CVE-2025-68345/ SUSE CVE CVE-2025-68345 page https://www.suse.com/security/cve/CVE-2025-68346/ SUSE CVE CVE-2025-68346 page https://www.suse.com/security/cve/CVE-2025-68347/ SUSE CVE CVE-2025-68347 page https://www.suse.com/security/cve/CVE-2025-68349/ SUSE CVE CVE-2025-68349 page https://www.suse.com/security/cve/CVE-2025-68351/ SUSE CVE CVE-2025-68351 page https://www.suse.com/security/cve/CVE-2025-68354/ SUSE CVE CVE-2025-68354 page https://www.suse.com/security/cve/CVE-2025-68362/ SUSE CVE CVE-2025-68362 page https://www.suse.com/security/cve/CVE-2025-68363/ SUSE CVE CVE-2025-68363 page https://www.suse.com/security/cve/CVE-2025-68365/ SUSE CVE CVE-2025-68365 page https://www.suse.com/security/cve/CVE-2025-68366/ SUSE CVE CVE-2025-68366 page https://www.suse.com/security/cve/CVE-2025-68367/ SUSE CVE CVE-2025-68367 page https://www.suse.com/security/cve/CVE-2025-68372/ SUSE CVE CVE-2025-68372 page https://www.suse.com/security/cve/CVE-2025-68378/ SUSE CVE CVE-2025-68378 page https://www.suse.com/security/cve/CVE-2025-68379/ SUSE CVE CVE-2025-68379 page https://www.suse.com/security/cve/CVE-2025-68380/ SUSE CVE CVE-2025-68380 page https://www.suse.com/security/cve/CVE-2025-68724/ SUSE CVE CVE-2025-68724 page https://www.suse.com/security/cve/CVE-2025-68725/ SUSE CVE CVE-2025-68725 page https://www.suse.com/security/cve/CVE-2025-68727/ SUSE CVE CVE-2025-68727 page https://www.suse.com/security/cve/CVE-2025-68728/ SUSE CVE CVE-2025-68728 page https://www.suse.com/security/cve/CVE-2025-68732/ SUSE CVE CVE-2025-68732 page https://www.suse.com/security/cve/CVE-2025-68733/ SUSE CVE CVE-2025-68733 page https://www.suse.com/security/cve/CVE-2025-68734/ SUSE CVE CVE-2025-68734 page https://www.suse.com/security/cve/CVE-2025-68740/ SUSE CVE CVE-2025-68740 page https://www.suse.com/security/cve/CVE-2025-68742/ SUSE CVE CVE-2025-68742 page https://www.suse.com/security/cve/CVE-2025-68744/ SUSE CVE CVE-2025-68744 page https://www.suse.com/security/cve/CVE-2025-68746/ SUSE CVE CVE-2025-68746 page https://www.suse.com/security/cve/CVE-2025-68750/ SUSE CVE CVE-2025-68750 page https://www.suse.com/security/cve/CVE-2025-68753/ SUSE CVE CVE-2025-68753 page https://www.suse.com/security/cve/CVE-2025-68757/ SUSE CVE CVE-2025-68757 page https://www.suse.com/security/cve/CVE-2025-68758/ SUSE CVE CVE-2025-68758 page https://www.suse.com/security/cve/CVE-2025-68759/ SUSE CVE CVE-2025-68759 page https://www.suse.com/security/cve/CVE-2025-68764/ SUSE CVE CVE-2025-68764 page https://www.suse.com/security/cve/CVE-2025-68765/ SUSE CVE CVE-2025-68765 page https://www.suse.com/security/cve/CVE-2025-68766/ SUSE CVE CVE-2025-68766 page https://www.suse.com/security/cve/CVE-2025-68768/ SUSE CVE CVE-2025-68768 page https://www.suse.com/security/cve/CVE-2025-68770/ SUSE CVE CVE-2025-68770 page https://www.suse.com/security/cve/CVE-2025-68771/ SUSE CVE CVE-2025-68771 page https://www.suse.com/security/cve/CVE-2025-68773/ SUSE CVE CVE-2025-68773 page https://www.suse.com/security/cve/CVE-2025-68775/ SUSE CVE CVE-2025-68775 page https://www.suse.com/security/cve/CVE-2025-68776/ SUSE CVE CVE-2025-68776 page https://www.suse.com/security/cve/CVE-2025-68777/ SUSE CVE CVE-2025-68777 page https://www.suse.com/security/cve/CVE-2025-68783/ SUSE CVE CVE-2025-68783 page https://www.suse.com/security/cve/CVE-2025-68788/ SUSE CVE CVE-2025-68788 page https://www.suse.com/security/cve/CVE-2025-68789/ SUSE CVE CVE-2025-68789 page https://www.suse.com/security/cve/CVE-2025-68795/ SUSE CVE CVE-2025-68795 page https://www.suse.com/security/cve/CVE-2025-68797/ SUSE CVE CVE-2025-68797 page https://www.suse.com/security/cve/CVE-2025-68798/ SUSE CVE CVE-2025-68798 page https://www.suse.com/security/cve/CVE-2025-68800/ SUSE CVE CVE-2025-68800 page https://www.suse.com/security/cve/CVE-2025-68801/ SUSE CVE CVE-2025-68801 page https://www.suse.com/security/cve/CVE-2025-68803/ SUSE CVE CVE-2025-68803 page https://www.suse.com/security/cve/CVE-2025-68804/ SUSE CVE CVE-2025-68804 page https://www.suse.com/security/cve/CVE-2025-68808/ SUSE CVE CVE-2025-68808 page https://www.suse.com/security/cve/CVE-2025-68813/ SUSE CVE CVE-2025-68813 page https://www.suse.com/security/cve/CVE-2025-68814/ SUSE CVE CVE-2025-68814 page https://www.suse.com/security/cve/CVE-2025-68815/ SUSE CVE CVE-2025-68815 page https://www.suse.com/security/cve/CVE-2025-68816/ SUSE CVE CVE-2025-68816 page https://www.suse.com/security/cve/CVE-2025-68819/ SUSE CVE CVE-2025-68819 page https://www.suse.com/security/cve/CVE-2025-68820/ SUSE CVE CVE-2025-68820 page https://www.suse.com/security/cve/CVE-2025-71064/ SUSE CVE CVE-2025-71064 page https://www.suse.com/security/cve/CVE-2025-71066/ SUSE CVE CVE-2025-71066 page https://www.suse.com/security/cve/CVE-2025-71077/ SUSE CVE CVE-2025-71077 page https://www.suse.com/security/cve/CVE-2025-71078/ SUSE CVE CVE-2025-71078 page https://www.suse.com/security/cve/CVE-2025-71079/ SUSE CVE CVE-2025-71079 page https://www.suse.com/security/cve/CVE-2025-71081/ SUSE CVE CVE-2025-71081 page https://www.suse.com/security/cve/CVE-2025-71082/ SUSE CVE CVE-2025-71082 page https://www.suse.com/security/cve/CVE-2025-71083/ SUSE CVE CVE-2025-71083 page https://www.suse.com/security/cve/CVE-2025-71084/ SUSE CVE CVE-2025-71084 page https://www.suse.com/security/cve/CVE-2025-71085/ SUSE CVE CVE-2025-71085 page https://www.suse.com/security/cve/CVE-2025-71086/ SUSE CVE CVE-2025-71086 page https://www.suse.com/security/cve/CVE-2025-71087/ SUSE CVE CVE-2025-71087 page https://www.suse.com/security/cve/CVE-2025-71088/ SUSE CVE CVE-2025-71088 page https://www.suse.com/security/cve/CVE-2025-71089/ SUSE CVE CVE-2025-71089 page https://www.suse.com/security/cve/CVE-2025-71091/ SUSE CVE CVE-2025-71091 page https://www.suse.com/security/cve/CVE-2025-71093/ SUSE CVE CVE-2025-71093 page https://www.suse.com/security/cve/CVE-2025-71094/ SUSE CVE CVE-2025-71094 page https://www.suse.com/security/cve/CVE-2025-71095/ SUSE CVE CVE-2025-71095 page https://www.suse.com/security/cve/CVE-2025-71096/ SUSE CVE CVE-2025-71096 page https://www.suse.com/security/cve/CVE-2025-71097/ SUSE CVE CVE-2025-71097 page https://www.suse.com/security/cve/CVE-2025-71098/ SUSE CVE CVE-2025-71098 page https://www.suse.com/security/cve/CVE-2025-71100/ SUSE CVE CVE-2025-71100 page https://www.suse.com/security/cve/CVE-2025-71108/ SUSE CVE CVE-2025-71108 page https://www.suse.com/security/cve/CVE-2025-71111/ SUSE CVE CVE-2025-71111 page https://www.suse.com/security/cve/CVE-2025-71112/ SUSE CVE CVE-2025-71112 page https://www.suse.com/security/cve/CVE-2025-71114/ SUSE CVE CVE-2025-71114 page https://www.suse.com/security/cve/CVE-2025-71116/ SUSE CVE CVE-2025-71116 page https://www.suse.com/security/cve/CVE-2025-71118/ SUSE CVE CVE-2025-71118 page https://www.suse.com/security/cve/CVE-2025-71119/ SUSE CVE CVE-2025-71119 page https://www.suse.com/security/cve/CVE-2025-71120/ SUSE CVE CVE-2025-71120 page https://www.suse.com/security/cve/CVE-2025-71123/ SUSE CVE CVE-2025-71123 page https://www.suse.com/security/cve/CVE-2025-71130/ SUSE CVE CVE-2025-71130 page https://www.suse.com/security/cve/CVE-2025-71131/ SUSE CVE CVE-2025-71131 page https://www.suse.com/security/cve/CVE-2025-71132/ SUSE CVE CVE-2025-71132 page https://www.suse.com/security/cve/CVE-2025-71133/ SUSE CVE CVE-2025-71133 page https://www.suse.com/security/cve/CVE-2025-71135/ SUSE CVE CVE-2025-71135 page https://www.suse.com/security/cve/CVE-2025-71136/ SUSE CVE CVE-2025-71136 page https://www.suse.com/security/cve/CVE-2025-71137/ SUSE CVE CVE-2025-71137 page https://www.suse.com/security/cve/CVE-2025-71138/ SUSE CVE CVE-2025-71138 page https://www.suse.com/security/cve/CVE-2025-71145/ SUSE CVE CVE-2025-71145 page https://www.suse.com/security/cve/CVE-2025-71147/ SUSE CVE CVE-2025-71147 page https://www.suse.com/security/cve/CVE-2025-71149/ SUSE CVE CVE-2025-71149 page https://www.suse.com/security/cve/CVE-2025-71154/ SUSE CVE CVE-2025-71154 page https://www.suse.com/security/cve/CVE-2025-71162/ SUSE CVE CVE-2025-71162 page https://www.suse.com/security/cve/CVE-2025-71163/ SUSE CVE CVE-2025-71163 page https://www.suse.com/security/cve/CVE-2026-22976/ SUSE CVE CVE-2026-22976 page https://www.suse.com/security/cve/CVE-2026-22977/ SUSE CVE CVE-2026-22977 page https://www.suse.com/security/cve/CVE-2026-22978/ SUSE CVE CVE-2026-22978 page https://www.suse.com/security/cve/CVE-2026-22984/ SUSE CVE CVE-2026-22984 page https://www.suse.com/security/cve/CVE-2026-22985/ SUSE CVE CVE-2026-22985 page https://www.suse.com/security/cve/CVE-2026-22988/ SUSE CVE CVE-2026-22988 page https://www.suse.com/security/cve/CVE-2026-22990/ SUSE CVE CVE-2026-22990 page https://www.suse.com/security/cve/CVE-2026-22991/ SUSE CVE CVE-2026-22991 page https://www.suse.com/security/cve/CVE-2026-22992/ SUSE CVE CVE-2026-22992 page https://www.suse.com/security/cve/CVE-2026-22993/ SUSE CVE CVE-2026-22993 page https://www.suse.com/security/cve/CVE-2026-22996/ SUSE CVE CVE-2026-22996 page https://www.suse.com/security/cve/CVE-2026-22997/ SUSE CVE CVE-2026-22997 page https://www.suse.com/security/cve/CVE-2026-22999/ SUSE CVE CVE-2026-22999 page https://www.suse.com/security/cve/CVE-2026-23000/ SUSE CVE CVE-2026-23000 page https://www.suse.com/security/cve/CVE-2026-23001/ SUSE CVE CVE-2026-23001 page https://www.suse.com/security/cve/CVE-2026-23005/ SUSE CVE CVE-2026-23005 page https://www.suse.com/security/cve/CVE-2026-23006/ SUSE CVE CVE-2026-23006 page https://www.suse.com/security/cve/CVE-2026-23010/ SUSE CVE CVE-2026-23010 page https://www.suse.com/security/cve/CVE-2026-23011/ SUSE CVE CVE-2026-23011 page SUSE Linux Micro 6.1 kernel-default-6.4.0-39.1 kernel-default-base-6.4.0-39.1.21.16 kernel-default-devel-6.4.0-39.1 kernel-default-livepatch-6.4.0-39.1 kernel-devel-6.4.0-39.1 kernel-kvmsmall-6.4.0-39.1 kernel-macros-6.4.0-39.1 kernel-source-6.4.0-39.1 kernel-default-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-default-base-6.4.0-39.1.21.16 as a component of SUSE Linux Micro 6.1 kernel-default-devel-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-default-livepatch-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-devel-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-kvmsmall-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-macros-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 kernel-source-6.4.0-39.1 as a component of SUSE Linux Micro 6.1 An integer overflow flaw was found in the Linux kernel. This issue leads to the kernel allocating `skb_shared_info` in the userspace, which is exploitable in systems without SMAP protection since `skb_shared_info` contains references to function pointers. CVE-2023-42752 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-42752.html CVE-2023-42752 https://bugzilla.suse.com/1215146 SUSE Bug 1215146 https://bugzilla.suse.com/1215468 SUSE Bug 1215468 In the Linux kernel, the following vulnerability has been resolved: drm/stm: ltdc: fix late dereference check In ltdc_crtc_set_crc_source(), struct drm_crtc was dereferenced in a container_of() before the pointer check. This could cause a kernel panic. Fix this smatch warning: drivers/gpu/drm/stm/ltdc.c:1124 ltdc_crtc_set_crc_source() warn: variable dereferenced before check 'crtc' (see line 1119) CVE-2023-53714 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53714.html CVE-2023-53714 https://bugzilla.suse.com/1254465 SUSE Bug 1254465 In the Linux kernel, the following vulnerability has been resolved: PCI: Free released resource after coalescing release_resource() doesn't actually free the resource or resource list entry so free the resource list entry to avoid a leak. CVE-2023-53743 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53743.html CVE-2023-53743 https://bugzilla.suse.com/1254782 SUSE Bug 1254782 In the Linux kernel, the following vulnerability has been resolved: pinctrl: freescale: Fix a memory out of bounds when num_configs is 1 The config passed in by pad wakeup is 1, when num_configs is 1, Configuration [1] should not be fetched, which will be detected by KASAN as a memory out of bounds condition. Modify to get configs[1] when num_configs is 2. CVE-2023-53750 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53750.html CVE-2023-53750 https://bugzilla.suse.com/1254611 SUSE Bug 1254611 In the Linux kernel, the following vulnerability has been resolved: net: deal with integer overflows in kmalloc_reserve() Blamed commit changed: ptr = kmalloc(size); if (ptr) size = ksize(ptr); size = kmalloc_size_roundup(size); ptr = kmalloc(size); This allowed various crash as reported by syzbot [1] and Kyle Zeng. Problem is that if @size is bigger than 0x80000001, kmalloc_size_roundup(size) returns 2^32. kmalloc_reserve() uses a 32bit variable (obj_size), so 2^32 is truncated to 0. kmalloc(0) returns ZERO_SIZE_PTR which is not handled by skb allocations. Following trace can be triggered if a netdev->mtu is set close to 0x7fffffff We might in the future limit netdev->mtu to more sensible limit (like KMALLOC_MAX_SIZE). This patch is based on a syzbot report, and also a report and tentative fix from Kyle Zeng. [1] BUG: KASAN: user-memory-access in __build_skb_around net/core/skbuff.c:294 [inline] BUG: KASAN: user-memory-access in __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 Write of size 32 at addr 00000000fffffd10 by task syz-executor.4/22554 CPU: 1 PID: 22554 Comm: syz-executor.4 Not tainted 6.1.39-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 Call trace: dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:279 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:286 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x120/0x1a0 lib/dump_stack.c:106 print_report+0xe4/0x4b4 mm/kasan/report.c:398 kasan_report+0x150/0x1ac mm/kasan/report.c:495 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 memset+0x40/0x70 mm/kasan/shadow.c:44 __build_skb_around net/core/skbuff.c:294 [inline] __alloc_skb+0x3c4/0x6e8 net/core/skbuff.c:527 alloc_skb include/linux/skbuff.h:1316 [inline] igmpv3_newpack+0x104/0x1088 net/ipv4/igmp.c:359 add_grec+0x81c/0x1124 net/ipv4/igmp.c:534 igmpv3_send_cr net/ipv4/igmp.c:667 [inline] igmp_ifc_timer_expire+0x1b0/0x1008 net/ipv4/igmp.c:810 call_timer_fn+0x1c0/0x9f0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers+0x54c/0x710 kernel/time/timer.c:1790 run_timer_softirq+0x28/0x4c kernel/time/timer.c:1803 _stext+0x380/0xfbc ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:84 invoke_softirq kernel/softirq.c:437 [inline] __irq_exit_rcu+0x1c0/0x4cc kernel/softirq.c:683 irq_exit_rcu+0x14/0x78 kernel/softirq.c:695 el0_interrupt+0x7c/0x2e0 arch/arm64/kernel/entry-common.c:717 __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:724 el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:729 el0t_64_irq+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 CVE-2023-53752 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53752.html CVE-2023-53752 https://bugzilla.suse.com/1254613 SUSE Bug 1254613 In the Linux kernel, the following vulnerability has been resolved: HID: hidraw: fix data race on device refcount The hidraw_open() function increments the hidraw device reference counter. The counter has no dedicated synchronization mechanism, resulting in a potential data race when concurrently opening a device. The race is a regression introduced by commit 8590222e4b02 ("HID: hidraw: Replace hidraw device table mutex with a rwsem"). While minors_rwsem is intended to protect the hidraw_table itself, by instead acquiring the lock for writing, the reference counter is also protected. This is symmetrical to hidraw_release(). CVE-2023-53759 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53759.html CVE-2023-53759 https://bugzilla.suse.com/1254663 SUSE Bug 1254663 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync Use-after-free can occur in hci_disconnect_all_sync if a connection is deleted by concurrent processing of a controller event. To prevent this the code now tries to iterate over the list backwards to ensure the links are cleanup before its parents, also it no longer relies on a cursor, instead it always uses the last element since hci_abort_conn_sync is guaranteed to call hci_conn_del. UAF crash log: ================================================================== BUG: KASAN: slab-use-after-free in hci_set_powered_sync (net/bluetooth/hci_sync.c:5424) [bluetooth] Read of size 8 at addr ffff888009d9c000 by task kworker/u9:0/124 CPU: 0 PID: 124 Comm: kworker/u9:0 Tainted: G W 6.5.0-rc1+ #10 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 Workqueue: hci0 hci_cmd_sync_work [bluetooth] Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0xdd/0x160 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] kasan_report+0xa6/0xe0 ? hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_set_powered_sync+0x2c9/0x4a0 [bluetooth] ? __pfx_hci_set_powered_sync+0x10/0x10 [bluetooth] ? __pfx_lock_release+0x10/0x10 ? __pfx_set_powered_sync+0x10/0x10 [bluetooth] hci_cmd_sync_work+0x137/0x220 [bluetooth] process_one_work+0x526/0x9d0 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? mark_held_locks+0x1a/0x90 worker_thread+0x92/0x630 ? __pfx_worker_thread+0x10/0x10 kthread+0x196/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> Allocated by task 1782: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x8f/0xa0 hci_conn_add+0xa5/0xa80 [bluetooth] hci_bind_cis+0x881/0x9b0 [bluetooth] iso_connect_cis+0x121/0x520 [bluetooth] iso_sock_connect+0x3f6/0x790 [bluetooth] __sys_connect+0x109/0x130 __x64_sys_connect+0x40/0x50 do_syscall_64+0x60/0x90 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Freed by task 695: kasan_save_stack+0x33/0x60 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x50 __kasan_slab_free+0x10a/0x180 __kmem_cache_free+0x14d/0x2e0 device_release+0x5d/0xf0 kobject_put+0xdf/0x270 hci_disconn_complete_evt+0x274/0x3a0 [bluetooth] hci_event_packet+0x579/0x7e0 [bluetooth] hci_rx_work+0x287/0xaa0 [bluetooth] process_one_work+0x526/0x9d0 worker_thread+0x92/0x630 kthread+0x196/0x1e0 ret_from_fork+0x2c/0x50 ================================================================== CVE-2023-53762 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53762.html CVE-2023-53762 https://bugzilla.suse.com/1254606 SUSE Bug 1254606 In the Linux kernel, the following vulnerability has been resolved: FS: JFS: Check for read-only mounted filesystem in txBegin This patch adds a check for read-only mounted filesystem in txBegin before starting a transaction potentially saving from NULL pointer deref. CVE-2023-53766 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53766.html CVE-2023-53766 https://bugzilla.suse.com/1255005 SUSE Bug 1255005 https://bugzilla.suse.com/1255006 SUSE Bug 1255006 In the Linux kernel, the following vulnerability has been resolved: regmap-irq: Fix out-of-bounds access when allocating config buffers When allocating the 2D array for handling IRQ type registers in regmap_add_irq_chip_fwnode(), the intent is to allocate a matrix with num_config_bases rows and num_config_regs columns. This is currently handled by allocating a buffer to hold a pointer for each row (i.e. num_config_bases). After that, the logic attempts to allocate the memory required to hold the register configuration for each row. However, instead of doing this allocation for each row (i.e. num_config_bases allocations), the logic erroneously does this allocation num_config_regs number of times. This scenario can lead to out-of-bounds accesses when num_config_regs is greater than num_config_bases. Fix this by updating the terminating condition of the loop that allocates the memory for holding the register configuration to allocate memory only for each row in the matrix. Amit Pundir reported a crash that was occurring on his db845c device due to memory corruption (see "Closes" tag for Amit's report). The KASAN report below helped narrow it down to this issue: [ 14.033877][ T1] ================================================================== [ 14.042507][ T1] BUG: KASAN: invalid-access in regmap_add_irq_chip_fwnode+0x594/0x1364 [ 14.050796][ T1] Write of size 8 at addr 06ffff8081021850 by task init/1 [ 14.242004][ T1] The buggy address belongs to the object at ffffff8081021850 [ 14.242004][ T1] which belongs to the cache kmalloc-8 of size 8 [ 14.255669][ T1] The buggy address is located 0 bytes inside of [ 14.255669][ T1] 8-byte region [ffffff8081021850, ffffff8081021858) CVE-2023-53768 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53768.html CVE-2023-53768 https://bugzilla.suse.com/1254599 SUSE Bug 1254599 In the Linux kernel, the following vulnerability has been resolved: erofs: kill hooked chains to avoid loops on deduplicated compressed images After heavily stressing EROFS with several images which include a hand-crafted image of repeated patterns for more than 46 days, I found two chains could be linked with each other almost simultaneously and form a loop so that the entire loop won't be submitted. As a consequence, the corresponding file pages will remain locked forever. It can be _only_ observed on data-deduplicated compressed images. For example, consider two chains with five pclusters in total: Chain 1: 2->3->4->5 -- The tail pcluster is 5; Chain 2: 5->1->2 -- The tail pcluster is 2. Chain 2 could link to Chain 1 with pcluster 5; and Chain 1 could link to Chain 2 at the same time with pcluster 2. Since hooked chains are all linked locklessly now, I have no idea how to simply avoid the race. Instead, let's avoid hooked chains completely until I could work out a proper way to fix this and end users finally tell us that it's needed to add it back. Actually, this optimization can be found with multi-threaded workloads (especially even more often on deduplicated compressed images), yet I'm not sure about the overall system impacts of not having this compared with implementation complexity. CVE-2023-53777 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53777.html CVE-2023-53777 https://bugzilla.suse.com/1254749 SUSE Bug 1254749 In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Clean up integer overflow checking in map_user_pages() The encode_dma() function has some validation on in_trans->size but it would be more clear to move those checks to find_and_map_user_pages(). The encode_dma() had two checks: if (in_trans->addr + in_trans->size < in_trans->addr || !in_trans->size) return -EINVAL; The in_trans->addr variable is the starting address. The in_trans->size variable is the total size of the transfer. The transfer can occur in parts and the resources->xferred_dma_size tracks how many bytes we have already transferred. This patch introduces a new variable "remaining" which represents the amount we want to transfer (in_trans->size) minus the amount we have already transferred (resources->xferred_dma_size). I have modified the check for if in_trans->size is zero to instead check if in_trans->size is less than resources->xferred_dma_size. If we have already transferred more bytes than in_trans->size then there are negative bytes remaining which doesn't make sense. If there are zero bytes remaining to be copied, just return success. The check in encode_dma() checked that "addr + size" could not overflow and barring a driver bug that should work, but it's easier to check if we do this in parts. First check that "in_trans->addr + resources->xferred_dma_size" is safe. Then check that "xfer_start_addr + remaining" is safe. My final concern was that we are dealing with u64 values but on 32bit systems the kmalloc() function will truncate the sizes to 32 bits. So I calculated "total = in_trans->size + offset_in_page(xfer_start_addr);" and returned -EINVAL if it were >= SIZE_MAX. This will not affect 64bit systems. CVE-2023-53778 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53778.html CVE-2023-53778 https://bugzilla.suse.com/1254761 SUSE Bug 1254761 In the Linux kernel, the following vulnerability has been resolved: dccp: Fix out of bounds access in DCCP error handler There was a previous attempt to fix an out-of-bounds access in the DCCP error handlers, but that fix assumed that the error handlers only want to access the first 8 bytes of the DCCP header. Actually, they also look at the DCCP sequence number, which is stored beyond 8 bytes, so an explicit pskb_may_pull() is required. CVE-2023-53782 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53782.html CVE-2023-53782 https://bugzilla.suse.com/1254758 SUSE Bug 1254758 In the Linux kernel, the following vulnerability has been resolved: drm: bridge: dw_hdmi: fix connector access for scdc Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc interface to pick up an i2c adapter from a connector instead. However, in the case of dw-hdmi, the wrong connector was being used to pass i2c adapter information, since dw-hdmi's embedded connector structure is only populated when the bridge attachment callback explicitly asks for it. drm-meson is handling connector creation, so this won't happen, leading to a NULL pointer dereference. Fix it by having scdc functions access dw-hdmi's current connector pointer instead, which is assigned during the bridge enablement stage. [narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag] CVE-2023-53784 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53784.html CVE-2023-53784 https://bugzilla.suse.com/1254765 SUSE Bug 1254765 In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: don't assume adequate headroom for SDIO headers mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that adequate headroom will be available in the passed skb. This assumption typically is satisfied when the skb was allocated in the net core for transmission via the mt7921 netdev (although even that is only an optimization and is not strictly guaranteed), but the assumption is sometimes not satisfied when the skb originated in the receive path of another netdev and was passed through to the mt7921, such as by the bridge layer. Blindly prepending bytes to an skb is always wrong. This commit introduces a call to skb_cow_head() before the call to mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be pushed onto the skb. Without this fix, I can trivially cause kernel panics by bridging an MT7921AU-based USB 802.11ax interface with an Ethernet interface on an Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet adapter and also on an ARM-based Raspberry Pi 1 using its onboard SMSC9512 USB Ethernet adapter. Note that the panics do not occur in every system configuration, as they occur only if the receiving netdev leaves less headroom in its received skbs than the mt7921 needs for its SDIO headers. Here is an example stack trace of this panic on Raspberry Pi OS Lite 2023-02-21 running kernel 6.1.24+ [1]: skb_panic from skb_push+0x44/0x48 skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common] mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb] mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76] __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76] mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76] mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common] mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76] __mt76_worker_fn [mt76] from kthread+0xbc/0xe0 kthread from ret_from_fork+0x14/0x34 After this fix, bridging the mt7921 interface works fine on both of my previously problematic systems. [1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a CVE-2023-53785 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53785.html CVE-2023-53785 https://bugzilla.suse.com/1254918 SUSE Bug 1254918 In the Linux kernel, the following vulnerability has been resolved: regulator: da9063: fix null pointer deref with partial DT config When some of the da9063 regulators do not have corresponding DT nodes a null pointer dereference occurs on boot because such regulators have no init_data causing the pointers calculated in da9063_check_xvp_constraints() to be invalid. Do not dereference them in this case. CVE-2023-53787 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53787.html CVE-2023-53787 https://bugzilla.suse.com/1254750 SUSE Bug 1254750 In the Linux kernel, the following vulnerability has been resolved: md: fix warning for holder mismatch from export_rdev() Commit a1d767191096 ("md: use mddev->external to select holder in export_rdev()") fix the problem that 'claim_rdev' is used for blkdev_get_by_dev() while 'rdev' is used for blkdev_put(). However, if mddev->external is changed from 0 to 1, then 'rdev' is used for blkdev_get_by_dev() while 'claim_rdev' is used for blkdev_put(). And this problem can be reporduced reliably by following: New file: mdadm/tests/23rdev-lifetime devname=${dev0##*/} devt=`cat /sys/block/$devname/dev` pid="" runtime=2 clean_up_test() { pill -9 $pid echo clear > /sys/block/md0/md/array_state } trap 'clean_up_test' EXIT add_by_sysfs() { while true; do echo $devt > /sys/block/md0/md/new_dev done } remove_by_sysfs(){ while true; do echo remove > /sys/block/md0/md/dev-${devname}/state done } echo md0 > /sys/module/md_mod/parameters/new_array || die "create md0 failed" add_by_sysfs & pid="$pid $!" remove_by_sysfs & pid="$pid $!" sleep $runtime exit 0 Test cmd: ./test --save-logs --logdir=/tmp/ --keep-going --dev=loop --tests=23rdev-lifetime Test result: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 960 at block/bdev.c:618 blkdev_put+0x27c/0x330 Modules linked in: multipath md_mod loop CPU: 0 PID: 960 Comm: test Not tainted 6.5.0-rc2-00121-g01e55c376936-dirty #50 RIP: 0010:blkdev_put+0x27c/0x330 Call Trace: <TASK> export_rdev.isra.23+0x50/0xa0 [md_mod] mddev_unlock+0x19d/0x300 [md_mod] rdev_attr_store+0xec/0x190 [md_mod] sysfs_kf_write+0x52/0x70 kernfs_fop_write_iter+0x19a/0x2a0 vfs_write+0x3b5/0x770 ksys_write+0x74/0x150 __x64_sys_write+0x22/0x30 do_syscall_64+0x40/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fix the problem by recording if 'rdev' is used as holder. CVE-2023-53791 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53791.html CVE-2023-53791 https://bugzilla.suse.com/1254742 SUSE Bug 1254742 In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_ctrl_secret Free dhchap_secret in nvme_ctrl_dhchap_ctrl_secret_store() before we return when nvme_auth_generate_key() returns error. CVE-2023-53792 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53792.html CVE-2023-53792 https://bugzilla.suse.com/1254743 SUSE Bug 1254743 In the Linux kernel, the following vulnerability has been resolved: perf tool x86: Fix perf_env memory leak Found by leak sanitizer: ``` ==1632594==ERROR: LeakSanitizer: detected memory leaks Direct leak of 21 byte(s) in 1 object(s) allocated from: #0 0x7f2953a7077b in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cpp:439 #1 0x556701d6fbbf in perf_env__read_cpuid util/env.c:369 #2 0x556701d70589 in perf_env__cpuid util/env.c:465 #3 0x55670204bba2 in x86__is_amd_cpu arch/x86/util/env.c:14 #4 0x5567020487a2 in arch__post_evsel_config arch/x86/util/evsel.c:83 #5 0x556701d8f78b in evsel__config util/evsel.c:1366 #6 0x556701ef5872 in evlist__config util/record.c:108 #7 0x556701cd6bcd in test__PERF_RECORD tests/perf-record.c:112 #8 0x556701cacd07 in run_test tests/builtin-test.c:236 #9 0x556701cacfac in test_and_print tests/builtin-test.c:265 #10 0x556701cadddb in __cmd_test tests/builtin-test.c:402 #11 0x556701caf2aa in cmd_test tests/builtin-test.c:559 #12 0x556701d3b557 in run_builtin tools/perf/perf.c:323 #13 0x556701d3bac8 in handle_internal_command tools/perf/perf.c:377 #14 0x556701d3be90 in run_argv tools/perf/perf.c:421 #15 0x556701d3c3f8 in main tools/perf/perf.c:537 #16 0x7f2952a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: 21 byte(s) leaked in 1 allocation(s). ``` CVE-2023-53793 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53793.html CVE-2023-53793 https://bugzilla.suse.com/1254739 SUSE Bug 1254739 In the Linux kernel, the following vulnerability has been resolved: cifs: fix session state check in reconnect to avoid use-after-free issue Don't collect exiting session in smb2_reconnect_server(), because it will be released soon. Note that the exiting session will stay in server->smb_ses_list until it complete the cifs_free_ipc() and logoff() and then delete itself from the list. CVE-2023-53794 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53794.html CVE-2023-53794 https://bugzilla.suse.com/1255163 SUSE Bug 1255163 https://bugzilla.suse.com/1255235 SUSE Bug 1255235 In the Linux kernel, the following vulnerability has been resolved: iommufd: IOMMUFD_DESTROY should not increase the refcount syzkaller found a race where IOMMUFD_DESTROY increments the refcount: obj = iommufd_get_object(ucmd->ictx, cmd->id, IOMMUFD_OBJ_ANY); if (IS_ERR(obj)) return PTR_ERR(obj); iommufd_ref_to_users(obj); /* See iommufd_ref_to_users() */ if (!iommufd_object_destroy_user(ucmd->ictx, obj)) As part of the sequence to join the two existing primitives together. Allowing the refcount the be elevated without holding the destroy_rwsem violates the assumption that all temporary refcount elevations are protected by destroy_rwsem. Racing IOMMUFD_DESTROY with iommufd_object_destroy_user() will cause spurious failures: WARNING: CPU: 0 PID: 3076 at drivers/iommu/iommufd/device.c:477 iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:478 Modules linked in: CPU: 0 PID: 3076 Comm: syz-executor.0 Not tainted 6.3.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 RIP: 0010:iommufd_access_destroy+0x18/0x20 drivers/iommu/iommufd/device.c:477 Code: e8 3d 4e 00 00 84 c0 74 01 c3 0f 0b c3 0f 1f 44 00 00 f3 0f 1e fa 48 89 fe 48 8b bf a8 00 00 00 e8 1d 4e 00 00 84 c0 74 01 c3 <0f> 0b c3 0f 1f 44 00 00 41 57 41 56 41 55 4c 8d ae d0 00 00 00 41 RSP: 0018:ffffc90003067e08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888109ea0300 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00000000ffffffff RBP: 0000000000000004 R08: 0000000000000000 R09: ffff88810bbb3500 R10: ffff88810bbb3e48 R11: 0000000000000000 R12: ffffc90003067e88 R13: ffffc90003067ea8 R14: ffff888101249800 R15: 00000000fffffffe FS: 00007ff7254fe6c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555557262da8 CR3: 000000010a6fd000 CR4: 0000000000350ef0 Call Trace: <TASK> iommufd_test_create_access drivers/iommu/iommufd/selftest.c:596 [inline] iommufd_test+0x71c/0xcf0 drivers/iommu/iommufd/selftest.c:813 iommufd_fops_ioctl+0x10f/0x1b0 drivers/iommu/iommufd/main.c:337 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x84/0xc0 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The solution is to not increment the refcount on the IOMMUFD_DESTROY path at all. Instead use the xa_lock to serialize everything. The refcount check == 1 and xa_erase can be done under a single critical region. This avoids the need for any refcount incrementing. It has the downside that if userspace races destroy with other operations it will get an EBUSY instead of waiting, but this is kind of racing is already dangerous. CVE-2023-53795 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53795.html CVE-2023-53795 https://bugzilla.suse.com/1254737 SUSE Bug 1254737 In the Linux kernel, the following vulnerability has been resolved: HID: wacom: Use ktime_t rather than int when dealing with timestamps Code which interacts with timestamps needs to use the ktime_t type returned by functions like ktime_get. The int type does not offer enough space to store these values, and attempting to use it is a recipe for problems. In this particular case, overflows would occur when calculating/storing timestamps leading to incorrect values being reported to userspace. In some cases these bad timestamps cause input handling in userspace to appear hung. CVE-2023-53797 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53797.html CVE-2023-53797 https://bugzilla.suse.com/1254733 SUSE Bug 1254733 In the Linux kernel, the following vulnerability has been resolved: crypto: api - Use work queue in crypto_destroy_instance The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. CVE-2023-53799 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53799.html CVE-2023-53799 https://bugzilla.suse.com/1254732 SUSE Bug 1254732 In the Linux kernel, the following vulnerability has been resolved: clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider() Smatch detected this potential error pointer dereference clk_wzrd_register_divider(). If devm_clk_hw_register() fails then it sets "hw" to an error pointer and then dereferences it on the next line. Return the error directly instead. CVE-2023-53807 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53807.html CVE-2023-53807 https://bugzilla.suse.com/1254724 SUSE Bug 1254724 In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix memory leak in mwifiex_histogram_read() Always free the zeroed page on return from 'mwifiex_histogram_read()'. CVE-2023-53808 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53808.html CVE-2023-53808 https://bugzilla.suse.com/1254723 SUSE Bug 1254723 In the Linux kernel, the following vulnerability has been resolved: ext4: fix rbtree traversal bug in ext4_mb_use_preallocated During allocations, while looking for preallocations(PA) in the per inode rbtree, we can't do a direct traversal of the tree because ext4_mb_discard_group_preallocation() can paralelly mark the pa deleted and that can cause direct traversal to skip some entries. This was leading to a BUG_ON() being hit [1] when we missed a PA that could satisfy our request and ultimately tried to create a new PA that would overlap with the missed one. To makes sure we handle that case while still keeping the performance of the rbtree, we make use of the fact that the only pa that could possibly overlap the original goal start is the one that satisfies the below conditions: 1. It must have it's logical start immediately to the left of (ie less than) original logical start. 2. It must not be deleted To find this pa we use the following traversal method: 1. Descend into the rbtree normally to find the immediate neighboring PA. Here we keep descending irrespective of if the PA is deleted or if it overlaps with our request etc. The goal is to find an immediately adjacent PA. 2. If the found PA is on right of original goal, use rb_prev() to find the left adjacent PA. 3. Check if this PA is deleted and keep moving left with rb_prev() until a non deleted PA is found. 4. This is the PA we are looking for. Now we can check if it can satisfy the original request and proceed accordingly. This approach also takes care of having deleted PAs in the tree. (While we are at it, also fix a possible overflow bug in calculating the end of a PA) [1] https://lore.kernel.org/linux-ext4/CA+G9fYv2FRpLqBZf34ZinR8bU2_ZRAUOjKAD3+tKRFaEQHtt8Q@mail.gmail.com/ CVE-2023-53813 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53813.html CVE-2023-53813 https://bugzilla.suse.com/1254717 SUSE Bug 1254717 In the Linux kernel, the following vulnerability has been resolved: posix-timers: Prevent RT livelock in itimer_delete() itimer_delete() has a retry loop when the timer is concurrently expired. On non-RT kernels this just spin-waits until the timer callback has completed, except for posix CPU timers which have HAVE_POSIX_CPU_TIMERS_TASK_WORK enabled. In that case and on RT kernels the existing task could live lock when preempting the task which does the timer delivery. Replace spin_unlock() with an invocation of timer_wait_running() to handle it the same way as the other retry loops in the posix timer code. CVE-2023-53815 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53815.html CVE-2023-53815 https://bugzilla.suse.com/1254715 SUSE Bug 1254715 In the Linux kernel, the following vulnerability has been resolved: amdgpu: validate offset_in_bo of drm_amdgpu_gem_va This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows. v2: keep the validations in amdgpu_vm_bo_map v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map rather than to amdgpu_gem_va_ioctl CVE-2023-53819 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53819.html CVE-2023-53819 https://bugzilla.suse.com/1254712 SUSE Bug 1254712 In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix slab-use-after-free in decode_session6 When ipv6_vti device is set to the qdisc of the sfb type, the cb field of the sent skb may be modified during enqueuing. Then, slab-use-after-free may occur when ipv6_vti device sends IPv6 packets. The stack information is as follows: BUG: KASAN: slab-use-after-free in decode_session6+0x103f/0x1890 Read of size 1 at addr ffff88802e08edc2 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.4.0-next-20230707-00001-g84e2cad7f979 #410 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0xd9/0x150 print_address_description.constprop.0+0x2c/0x3c0 kasan_report+0x11d/0x130 decode_session6+0x103f/0x1890 __xfrm_decode_session+0x54/0xb0 vti6_tnl_xmit+0x3e6/0x1ee0 dev_hard_start_xmit+0x187/0x700 sch_direct_xmit+0x1a3/0xc30 __qdisc_run+0x510/0x17a0 __dev_queue_xmit+0x2215/0x3b10 neigh_connected_output+0x3c2/0x550 ip6_finish_output2+0x55a/0x1550 ip6_finish_output+0x6b9/0x1270 ip6_output+0x1f1/0x540 ndisc_send_skb+0xa63/0x1890 ndisc_send_rs+0x132/0x6f0 addrconf_rs_timer+0x3f1/0x870 call_timer_fn+0x1a0/0x580 expire_timers+0x29b/0x4b0 run_timer_softirq+0x326/0x910 __do_softirq+0x1d4/0x905 irq_exit_rcu+0xb7/0x120 sysvec_apic_timer_interrupt+0x97/0xc0 </IRQ> Allocated by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 __kasan_slab_alloc+0x7f/0x90 kmem_cache_alloc_node+0x1cd/0x410 kmalloc_reserve+0x165/0x270 __alloc_skb+0x129/0x330 netlink_sendmsg+0x9b1/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 9176: kasan_save_stack+0x22/0x40 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2b/0x40 ____kasan_slab_free+0x160/0x1c0 slab_free_freelist_hook+0x11b/0x220 kmem_cache_free+0xf0/0x490 skb_free_head+0x17f/0x1b0 skb_release_data+0x59c/0x850 consume_skb+0xd2/0x170 netlink_unicast+0x54f/0x7f0 netlink_sendmsg+0x926/0xe30 sock_sendmsg+0xde/0x190 ____sys_sendmsg+0x739/0x920 ___sys_sendmsg+0x110/0x1b0 __sys_sendmsg+0xf7/0x1c0 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88802e08ed00 which belongs to the cache skbuff_small_head of size 640 The buggy address is located 194 bytes inside of freed 640-byte region [ffff88802e08ed00, ffff88802e08ef80) As commit f855691975bb ("xfrm6: Fix the nexthdr offset in _decode_session6.") showed, xfrm_decode_session was originally intended only for the receive path. IP6CB(skb)->nhoff is not set during transmission. Therefore, set the cb field in the skb to 0 before sending packets. CVE-2023-53821 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53821.html CVE-2023-53821 https://bugzilla.suse.com/1254669 SUSE Bug 1254669 In the Linux kernel, the following vulnerability has been resolved: block/rq_qos: protect rq_qos apis with a new lock commit 50e34d78815e ("block: disable the elevator int del_gendisk") move rq_qos_exit() from disk_release() to del_gendisk(), this will introduce some problems: 1) If rq_qos_add() is triggered by enabling iocost/iolatency through cgroupfs, then it can concurrent with del_gendisk(), it's not safe to write 'q->rq_qos' concurrently. 2) Activate cgroup policy that is relied on rq_qos will call rq_qos_add() and blkcg_activate_policy(), and if rq_qos_exit() is called in the middle, null-ptr-dereference will be triggered in blkcg_activate_policy(). 3) blkg_conf_open_bdev() can call blkdev_get_no_open() first to find the disk, then if rq_qos_exit() from del_gendisk() is done before rq_qos_add(), then memory will be leaked. This patch add a new disk level mutex 'rq_qos_mutex': 1) The lock will protect rq_qos_exit() directly. 2) For wbt that doesn't relied on blk-cgroup, rq_qos_add() can only be called from disk initialization for now because wbt can't be destructed until rq_qos_exit(), so it's safe not to protect wbt for now. Hoever, in case that rq_qos dynamically destruction is supported in the furture, this patch also protect rq_qos_add() from wbt_init() directly, this is enough because blk-sysfs already synchronize writers with disk removal. 3) For iocost and iolatency, in order to synchronize disk removal and cgroup configuration, the lock is held after blkdev_get_no_open() from blkg_conf_open_bdev(), and is released in blkg_conf_exit(). In order to fix the above memory leak, disk_live() is checked after holding the new lock. CVE-2023-53823 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53823.html CVE-2023-53823 https://bugzilla.suse.com/1254691 SUSE Bug 1254691 In the Linux kernel, the following vulnerability has been resolved: kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by updating kcm_tx_msg(head)->last_skb if partial data is copied so that the following sendmsg() will resume from the skb. However, we cannot know how many bytes were copied when we get the error. Thus, we could mess up the MSG_MORE queue. When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we do so for UDP by udp_flush_pending_frames(). Even without this change, when the error occurred, the following sendmsg() resumed from a wrong skb and the queue was messed up. However, we have yet to get such a report, and only syzkaller stumbled on it. So, this can be changed safely. Note this does not change SOCK_SEQPACKET behaviour. CVE-2023-53825 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53825.html CVE-2023-53825 https://bugzilla.suse.com/1254707 SUSE Bug 1254707 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_add_adv_monitor() KSAN reports use-after-free in hci_add_adv_monitor(). While adding an adv monitor, hci_add_adv_monitor() calls -> msft_add_monitor_pattern() calls -> msft_add_monitor_sync() calls -> msft_le_monitor_advertisement_cb() calls in an error case -> hci_free_adv_monitor() which frees the *moniter. This is referenced by bt_dev_dbg() in hci_add_adv_monitor(). Fix the bt_dev_dbg() by using handle instead of monitor->handle. CVE-2023-53828 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53828.html CVE-2023-53828 https://bugzilla.suse.com/1254623 SUSE Bug 1254623 In the Linux kernel, the following vulnerability has been resolved: net: read sk->sk_family once in sk_mc_loop() syzbot is playing with IPV6_ADDRFORM quite a lot these days, and managed to hit the WARN_ON_ONCE(1) in sk_mc_loop() We have many more similar issues to fix. WARNING: CPU: 1 PID: 1593 at net/core/sock.c:782 sk_mc_loop+0x165/0x260 Modules linked in: CPU: 1 PID: 1593 Comm: kworker/1:3 Not tainted 6.1.40-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 Workqueue: events_power_efficient gc_worker RIP: 0010:sk_mc_loop+0x165/0x260 net/core/sock.c:782 Code: 34 1b fd 49 81 c7 18 05 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ff e8 25 36 6d fd 4d 8b 37 eb 13 e8 db 33 1b fd <0f> 0b b3 01 eb 34 e8 d0 33 1b fd 45 31 f6 49 83 c6 38 4c 89 f0 48 RSP: 0018:ffffc90000388530 EFLAGS: 00010246 RAX: ffffffff846d9b55 RBX: 0000000000000011 RCX: ffff88814f884980 RDX: 0000000000000102 RSI: ffffffff87ae5160 RDI: 0000000000000011 RBP: ffffc90000388550 R08: 0000000000000003 R09: ffffffff846d9a65 R10: 0000000000000002 R11: ffff88814f884980 R12: dffffc0000000000 R13: ffff88810dbee000 R14: 0000000000000010 R15: ffff888150084000 FS: 0000000000000000(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 000000014ee5b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> [<ffffffff8507734f>] ip6_finish_output2+0x33f/0x1ae0 net/ipv6/ip6_output.c:83 [<ffffffff85062766>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline] [<ffffffff85062766>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211 [<ffffffff85061f8c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline] [<ffffffff85061f8c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232 [<ffffffff852071cf>] dst_output include/net/dst.h:444 [inline] [<ffffffff852071cf>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161 [<ffffffff83618fb4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline] [<ffffffff83618fb4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline] [<ffffffff83618fb4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline] [<ffffffff83618fb4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677 [<ffffffff8361ddd9>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229 [<ffffffff84763fc0>] netdev_start_xmit include/linux/netdevice.h:4925 [inline] [<ffffffff84763fc0>] xmit_one net/core/dev.c:3644 [inline] [<ffffffff84763fc0>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660 [<ffffffff8494c650>] sch_direct_xmit+0x2a0/0x9c0 net/sched/sch_generic.c:342 [<ffffffff8494d883>] qdisc_restart net/sched/sch_generic.c:407 [inline] [<ffffffff8494d883>] __qdisc_run+0xb13/0x1e70 net/sched/sch_generic.c:415 [<ffffffff8478c426>] qdisc_run+0xd6/0x260 include/net/pkt_sched.h:125 [<ffffffff84796eac>] net_tx_action+0x7ac/0x940 net/core/dev.c:5247 [<ffffffff858002bd>] __do_softirq+0x2bd/0x9bd kernel/softirq.c:599 [<ffffffff814c3fe8>] invoke_softirq kernel/softirq.c:430 [inline] [<ffffffff814c3fe8>] __irq_exit_rcu+0xc8/0x170 kernel/softirq.c:683 [<ffffffff814c3f09>] irq_exit_rcu+0x9/0x20 kernel/softirq.c:695 CVE-2023-53831 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53831.html CVE-2023-53831 https://bugzilla.suse.com/1254701 SUSE Bug 1254701 In the Linux kernel, the following vulnerability has been resolved: iio: adc: ina2xx: avoid NULL pointer dereference on OF device match The affected lines were resulting in a NULL pointer dereference on our platform because the device tree contained the following list of compatible strings: power-sensor@40 { compatible = "ti,ina232", "ti,ina231"; ... }; Since the driver doesn't declare a compatible string "ti,ina232", the OF matching succeeds on "ti,ina231". But the I2C device ID info is populated via the first compatible string, cf. modalias population in of_i2c_get_board_info(). Since there is no "ina232" entry in the legacy I2C device ID table either, the struct i2c_device_id *id pointer in the probe function is NULL. Fix this by using the already populated type variable instead, which points to the proper driver data. Since the name is also wanted, add a generic one to the ina2xx_config table. CVE-2023-53834 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53834.html CVE-2023-53834 https://bugzilla.suse.com/1254660 SUSE Bug 1254660 In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix skb refcnt race after locking changes There is a race where skb's from the sk_psock_backlog can be referenced after userspace side has already skb_consumed() the sk_buff and its refcnt dropped to zer0 causing use after free. The flow is the following: while ((skb = skb_peek(&psock->ingress_skb)) sk_psock_handle_Skb(psock, skb, ..., ingress) if (!ingress) ... sk_psock_skb_ingress sk_psock_skb_ingress_enqueue(skb) msg->skb = skb sk_psock_queue_msg(psock, msg) skb_dequeue(&psock->ingress_skb) The sk_psock_queue_msg() puts the msg on the ingress_msg queue. This is what the application reads when recvmsg() is called. An application can read this anytime after the msg is placed on the queue. The recvmsg hook will also read msg->skb and then after user space reads the msg will call consume_skb(skb) on it effectively free'ing it. But, the race is in above where backlog queue still has a reference to the skb and calls skb_dequeue(). If the skb_dequeue happens after the user reads and free's the skb we have a use after free. The !ingress case does not suffer from this problem because it uses sendmsg_*(sk, msg) which does not pass the sk_buff further down the stack. The following splat was observed with 'test_progs -t sockmap_listen': [ 1022.710250][ T2556] general protection fault, ... [...] [ 1022.712830][ T2556] Workqueue: events sk_psock_backlog [ 1022.713262][ T2556] RIP: 0010:skb_dequeue+0x4c/0x80 [ 1022.713653][ T2556] Code: ... [...] [ 1022.720699][ T2556] Call Trace: [ 1022.720984][ T2556] <TASK> [ 1022.721254][ T2556] ? die_addr+0x32/0x80^M [ 1022.721589][ T2556] ? exc_general_protection+0x25a/0x4b0 [ 1022.722026][ T2556] ? asm_exc_general_protection+0x22/0x30 [ 1022.722489][ T2556] ? skb_dequeue+0x4c/0x80 [ 1022.722854][ T2556] sk_psock_backlog+0x27a/0x300 [ 1022.723243][ T2556] process_one_work+0x2a7/0x5b0 [ 1022.723633][ T2556] worker_thread+0x4f/0x3a0 [ 1022.723998][ T2556] ? __pfx_worker_thread+0x10/0x10 [ 1022.724386][ T2556] kthread+0xfd/0x130 [ 1022.724709][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725066][ T2556] ret_from_fork+0x2d/0x50 [ 1022.725409][ T2556] ? __pfx_kthread+0x10/0x10 [ 1022.725799][ T2556] ret_from_fork_asm+0x1b/0x30 [ 1022.726201][ T2556] </TASK> To fix we add an skb_get() before passing the skb to be enqueued in the engress queue. This bumps the skb->users refcnt so that consume_skb() and kfree_skb will not immediately free the sk_buff. With this we can be sure the skb is still around when we do the dequeue. Then we just need to decrement the refcnt or free the skb in the backlog case which we do by calling kfree_skb() on the ingress case as well as the sendmsg case. Before locking change from fixes tag we had the sock locked so we couldn't race with user and there was no issue here. CVE-2023-53836 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53836.html CVE-2023-53836 https://bugzilla.suse.com/1254693 SUSE Bug 1254693 In the Linux kernel, the following vulnerability has been resolved: dccp: fix data-race around dp->dccps_mss_cache dccp_sendmsg() reads dp->dccps_mss_cache before locking the socket. Same thing in do_dccp_getsockopt(). Add READ_ONCE()/WRITE_ONCE() annotations, and change dccp_sendmsg() to check again dccps_mss_cache after socket is locked. CVE-2023-53839 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53839.html CVE-2023-53839 https://bugzilla.suse.com/1254655 SUSE Bug 1254655 In the Linux kernel, the following vulnerability has been resolved: devlink: report devlink_port_type_warn source device devlink_port_type_warn is scheduled for port devlink and warning when the port type is not set. But from this warning it is not easy found out which device (driver) has no devlink port set. [ 3709.975552] Type was not set for devlink port. [ 3709.975579] WARNING: CPU: 1 PID: 13092 at net/devlink/leftover.c:6775 devlink_port_type_warn+0x11/0x20 [ 3709.993967] Modules linked in: openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nfnetlink bluetooth rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs vhost_net vhost vhost_iotlb tap tun bridge stp llc qrtr intel_rapl_msr intel_rapl_common i10nm_edac nfit libnvdimm x86_pkg_temp_thermal mlx5_ib intel_powerclamp coretemp dell_wmi ledtrig_audio sparse_keymap ipmi_ssif kvm_intel ib_uverbs rfkill ib_core video kvm iTCO_wdt acpi_ipmi intel_vsec irqbypass ipmi_si iTCO_vendor_support dcdbas ipmi_devintf mei_me ipmi_msghandler rapl mei intel_cstate isst_if_mmio isst_if_mbox_pci dell_smbios intel_uncore isst_if_common i2c_i801 dell_wmi_descriptor wmi_bmof i2c_smbus intel_pch_thermal pcspkr acpi_power_meter xfs libcrc32c sd_mod sg nvme_tcp mgag200 i2c_algo_bit nvme_fabrics drm_shmem_helper drm_kms_helper nvme syscopyarea ahci sysfillrect sysimgblt nvme_core fb_sys_fops crct10dif_pclmul libahci mlx5_core sfc crc32_pclmul nvme_common drm [ 3709.994030] crc32c_intel mtd t10_pi mlxfw libata tg3 mdio megaraid_sas psample ghash_clmulni_intel pci_hyperv_intf wmi dm_multipath sunrpc dm_mirror dm_region_hash dm_log dm_mod be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse [ 3710.108431] CPU: 1 PID: 13092 Comm: kworker/1:1 Kdump: loaded Not tainted 5.14.0-319.el9.x86_64 #1 [ 3710.108435] Hardware name: Dell Inc. PowerEdge R750/0PJ80M, BIOS 1.8.2 09/14/2022 [ 3710.108437] Workqueue: events devlink_port_type_warn [ 3710.108440] RIP: 0010:devlink_port_type_warn+0x11/0x20 [ 3710.108443] Code: 84 76 fe ff ff 48 c7 03 20 0e 1a ad 31 c0 e9 96 fd ff ff 66 0f 1f 44 00 00 0f 1f 44 00 00 48 c7 c7 18 24 4e ad e8 ef 71 62 ff <0f> 0b c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f6 87 [ 3710.108445] RSP: 0018:ff3b6d2e8b3c7e90 EFLAGS: 00010282 [ 3710.108447] RAX: 0000000000000000 RBX: ff366d6580127080 RCX: 0000000000000027 [ 3710.108448] RDX: 0000000000000027 RSI: 00000000ffff86de RDI: ff366d753f41f8c8 [ 3710.108449] RBP: ff366d658ff5a0c0 R08: ff366d753f41f8c0 R09: ff3b6d2e8b3c7e18 [ 3710.108450] R10: 0000000000000001 R11: 0000000000000023 R12: ff366d753f430600 [ 3710.108451] R13: ff366d753f436900 R14: 0000000000000000 R15: ff366d753f436905 [ 3710.108452] FS: 0000000000000000(0000) GS:ff366d753f400000(0000) knlGS:0000000000000000 [ 3710.108453] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3710.108454] CR2: 00007f1c57bc74e0 CR3: 000000111d26a001 CR4: 0000000000773ee0 [ 3710.108456] PKRU: 55555554 [ 3710.108457] Call Trace: [ 3710.108458] <TASK> [ 3710.108459] process_one_work+0x1e2/0x3b0 [ 3710.108466] ? rescuer_thread+0x390/0x390 [ 3710.108468] worker_thread+0x50/0x3a0 [ 3710.108471] ? rescuer_thread+0x390/0x390 [ 3710.108473] kthread+0xdd/0x100 [ 3710.108477] ? kthread_complete_and_exit+0x20/0x20 [ 3710.108479] ret_from_fork+0x1f/0x30 [ 3710.108485] </TASK> [ 3710.108486] ---[ end trace 1b4b23cd0c65d6a0 ]--- After patch: [ 402.473064] ice 0000:41:00.0: Type was not set for devlink port. [ 402.473064] ice 0000:41:00.1: Type was not set for devlink port. CVE-2023-53841 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53841.html CVE-2023-53841 https://bugzilla.suse.com/1255009 SUSE Bug 1255009 In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove The MBHC resources must be released on component probe failure and removal so can not be tied to the lifetime of the component device. This is specifically needed to allow probe deferrals of the sound card which otherwise fails when reprobing the codec component: snd-sc8280xp sound: ASoC: failed to instantiate card -517 genirq: Flags mismatch irq 299. 00002001 (mbhc sw intr) vs. 00002001 (mbhc sw intr) wcd938x_codec audio-codec: Failed to request mbhc interrupts -16 wcd938x_codec audio-codec: mbhc initialization failed wcd938x_codec audio-codec: ASoC: error at snd_soc_component_probe on audio-codec: -16 snd-sc8280xp sound: ASoC: failed to instantiate card -16 CVE-2023-53842 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53842.html CVE-2023-53842 https://bugzilla.suse.com/1254690 SUSE Bug 1254690 In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: reject negative ifindex Recent changes in net-next (commit 759ab1edb56c ("net: store netdevs in an xarray")) refactored the handling of pre-assigned ifindexes and let syzbot surface a latent problem in ovs. ovs does not validate ifindex, making it possible to create netdev ports with negative ifindex values. It's easy to repro with YNL: $ ./cli.py --spec netlink/specs/ovs_datapath.yaml \ --do new \ --json '{"upcall-pid": 1, "name":"my-dp"}' $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' $ ip link show -65536: some-port0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 7a:48:21:ad:0b:fb brd ff:ff:ff:ff:ff:ff ... Validate the inputs. Now the second command correctly returns: $ ./cli.py --spec netlink/specs/ovs_vport.yaml \ --do new \ --json '{"upcall-pid": "00000001", "name": "some-port0", "dp-ifindex":3,"ifindex":4294901760,"type":2}' lib.ynl.NlError: Netlink error: Numerical result out of range nl_len = 108 (92) nl_flags = 0x300 nl_type = 2 error: -34 extack: {'msg': 'integer out of range', 'unknown': [[type:4 len:36] b'\x0c\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x03\x00\xff\xff\xff\x7f\x00\x00\x00\x00\x08\x00\x01\x00\x08\x00\x00\x00'], 'bad-attr': '.ifindex'} Accept 0 since it used to be silently ignored. CVE-2023-53843 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53843.html CVE-2023-53843 https://bugzilla.suse.com/1254705 SUSE Bug 1254705 In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on swapout move error If moving the bo to system for swapout failed, we were leaking a resource. Fix. CVE-2023-53844 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53844.html CVE-2023-53844 https://bugzilla.suse.com/1254649 SUSE Bug 1254649 In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on direct node in truncate_dnode() syzbot reports below bug: BUG: KASAN: slab-use-after-free in f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 Read of size 4 at addr ffff88802a25c000 by task syz-executor148/5000 CPU: 1 PID: 5000 Comm: syz-executor148 Not tainted 6.4.0-rc7-syzkaller-00041-ge660abd551f1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106 print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351 print_report mm/kasan/report.c:462 [inline] kasan_report+0x11c/0x130 mm/kasan/report.c:572 f2fs_truncate_data_blocks_range+0x122a/0x14c0 fs/f2fs/file.c:574 truncate_dnode+0x229/0x2e0 fs/f2fs/node.c:944 f2fs_truncate_inode_blocks+0x64b/0xde0 fs/f2fs/node.c:1154 f2fs_do_truncate_blocks+0x4ac/0xf30 fs/f2fs/file.c:721 f2fs_truncate_blocks+0x7b/0x300 fs/f2fs/file.c:749 f2fs_truncate.part.0+0x4a5/0x630 fs/f2fs/file.c:799 f2fs_truncate include/linux/fs.h:825 [inline] f2fs_setattr+0x1738/0x2090 fs/f2fs/file.c:1006 notify_change+0xb2c/0x1180 fs/attr.c:483 do_truncate+0x143/0x200 fs/open.c:66 handle_truncate fs/namei.c:3295 [inline] do_open fs/namei.c:3640 [inline] path_openat+0x2083/0x2750 fs/namei.c:3791 do_filp_open+0x1ba/0x410 fs/namei.c:3818 do_sys_openat2+0x16d/0x4c0 fs/open.c:1356 do_sys_open fs/open.c:1372 [inline] __do_sys_creat fs/open.c:1448 [inline] __se_sys_creat fs/open.c:1442 [inline] __x64_sys_creat+0xcd/0x120 fs/open.c:1442 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The root cause is, inodeA references inodeB via inodeB's ino, once inodeA is truncated, it calls truncate_dnode() to truncate data blocks in inodeB's node page, it traverse mapping data from node->i.i_addr[0] to node->i.i_addr[ADDRS_PER_BLOCK() - 1], result in out-of-boundary access. This patch fixes to add sanity check on dnode page in truncate_dnode(), so that, it can help to avoid triggering such issue, and once it encounters such issue, it will record newly introduced ERROR_INVALID_NODE_REFERENCE error into superblock, later fsck can detect such issue and try repairing. Also, it removes f2fs_truncate_data_blocks() for cleanup due to the function has only one caller, and uses f2fs_truncate_data_blocks_range() instead. CVE-2023-53846 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53846.html CVE-2023-53846 https://bugzilla.suse.com/1254983 SUSE Bug 1254983 In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Fix uninit-value in alauda_check_media() Syzbot got KMSAN to complain about access to an uninitialized value in the alauda subdriver of usb-storage: BUG: KMSAN: uninit-value in alauda_transport+0x462/0x57f0 drivers/usb/storage/alauda.c:1137 CPU: 0 PID: 12279 Comm: usb-storage Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x191/0x1f0 lib/dump_stack.c:113 kmsan_report+0x13a/0x2b0 mm/kmsan/kmsan_report.c:108 __msan_warning+0x73/0xe0 mm/kmsan/kmsan_instr.c:250 alauda_check_media+0x344/0x3310 drivers/usb/storage/alauda.c:460 The problem is that alauda_check_media() doesn't verify that its USB transfer succeeded before trying to use the received data. What should happen if the transfer fails isn't entirely clear, but a reasonably conservative approach is to pretend that no media is present. A similar problem exists in a usb_stor_dbg() call in alauda_get_media_status(). In this case, when an error occurs the call is redundant, because usb_stor_ctrl_transfer() already will print a debugging message. Finally, unrelated to the uninitialized memory access, is the fact that alauda_check_media() performs DMA to a buffer on the stack. Fortunately usb-storage provides a general purpose DMA-able buffer for uses like this. We'll use it instead. CVE-2023-53847 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53847.html CVE-2023-53847 https://bugzilla.suse.com/1254698 SUSE Bug 1254698 In the Linux kernel, the following vulnerability has been resolved: md/raid5-cache: fix a deadlock in r5l_exit_log() Commit b13015af94cf ("md/raid5-cache: Clear conf->log after finishing work") introduce a new problem: // caller hold reconfig_mutex r5l_exit_log flush_work(&log->disable_writeback_work) r5c_disable_writeback_async wait_event /* * conf->log is not NULL, and mddev_trylock() * will fail, wait_event() can never pass. */ conf->log = NULL Fix this problem by setting 'config->log' to NULL before wake_up() as it used to be, so that wait_event() from r5c_disable_writeback_async() can exist. In the meantime, move forward md_unregister_thread() so that null-ptr-deref this commit fixed can still be fixed. CVE-2023-53848 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53848.html CVE-2023-53848 https://bugzilla.suse.com/1254753 SUSE Bug 1254753 In the Linux kernel, the following vulnerability has been resolved: iavf: use internal state to free traffic IRQs If the system tries to close the netdev while iavf_reset_task() is running, __LINK_STATE_START will be cleared and netif_running() will return false in iavf_reinit_interrupt_scheme(). This will result in iavf_free_traffic_irqs() not being called and a leak as follows: [7632.489326] remove_proc_entry: removing non-empty directory 'irq/999', leaking at least 'iavf-enp24s0f0v0-TxRx-0' [7632.490214] WARNING: CPU: 0 PID: 10 at fs/proc/generic.c:718 remove_proc_entry+0x19b/0x1b0 is shown when pci_disable_msix() is later called. Fix by using the internal adapter state. The traffic IRQs will always exist if state == __IAVF_RUNNING. CVE-2023-53850 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53850.html CVE-2023-53850 https://bugzilla.suse.com/1254677 SUSE Bug 1254677 In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Drop aux devices together with DP controller Using devres to depopulate the aux bus made sure that upon a probe deferral the EDP panel device would be destroyed and recreated upon next attempt. But the struct device which the devres is tied to is the DPUs (drm_dev->dev), which may be happen after the DP controller is torn down. Indications of this can be seen in the commonly seen EDID-hexdump full of zeros in the log, or the occasional/rare KASAN fault where the panel's attempt to read the EDID information causes a use after free on DP resources. It's tempting to move the devres to the DP controller's struct device, but the resources used by the device(s) on the aux bus are explicitly torn down in the error path. The KASAN-reported use-after-free also remains, as the DP aux "module" explicitly frees its devres-allocated memory in this code path. As such, explicitly depopulate the aux bus in the error path, and in the component unbind path, to avoid these issues. Patchwork: https://patchwork.freedesktop.org/patch/542163/ CVE-2023-53851 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53851.html CVE-2023-53851 https://bugzilla.suse.com/1254695 SUSE Bug 1254695 In the Linux kernel, the following vulnerability has been resolved: nvme-core: fix memory leak in dhchap_secret_store Free dhchap_secret in nvme_ctrl_dhchap_secret_store() before we return fix following kmemleack:- unreferenced object 0xffff8886376ea800 (size 64): comm "check", pid 22048, jiffies 4344316705 (age 92.199s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc unreferenced object 0xffff8886376eaf00 (size 64): comm "check", pid 22048, jiffies 4344316736 (age 92.168s) hex dump (first 32 bytes): 44 48 48 43 2d 31 3a 30 30 3a 6e 78 72 35 4b 67 DHHC-1:00:nxr5Kg 75 58 34 75 6f 41 78 73 4a 61 34 63 2f 68 75 4c uX4uoAxsJa4c/huL backtrace: [<0000000030ce5d4b>] __kmalloc+0x4b/0x130 [<000000009be1cdc1>] nvme_ctrl_dhchap_secret_store+0x8f/0x160 [nvme_core] [<00000000ac06c96a>] kernfs_fop_write_iter+0x12b/0x1c0 [<00000000437e7ced>] vfs_write+0x2ba/0x3c0 [<00000000f9491baf>] ksys_write+0x5f/0xe0 [<000000001c46513d>] do_syscall_64+0x3b/0x90 [<00000000ecf348fe>] entry_SYSCALL_64_after_hwframe+0x72/0xdc CVE-2023-53852 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53852.html CVE-2023-53852 https://bugzilla.suse.com/1254653 SUSE Bug 1254653 In the Linux kernel, the following vulnerability has been resolved: net: dsa: ocelot: call dsa_tag_8021q_unregister() under rtnl_lock() on driver remove When the tagging protocol in current use is "ocelot-8021q" and we unbind the driver, we see this splat: $ echo '0000:00:00.2' > /sys/bus/pci/drivers/fsl_enetc/unbind mscc_felix 0000:00:00.5 swp0: left promiscuous mode sja1105 spi2.0: Link is Down DSA: tree 1 torn down mscc_felix 0000:00:00.5 swp2: left promiscuous mode sja1105 spi2.2: Link is Down DSA: tree 3 torn down fsl_enetc 0000:00:00.2 eno2: left promiscuous mode mscc_felix 0000:00:00.5: Link is Down ------------[ cut here ]------------ RTNL: assertion failed at net/dsa/tag_8021q.c (409) WARNING: CPU: 1 PID: 329 at net/dsa/tag_8021q.c:409 dsa_tag_8021q_unregister+0x12c/0x1a0 Modules linked in: CPU: 1 PID: 329 Comm: bash Not tainted 6.5.0-rc3+ #771 pc : dsa_tag_8021q_unregister+0x12c/0x1a0 lr : dsa_tag_8021q_unregister+0x12c/0x1a0 Call trace: dsa_tag_8021q_unregister+0x12c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ RTNL: assertion failed at net/8021q/vlan_core.c (376) WARNING: CPU: 1 PID: 329 at net/8021q/vlan_core.c:376 vlan_vid_del+0x1b8/0x1f0 CPU: 1 PID: 329 Comm: bash Tainted: G W 6.5.0-rc3+ #771 pc : vlan_vid_del+0x1b8/0x1f0 lr : vlan_vid_del+0x1b8/0x1f0 dsa_tag_8021q_unregister+0x8c/0x1a0 felix_tag_8021q_teardown+0x130/0x150 felix_teardown+0x3c/0xd8 dsa_tree_teardown_switches+0xbc/0xe0 dsa_unregister_switch+0x168/0x260 felix_pci_remove+0x30/0x60 pci_device_remove+0x4c/0x100 device_release_driver_internal+0x188/0x288 device_links_unbind_consumers+0xfc/0x138 device_release_driver_internal+0xe0/0x288 device_driver_detach+0x24/0x38 unbind_store+0xd8/0x108 drv_attr_store+0x30/0x50 DSA: tree 0 torn down This was somewhat not so easy to spot, because "ocelot-8021q" is not the default tagging protocol, and thus, not everyone who tests the unbinding path may have switched to it beforehand. The default felix_tag_npi_teardown() does not require rtnl_lock() to be held. CVE-2023-53855 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53855.html CVE-2023-53855 https://bugzilla.suse.com/1254688 SUSE Bug 1254688 In the Linux kernel, the following vulnerability has been resolved: of: overlay: Call of_changeset_init() early When of_overlay_fdt_apply() fails, the changeset may be partially applied, and the caller is still expected to call of_overlay_remove() to clean up this partial state. However, of_overlay_apply() calls of_resolve_phandles() before init_overlay_changeset(). Hence if the overlay fails to apply due to an unresolved symbol, the overlay_changeset.cset.entries list is still uninitialized, and cleanup will crash with a NULL-pointer dereference in overlay_removal_is_ok(). Fix this by moving the call to of_changeset_init() from init_overlay_changeset() to of_overlay_fdt_apply(), where all other early initialization is done. CVE-2023-53856 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53856.html CVE-2023-53856 https://bugzilla.suse.com/1254661 SUSE Bug 1254661 In the Linux kernel, the following vulnerability has been resolved: bpf: bpf_sk_storage: Fix invalid wait context lockdep report './test_progs -t test_local_storage' reported a splat: [ 27.137569] ============================= [ 27.138122] [ BUG: Invalid wait context ] [ 27.138650] 6.5.0-03980-gd11ae1b16b0a #247 Tainted: G O [ 27.139542] ----------------------------- [ 27.140106] test_progs/1729 is trying to lock: [ 27.140713] ffff8883ef047b88 (stock_lock){-.-.}-{3:3}, at: local_lock_acquire+0x9/0x130 [ 27.141834] other info that might help us debug this: [ 27.142437] context-{5:5} [ 27.142856] 2 locks held by test_progs/1729: [ 27.143352] #0: ffffffff84bcd9c0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x4/0x40 [ 27.144492] #1: ffff888107deb2c0 (&storage->lock){..-.}-{2:2}, at: bpf_local_storage_update+0x39e/0x8e0 [ 27.145855] stack backtrace: [ 27.146274] CPU: 0 PID: 1729 Comm: test_progs Tainted: G O 6.5.0-03980-gd11ae1b16b0a #247 [ 27.147550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 27.149127] Call Trace: [ 27.149490] <TASK> [ 27.149867] dump_stack_lvl+0x130/0x1d0 [ 27.152609] dump_stack+0x14/0x20 [ 27.153131] __lock_acquire+0x1657/0x2220 [ 27.153677] lock_acquire+0x1b8/0x510 [ 27.157908] local_lock_acquire+0x29/0x130 [ 27.159048] obj_cgroup_charge+0xf4/0x3c0 [ 27.160794] slab_pre_alloc_hook+0x28e/0x2b0 [ 27.161931] __kmem_cache_alloc_node+0x51/0x210 [ 27.163557] __kmalloc+0xaa/0x210 [ 27.164593] bpf_map_kzalloc+0xbc/0x170 [ 27.165147] bpf_selem_alloc+0x130/0x510 [ 27.166295] bpf_local_storage_update+0x5aa/0x8e0 [ 27.167042] bpf_fd_sk_storage_update_elem+0xdb/0x1a0 [ 27.169199] bpf_map_update_value+0x415/0x4f0 [ 27.169871] map_update_elem+0x413/0x550 [ 27.170330] __sys_bpf+0x5e9/0x640 [ 27.174065] __x64_sys_bpf+0x80/0x90 [ 27.174568] do_syscall_64+0x48/0xa0 [ 27.175201] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 27.175932] RIP: 0033:0x7effb40e41ad [ 27.176357] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d8 [ 27.179028] RSP: 002b:00007ffe64c21fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000141 [ 27.180088] RAX: ffffffffffffffda RBX: 00007ffe64c22768 RCX: 00007effb40e41ad [ 27.181082] RDX: 0000000000000020 RSI: 00007ffe64c22008 RDI: 0000000000000002 [ 27.182030] RBP: 00007ffe64c21ff0 R08: 0000000000000000 R09: 00007ffe64c22788 [ 27.183038] R10: 0000000000000064 R11: 0000000000000202 R12: 0000000000000000 [ 27.184006] R13: 00007ffe64c22788 R14: 00007effb42a1000 R15: 0000000000000000 [ 27.184958] </TASK> It complains about acquiring a local_lock while holding a raw_spin_lock. It means it should not allocate memory while holding a raw_spin_lock since it is not safe for RT. raw_spin_lock is needed because bpf_local_storage supports tracing context. In particular for task local storage, it is easy to get a "current" task PTR_TO_BTF_ID in tracing bpf prog. However, task (and cgroup) local storage has already been moved to bpf mem allocator which can be used after raw_spin_lock. The splat is for the sk storage. For sk (and inode) storage, it has not been moved to bpf mem allocator. Using raw_spin_lock or not, kzalloc(GFP_ATOMIC) could theoretically be unsafe in tracing context. However, the local storage helper requires a verifier accepted sk pointer (PTR_TO_BTF_ID), it is hypothetical if that (mean running a bpf prog in a kzalloc unsafe context and also able to hold a verifier accepted sk pointer) could happen. This patch avoids kzalloc after raw_spin_lock to silent the splat. There is an existing kzalloc before the raw_spin_lock. At that point, a kzalloc is very likely required because a lookup has just been done before. Thus, this patch always does the kzalloc before acq ---truncated--- CVE-2023-53857 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53857.html CVE-2023-53857 https://bugzilla.suse.com/1254648 SUSE Bug 1254648 In the Linux kernel, the following vulnerability has been resolved: tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error If clk_get_rate() fails, the clk that has just been allocated needs to be freed. CVE-2023-53858 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53858.html CVE-2023-53858 https://bugzilla.suse.com/1254704 SUSE Bug 1254704 In the Linux kernel, the following vulnerability has been resolved: dm: don't attempt to queue IO under RCU protection dm looks up the table for IO based on the request type, with an assumption that if the request is marked REQ_NOWAIT, it's fine to attempt to submit that IO while under RCU read lock protection. This is not OK, as REQ_NOWAIT just means that we should not be sleeping waiting on other IO, it does not mean that we can't potentially schedule. A simple test case demonstrates this quite nicely: int main(int argc, char *argv[]) { struct iovec iov; int fd; fd = open("/dev/dm-0", O_RDONLY | O_DIRECT); posix_memalign(&iov.iov_base, 4096, 4096); iov.iov_len = 4096; preadv2(fd, &iov, 1, 0, RWF_NOWAIT); return 0; } which will instantly spew: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:306 in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5580, name: dm-nowait preempt_count: 0, expected: 0 RCU nest depth: 1, expected: 0 INFO: lockdep is turned off. CPU: 7 PID: 5580 Comm: dm-nowait Not tainted 6.6.0-rc1-g39956d2dcd81 #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x11d/0x1b0 __might_resched+0x3c3/0x5e0 ? preempt_count_sub+0x150/0x150 mempool_alloc+0x1e2/0x390 ? mempool_resize+0x7d0/0x7d0 ? lock_sync+0x190/0x190 ? lock_release+0x4b7/0x670 ? internal_get_user_pages_fast+0x868/0x2d40 bio_alloc_bioset+0x417/0x8c0 ? bvec_alloc+0x200/0x200 ? internal_get_user_pages_fast+0xb8c/0x2d40 bio_alloc_clone+0x53/0x100 dm_submit_bio+0x27f/0x1a20 ? lock_release+0x4b7/0x670 ? blk_try_enter_queue+0x1a0/0x4d0 ? dm_dax_direct_access+0x260/0x260 ? rcu_is_watching+0x12/0xb0 ? blk_try_enter_queue+0x1cc/0x4d0 __submit_bio+0x239/0x310 ? __bio_queue_enter+0x700/0x700 ? kvm_clock_get_cycles+0x40/0x60 ? ktime_get+0x285/0x470 submit_bio_noacct_nocheck+0x4d9/0xb80 ? should_fail_request+0x80/0x80 ? preempt_count_sub+0x150/0x150 ? lock_release+0x4b7/0x670 ? __bio_add_page+0x143/0x2d0 ? iov_iter_revert+0x27/0x360 submit_bio_noacct+0x53e/0x1b30 submit_bio_wait+0x10a/0x230 ? submit_bio_wait_endio+0x40/0x40 __blkdev_direct_IO_simple+0x4f8/0x780 ? blkdev_bio_end_io+0x4c0/0x4c0 ? stack_trace_save+0x90/0xc0 ? __bio_clone+0x3c0/0x3c0 ? lock_release+0x4b7/0x670 ? lock_sync+0x190/0x190 ? atime_needs_update+0x3bf/0x7e0 ? timestamp_truncate+0x21b/0x2d0 ? inode_owner_or_capable+0x240/0x240 blkdev_direct_IO.part.0+0x84a/0x1810 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 ? blkdev_read_iter+0x40d/0x530 ? reacquire_held_locks+0x4e0/0x4e0 ? __blkdev_direct_IO_simple+0x780/0x780 ? rcu_is_watching+0x12/0xb0 ? __mark_inode_dirty+0x297/0xd50 ? preempt_count_add+0x72/0x140 blkdev_read_iter+0x2a4/0x530 do_iter_readv_writev+0x2f2/0x3c0 ? generic_copy_file_range+0x1d0/0x1d0 ? fsnotify_perm.part.0+0x25d/0x630 ? security_file_permission+0xd8/0x100 do_iter_read+0x31b/0x880 ? import_iovec+0x10b/0x140 vfs_readv+0x12d/0x1a0 ? vfs_iter_read+0xb0/0xb0 ? rcu_is_watching+0x12/0xb0 ? rcu_is_watching+0x12/0xb0 ? lock_release+0x4b7/0x670 do_preadv+0x1b3/0x260 ? do_readv+0x370/0x370 __x64_sys_preadv2+0xef/0x150 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f5af41ad806 Code: 41 54 41 89 fc 55 44 89 c5 53 48 89 cb 48 83 ec 18 80 3d e4 dd 0d 00 00 74 7a 45 89 c1 49 89 ca 45 31 c0 b8 47 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 be 00 00 00 48 85 c0 79 4a 48 8b 0d da 55 RSP: 002b:00007ffd3145c7f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000147 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5af41ad806 RDX: 0000000000000001 RSI: 00007ffd3145c850 RDI: 0000000000000003 RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000008 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ffd3145c850 R14: 000055f5f0431dd8 R15: 0000000000000001 </TASK> where in fact it is ---truncated--- CVE-2023-53860 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53860.html CVE-2023-53860 https://bugzilla.suse.com/1254626 SUSE Bug 1254626 In the Linux kernel, the following vulnerability has been resolved: ext4: correct grp validation in ext4_mb_good_group Group corruption check will access memory of grp and will trigger kernel crash if grp is NULL. So do NULL check before corruption check. CVE-2023-53861 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53861.html CVE-2023-53861 https://bugzilla.suse.com/1254678 SUSE Bug 1254678 In the Linux kernel, the following vulnerability has been resolved: netlink: do not hard code device address lenth in fdb dumps syzbot reports that some netdev devices do not have a six bytes address [1] Replace ETH_ALEN by dev->addr_len. [1] (Case of a device where dev->addr_len = 4) BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline] BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169 instrument_copy_to_user include/linux/instrumented.h:114 [inline] copyout+0xb8/0x100 lib/iov_iter.c:169 _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536 copy_to_iter include/linux/uio.h:206 [inline] simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527 skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline] netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970 sock_recvmsg_nosec net/socket.c:1019 [inline] sock_recvmsg net/socket.c:1040 [inline] ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was stored to memory at: __nla_put lib/nlattr.c:1009 [inline] nla_put+0x1c6/0x230 lib/nlattr.c:1067 nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071 nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline] ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456 rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629 netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268 netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995 sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019 ____sys_recvmsg+0x664/0x7f0 net/socket.c:2720 ___sys_recvmsg+0x223/0x840 net/socket.c:2764 do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858 __sys_recvmmsg net/socket.c:2937 [inline] __do_sys_recvmmsg net/socket.c:2960 [inline] __se_sys_recvmmsg net/socket.c:2953 [inline] __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716 slab_alloc_node mm/slub.c:3451 [inline] __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490 kmalloc_trace+0x51/0x200 mm/slab_common.c:1057 kmalloc include/linux/slab.h:559 [inline] __hw_addr_create net/core/dev_addr_lists.c:60 [inline] __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:867 [inline] dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885 igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680 ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754 ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708 addrconf_type_change net/ipv6/addrconf.c:3731 [inline] addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699 notifier_call_chain kernel/notifier.c:93 [inline] raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461 call_netdevice_notifiers_info net/core/dev.c:1935 [inline] call_netdevice_notifiers_extack net/core/dev.c:1973 [inline] call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987 bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906 do_set_master net/core/rtnetlink.c:2626 [inline] rtnl_newlink_create net/core/rtnetlink.c:3460 [inline] __rtnl_newlink net/core/rtnetlink.c:3660 [inline] rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673 rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546 rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0xf28/0x1230 net/netlink/af_ ---truncated--- CVE-2023-53863 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53863.html CVE-2023-53863 https://bugzilla.suse.com/1254657 SUSE Bug 1254657 In the Linux kernel, the following vulnerability has been resolved: drm/mxsfb: Disable overlay plane in mxsfb_plane_overlay_atomic_disable() When disabling overlay plane in mxsfb_plane_overlay_atomic_update(), overlay plane's framebuffer pointer is NULL. So, dereferencing it would cause a kernel Oops(NULL pointer dereferencing). Fix the issue by disabling overlay plane in mxsfb_plane_overlay_atomic_disable() instead. CVE-2023-53864 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53864.html CVE-2023-53864 https://bugzilla.suse.com/1254754 SUSE Bug 1254754 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix warning when putting transaction with qgroups enabled after abort If we have a transaction abort with qgroups enabled we get a warning triggered when doing the final put on the transaction, like this: [552.6789] ------------[ cut here ]------------ [552.6815] WARNING: CPU: 4 PID: 81745 at fs/btrfs/transaction.c:144 btrfs_put_transaction+0x123/0x130 [btrfs] [552.6817] Modules linked in: btrfs blake2b_generic xor (...) [552.6819] CPU: 4 PID: 81745 Comm: btrfs-transacti Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [552.6819] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [552.6819] RIP: 0010:btrfs_put_transaction+0x123/0x130 [btrfs] [552.6821] Code: bd a0 01 00 (...) [552.6821] RSP: 0018:ffffa168c0527e28 EFLAGS: 00010286 [552.6821] RAX: ffff936042caed00 RBX: ffff93604a3eb448 RCX: 0000000000000000 [552.6821] RDX: ffff93606421b028 RSI: ffffffff92ff0878 RDI: ffff93606421b010 [552.6821] RBP: ffff93606421b000 R08: 0000000000000000 R09: ffffa168c0d07c20 [552.6821] R10: 0000000000000000 R11: ffff93608dc52950 R12: ffffa168c0527e70 [552.6821] R13: ffff93606421b000 R14: ffff93604a3eb420 R15: ffff93606421b028 [552.6821] FS: 0000000000000000(0000) GS:ffff93675fb00000(0000) knlGS:0000000000000000 [552.6821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [552.6821] CR2: 0000558ad262b000 CR3: 000000014feda005 CR4: 0000000000370ee0 [552.6822] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [552.6822] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [552.6822] Call Trace: [552.6822] <TASK> [552.6822] ? __warn+0x80/0x130 [552.6822] ? btrfs_put_transaction+0x123/0x130 [btrfs] [552.6824] ? report_bug+0x1f4/0x200 [552.6824] ? handle_bug+0x42/0x70 [552.6824] ? exc_invalid_op+0x14/0x70 [552.6824] ? asm_exc_invalid_op+0x16/0x20 [552.6824] ? btrfs_put_transaction+0x123/0x130 [btrfs] [552.6826] btrfs_cleanup_transaction+0xe7/0x5e0 [btrfs] [552.6828] ? _raw_spin_unlock_irqrestore+0x23/0x40 [552.6828] ? try_to_wake_up+0x94/0x5e0 [552.6828] ? __pfx_process_timeout+0x10/0x10 [552.6828] transaction_kthread+0x103/0x1d0 [btrfs] [552.6830] ? __pfx_transaction_kthread+0x10/0x10 [btrfs] [552.6832] kthread+0xee/0x120 [552.6832] ? __pfx_kthread+0x10/0x10 [552.6832] ret_from_fork+0x29/0x50 [552.6832] </TASK> [552.6832] ---[ end trace 0000000000000000 ]--- This corresponds to this line of code: void btrfs_put_transaction(struct btrfs_transaction *transaction) { (...) WARN_ON(!RB_EMPTY_ROOT( &transaction->delayed_refs.dirty_extent_root)); (...) } The warning happens because btrfs_qgroup_destroy_extent_records(), called in the transaction abort path, we free all entries from the rbtree "dirty_extent_root" with rbtree_postorder_for_each_entry_safe(), but we don't actually empty the rbtree - it's still pointing to nodes that were freed. So set the rbtree's root node to NULL to avoid this warning (assign RB_ROOT). CVE-2023-53865 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53865.html CVE-2023-53865 https://bugzilla.suse.com/1254762 SUSE Bug 1254762 In the Linux kernel, the following vulnerability has been resolved: arm64: mm: fix VA-range sanity check Both create_mapping_noalloc() and update_mapping_prot() sanity-check their 'virt' parameter, but the check itself doesn't make much sense. The condition used today appears to be a historical accident. The sanity-check condition: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } ... can only be true for the KASAN shadow region or the module region, and there's no reason to exclude these specifically for creating and updateing mappings. When arm64 support was first upstreamed in commit: c1cc1552616d0f35 ("arm64: MMU initialisation") ... the condition was: if (virt < VMALLOC_START) { [ ... warning here ... ] return; } At the time, VMALLOC_START was the lowest kernel address, and this was checking whether 'virt' would be translated via TTBR1. Subsequently in commit: 14c127c957c1c607 ("arm64: mm: Flip kernel VA space") ... the condition was changed to: if ((virt >= VA_START) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } This appear to have been a thinko. The commit moved the linear map to the bottom of the kernel address space, with VMALLOC_START being at the halfway point. The old condition would warn for changes to the linear map below this, and at the time VA_START was the end of the linear map. Subsequently we cleaned up the naming of VA_START in commit: 77ad4ce69321abbe ("arm64: memory: rename VA_START to PAGE_END") ... keeping the erroneous condition as: if ((virt >= PAGE_END) && (virt < VMALLOC_START)) { [ ... warning here ... ] return; } Correct the condition to check against the start of the TTBR1 address space, which is currently PAGE_OFFSET. This simplifies the logic, and more clearly matches the "outside kernel range" message in the warning. CVE-2023-53989 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53989.html CVE-2023-53989 https://bugzilla.suse.com/1256302 SUSE Bug 1256302 In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: ocb: don't leave if not joined If there's no OCB state, don't ask the driver/mac80211 to leave, since that's just confusing. Since set/clear the chandef state, that's a simple check. CVE-2023-53992 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53992.html CVE-2023-53992 https://bugzilla.suse.com/1256058 SUSE Bug 1256058 In the Linux kernel, the following vulnerability has been resolved: ionic: remove WARN_ON to prevent panic_on_warn Remove unnecessary early code development check and the WARN_ON that it uses. The irq alloc and free paths have long been cleaned up and this check shouldn't have stuck around so long. CVE-2023-53994 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53994.html CVE-2023-53994 https://bugzilla.suse.com/1255570 SUSE Bug 1255570 In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix one memleak in __inet_del_ifa() I got the below warning when do fuzzing test: unregister_netdevice: waiting for bond0 to become free. Usage count = 2 It can be repoduced via: ip link add bond0 type bond sysctl -w net.ipv4.conf.bond0.promote_secondaries=1 ip addr add 4.117.174.103/0 scope 0x40 dev bond0 ip addr add 192.168.100.111/255.255.255.254 scope 0 dev bond0 ip addr add 0.0.0.4/0 scope 0x40 secondary dev bond0 ip addr del 4.117.174.103/0 scope 0x40 dev bond0 ip link delete bond0 type bond In this reproduction test case, an incorrect 'last_prim' is found in __inet_del_ifa(), as a result, the secondary address(0.0.0.4/0 scope 0x40) is lost. The memory of the secondary address is leaked and the reference of in_device and net_device is leaked. Fix this problem: Look for 'last_prim' starting at location of the deleted IP and inserting the promoted IP into the location of 'last_prim'. CVE-2023-53995 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53995.html CVE-2023-53995 https://bugzilla.suse.com/1255616 SUSE Bug 1255616 In the Linux kernel, the following vulnerability has been resolved: x86/sev: Make enc_dec_hypercall() accept a size instead of npages enc_dec_hypercall() accepted a page count instead of a size, which forced its callers to round up. As a result, non-page aligned vaddrs caused pages to be spuriously marked as decrypted via the encryption status hypercall, which in turn caused consistent corruption of pages during live migration. Live migration requires accurate encryption status information to avoid migrating pages from the wrong perspective. CVE-2023-53996 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53996.html CVE-2023-53996 https://bugzilla.suse.com/1255618 SUSE Bug 1255618 In the Linux kernel, the following vulnerability has been resolved: thermal: of: fix double-free on unregistration Since commit 3d439b1a2ad3 ("thermal/core: Alloc-copy-free the thermal zone parameters structure"), thermal_zone_device_register() allocates a copy of the tzp argument and frees it when unregistering, so thermal_of_zone_register() now ends up leaking its original tzp and double-freeing the tzp copy. Fix this by locating tzp on stack instead. CVE-2023-53997 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53997.html CVE-2023-53997 https://bugzilla.suse.com/1255632 SUSE Bug 1255632 In the Linux kernel, the following vulnerability has been resolved: hwrng: virtio - Fix race on data_avail and actual data The virtio rng device kicks off a new entropy request whenever the data available reaches zero. When a new request occurs at the end of a read operation, that is, when the result of that request is only needed by the next reader, then there is a race between the writing of the new data and the next reader. This is because there is no synchronisation whatsoever between the writer and the reader. Fix this by writing data_avail with smp_store_release and reading it with smp_load_acquire when we first enter read. The subsequent reads are safe because they're either protected by the first load acquire, or by the completion mechanism. Also remove the redundant zeroing of data_idx in random_recv_done (data_idx must already be zero at this point) and data_avail in request_entropy (ditto). CVE-2023-53998 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53998.html CVE-2023-53998 https://bugzilla.suse.com/1255578 SUSE Bug 1255578 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: TC, Fix internal port memory leak The flow rule can be splited, and the extra post_act rules are added to post_act table. It's possible to trigger memleak when the rule forwards packets from internal port and over tunnel, in the case that, for example, CT 'new' state offload is allowed. As int_port object is assigned to the flow attribute of post_act rule, and its refcnt is incremented by mlx5e_tc_int_port_get(), but mlx5e_tc_int_port_put() is not called, the refcnt is never decremented, then int_port is never freed. The kmemleak reports the following error: unreferenced object 0xffff888128204b80 (size 64): comm "handler20", pid 50121, jiffies 4296973009 (age 642.932s) hex dump (first 32 bytes): 01 00 00 00 19 00 00 00 03 f0 00 00 04 00 00 00 ................ 98 77 67 41 81 88 ff ff 98 77 67 41 81 88 ff ff .wgA.....wgA.... backtrace: [<00000000e992680d>] kmalloc_trace+0x27/0x120 [<000000009e945a98>] mlx5e_tc_int_port_get+0x3f3/0xe20 [mlx5_core] [<0000000035a537f0>] mlx5e_tc_add_fdb_flow+0x473/0xcf0 [mlx5_core] [<0000000070c2cec6>] __mlx5e_add_fdb_flow+0x7cf/0xe90 [mlx5_core] [<000000005cc84048>] mlx5e_configure_flower+0xd40/0x4c40 [mlx5_core] [<000000004f8a2031>] mlx5e_rep_indr_offload.isra.0+0x10e/0x1c0 [mlx5_core] [<000000007df797dc>] mlx5e_rep_indr_setup_tc_cb+0x90/0x130 [mlx5_core] [<0000000016c15cc3>] tc_setup_cb_add+0x1cf/0x410 [<00000000a63305b4>] fl_hw_replace_filter+0x38f/0x670 [cls_flower] [<000000008bc9e77c>] fl_change+0x1fd5/0x4430 [cls_flower] [<00000000e7f766e4>] tc_new_tfilter+0x867/0x2010 [<00000000e101c0ef>] rtnetlink_rcv_msg+0x6fc/0x9f0 [<00000000e1111d44>] netlink_rcv_skb+0x12c/0x360 [<0000000082dd6c8b>] netlink_unicast+0x438/0x710 [<00000000fc568f70>] netlink_sendmsg+0x794/0xc50 [<0000000016e92590>] sock_sendmsg+0xc5/0x190 So fix this by moving int_port cleanup code to the flow attribute free helper, which is used by all the attribute free cases. CVE-2023-53999 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-53999.html CVE-2023-53999 https://bugzilla.suse.com/1255621 SUSE Bug 1255621 In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix deadlock issue when externel_lb and reset are executed together When externel_lb and reset are executed together, a deadlock may occur: [ 3147.217009] INFO: task kworker/u321:0:7 blocked for more than 120 seconds. [ 3147.230483] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 3147.238999] task:kworker/u321:0 state:D stack: 0 pid: 7 ppid: 2 flags:0x00000008 [ 3147.248045] Workqueue: hclge hclge_service_task [hclge] [ 3147.253957] Call trace: [ 3147.257093] __switch_to+0x7c/0xbc [ 3147.261183] __schedule+0x338/0x6f0 [ 3147.265357] schedule+0x50/0xe0 [ 3147.269185] schedule_preempt_disabled+0x18/0x24 [ 3147.274488] __mutex_lock.constprop.0+0x1d4/0x5dc [ 3147.279880] __mutex_lock_slowpath+0x1c/0x30 [ 3147.284839] mutex_lock+0x50/0x60 [ 3147.288841] rtnl_lock+0x20/0x2c [ 3147.292759] hclge_reset_prepare+0x68/0x90 [hclge] [ 3147.298239] hclge_reset_subtask+0x88/0xe0 [hclge] [ 3147.303718] hclge_reset_service_task+0x84/0x120 [hclge] [ 3147.309718] hclge_service_task+0x2c/0x70 [hclge] [ 3147.315109] process_one_work+0x1d0/0x490 [ 3147.319805] worker_thread+0x158/0x3d0 [ 3147.324240] kthread+0x108/0x13c [ 3147.328154] ret_from_fork+0x10/0x18 In externel_lb process, the hns3 driver call napi_disable() first, then the reset happen, then the restore process of the externel_lb will fail, and will not call napi_enable(). When doing externel_lb again, napi_disable() will be double call, cause a deadlock of rtnl_lock(). This patch use the HNS3_NIC_STATE_DOWN state to protect the calling of napi_disable() and napi_enable() in externel_lb process, just as the usage in ndo_stop() and ndo_start(). CVE-2023-54000 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54000.html CVE-2023-54000 https://bugzilla.suse.com/1255564 SUSE Bug 1255564 In the Linux kernel, the following vulnerability has been resolved: staging: r8712: Fix memory leak in _r8712_init_xmit_priv() In the above mentioned routine, memory is allocated in several places. If the first succeeds and a later one fails, the routine will leak memory. This patch fixes commit 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel"). A potential memory leak in r8712_xmit_resource_alloc() is also addressed. CVE-2023-54001 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54001.html CVE-2023-54001 https://bugzilla.suse.com/1255628 SUSE Bug 1255628 In the Linux kernel, the following vulnerability has been resolved: binder: fix memory leak in binder_init() In binder_init(), the destruction of binder_alloc_shrinker_init() is not performed in the wrong path, which will cause memory leaks. So this commit introduces binder_alloc_shrinker_exit() and calls it in the wrong path to fix that. CVE-2023-54005 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54005.html CVE-2023-54005 https://bugzilla.suse.com/1255629 SUSE Bug 1255629 In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix data-race around unix_tot_inflight. unix_tot_inflight is changed under spin_lock(unix_gc_lock), but unix_release_sock() reads it locklessly. Let's use READ_ONCE() for unix_tot_inflight. Note that the writer side was marked by commit 9d6d7f1cb67c ("af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress") BUG: KCSAN: data-race in unix_inflight / unix_release_sock write (marked) to 0xffffffff871852b8 of 4 bytes by task 123 on cpu 1: unix_inflight+0x130/0x180 net/unix/scm.c:64 unix_attach_fds+0x137/0x1b0 net/unix/scm.c:123 unix_scm_to_skb net/unix/af_unix.c:1832 [inline] unix_dgram_sendmsg+0x46a/0x14f0 net/unix/af_unix.c:1955 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x148/0x160 net/socket.c:747 ____sys_sendmsg+0x4e4/0x610 net/socket.c:2493 ___sys_sendmsg+0xc6/0x140 net/socket.c:2547 __sys_sendmsg+0x94/0x140 net/socket.c:2576 __do_sys_sendmsg net/socket.c:2585 [inline] __se_sys_sendmsg net/socket.c:2583 [inline] __x64_sys_sendmsg+0x45/0x50 net/socket.c:2583 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc read to 0xffffffff871852b8 of 4 bytes by task 4891 on cpu 0: unix_release_sock+0x608/0x910 net/unix/af_unix.c:671 unix_release+0x59/0x80 net/unix/af_unix.c:1058 __sock_release+0x7d/0x170 net/socket.c:653 sock_close+0x19/0x30 net/socket.c:1385 __fput+0x179/0x5e0 fs/file_table.c:321 ____fput+0x15/0x20 fs/file_table.c:349 task_work_run+0x116/0x1a0 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x72/0xdc value changed: 0x00000000 -> 0x00000001 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 4891 Comm: systemd-coredum Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 CVE-2023-54006 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54006.html CVE-2023-54006 https://bugzilla.suse.com/1255591 SUSE Bug 1255591 In the Linux kernel, the following vulnerability has been resolved: virtio_vdpa: build affinity masks conditionally We try to build affinity mask via create_affinity_masks() unconditionally which may lead several issues: - the affinity mask is not used for parent without affinity support (only VDUSE support the affinity now) - the logic of create_affinity_masks() might not work for devices other than block. For example it's not rare in the networking device where the number of queues could exceed the number of CPUs. Such case breaks the current affinity logic which is based on group_cpus_evenly() who assumes the number of CPUs are not less than the number of groups. This can trigger a warning[1]: if (ret >= 0) WARN_ON(nr_present + nr_others < numgrps); Fixing this by only build the affinity masks only when - Driver passes affinity descriptor, driver like virtio-blk can make sure to limit the number of queues when it exceeds the number of CPUs - Parent support affinity setting config ops This help to avoid the warning. More optimizations could be done on top. [1] [ 682.146655] WARNING: CPU: 6 PID: 1550 at lib/group_cpus.c:400 group_cpus_evenly+0x1aa/0x1c0 [ 682.146668] CPU: 6 PID: 1550 Comm: vdpa Not tainted 6.5.0-rc5jason+ #79 [ 682.146671] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [ 682.146673] RIP: 0010:group_cpus_evenly+0x1aa/0x1c0 [ 682.146676] Code: 4c 89 e0 5b 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 1b c4 74 ff 48 89 ef e8 13 ac 98 ff 4c 89 e7 45 31 e4 e8 08 ac 98 ff eb c2 <0f> 0b eb b6 e8 fd 05 c3 00 45 31 e4 eb e5 cc cc cc cc cc cc cc cc [ 682.146679] RSP: 0018:ffffc9000215f498 EFLAGS: 00010293 [ 682.146682] RAX: 000000000001f1e0 RBX: 0000000000000041 RCX: 0000000000000000 [ 682.146684] RDX: ffff888109922058 RSI: 0000000000000041 RDI: 0000000000000030 [ 682.146686] RBP: ffff888109922058 R08: ffffc9000215f498 R09: ffffc9000215f4a0 [ 682.146687] R10: 00000000000198d0 R11: 0000000000000030 R12: ffff888107e02800 [ 682.146689] R13: 0000000000000030 R14: 0000000000000030 R15: 0000000000000041 [ 682.146692] FS: 00007fef52315740(0000) GS:ffff888237380000(0000) knlGS:0000000000000000 [ 682.146695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 682.146696] CR2: 00007fef52509000 CR3: 0000000110dbc004 CR4: 0000000000370ee0 [ 682.146698] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 682.146700] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 682.146701] Call Trace: [ 682.146703] <TASK> [ 682.146705] ? __warn+0x7b/0x130 [ 682.146709] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146712] ? report_bug+0x1c8/0x1e0 [ 682.146717] ? handle_bug+0x3c/0x70 [ 682.146721] ? exc_invalid_op+0x14/0x70 [ 682.146723] ? asm_exc_invalid_op+0x16/0x20 [ 682.146727] ? group_cpus_evenly+0x1aa/0x1c0 [ 682.146729] ? group_cpus_evenly+0x15c/0x1c0 [ 682.146731] create_affinity_masks+0xaf/0x1a0 [ 682.146735] virtio_vdpa_find_vqs+0x83/0x1d0 [ 682.146738] ? __pfx_default_calc_sets+0x10/0x10 [ 682.146742] virtnet_find_vqs+0x1f0/0x370 [ 682.146747] virtnet_probe+0x501/0xcd0 [ 682.146749] ? vp_modern_get_status+0x12/0x20 [ 682.146751] ? get_cap_addr.isra.0+0x10/0xc0 [ 682.146754] virtio_dev_probe+0x1af/0x260 [ 682.146759] really_probe+0x1a5/0x410 CVE-2023-54008 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54008.html CVE-2023-54008 https://bugzilla.suse.com/1255630 SUSE Bug 1255630 In the Linux kernel, the following vulnerability has been resolved: interconnect: Fix locking for runpm vs reclaim For cases where icc_bw_set() can be called in callbaths that could deadlock against shrinker/reclaim, such as runpm resume, we need to decouple the icc locking. Introduce a new icc_bw_lock for cases where we need to serialize bw aggregation and update to decouple that from paths that require memory allocation such as node/link creation/ destruction. Fixes this lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 6.2.0-rc8-debug+ #554 Not tainted ------------------------------------------------------ ring0/132 is trying to acquire lock: ffffff80871916d0 (&gmu->lock){+.+.}-{3:3}, at: a6xx_pm_resume+0xf0/0x234 but task is already holding lock: ffffffdb5aee57e8 (dma_fence_map){++++}-{0:0}, at: msm_job_run+0x68/0x150 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (dma_fence_map){++++}-{0:0}: __dma_fence_might_wait+0x74/0xc0 dma_resv_lockdep+0x1f4/0x2f4 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x80/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 topology_parse_cpu_capacity+0x8c/0x178 get_cpu_for_node+0x88/0xc4 parse_cluster+0x1b0/0x28c parse_cluster+0x8c/0x28c init_cpu_topology+0x168/0x188 smp_prepare_cpus+0x24/0xf8 kernel_init_freeable+0x18c/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #2 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire+0x3c/0x48 fs_reclaim_acquire+0x54/0xa8 slab_pre_alloc_hook.constprop.0+0x40/0x25c __kmem_cache_alloc_node+0x60/0x1cc __kmalloc+0xd8/0x100 kzalloc.constprop.0+0x14/0x20 icc_node_create_nolock+0x4c/0xc4 icc_node_create+0x38/0x58 qcom_icc_rpmh_probe+0x1b8/0x248 platform_probe+0x70/0xc4 really_probe+0x158/0x290 __driver_probe_device+0xc8/0xe0 driver_probe_device+0x44/0x100 __driver_attach+0xf8/0x108 bus_for_each_dev+0x78/0xc4 driver_attach+0x2c/0x38 bus_add_driver+0xd0/0x1d8 driver_register+0xbc/0xf8 __platform_driver_register+0x30/0x3c qnoc_driver_init+0x24/0x30 do_one_initcall+0x104/0x2bc kernel_init_freeable+0x344/0x34c kernel_init+0x30/0x134 ret_from_fork+0x10/0x20 -> #1 (icc_lock){+.+.}-{3:3}: __mutex_lock+0xcc/0x3c8 mutex_lock_nested+0x30/0x44 icc_set_bw+0x88/0x2b4 _set_opp_bw+0x8c/0xd8 _set_opp+0x19c/0x300 dev_pm_opp_set_opp+0x84/0x94 a6xx_gmu_resume+0x18c/0x804 a6xx_pm_resume+0xf8/0x234 adreno_runtime_resume+0x2c/0x38 pm_generic_runtime_resume+0x30/0x44 __rpm_callback+0x15c/0x174 rpm_callback+0x78/0x7c rpm_resume+0x318/0x524 __pm_runtime_resume+0x78/0xbc adreno_load_gpu+0xc4/0x17c msm_open+0x50/0x120 drm_file_alloc+0x17c/0x228 drm_open_helper+0x74/0x118 drm_open+0xa0/0x144 drm_stub_open+0xd4/0xe4 chrdev_open+0x1b8/0x1e4 do_dentry_open+0x2f8/0x38c vfs_open+0x34/0x40 path_openat+0x64c/0x7b4 do_filp_open+0x54/0xc4 do_sys_openat2+0x9c/0x100 do_sys_open+0x50/0x7c __arm64_sys_openat+0x28/0x34 invoke_syscall+0x8c/0x128 el0_svc_common.constprop.0+0xa0/0x11c do_el0_ ---truncated--- CVE-2023-54013 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54013.html CVE-2023-54013 https://bugzilla.suse.com/1256280 SUSE Bug 1256280 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() Klocwork reported warning of rport maybe NULL and will be dereferenced. rport returned by call to fc_bsg_to_rport() could be NULL and dereferenced. Check valid rport returned by fc_bsg_to_rport(). CVE-2023-54014 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54014.html CVE-2023-54014 https://bugzilla.suse.com/1256300 SUSE Bug 1256300 In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak in rx_desc and tx_desc Currently when ath12k_dp_cc_desc_init() is called we allocate memory to rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), during descriptor cleanup rx_descs and tx_descs memory is not freed. This is cause of memory leak. These allocated memory should be freed in ath12k_dp_cc_cleanup. In ath12k_dp_cc_desc_init(), we can save base address of rx_descs and tx_descs. In ath12k_dp_cc_cleanup(), we can free rx_descs and tx_descs memory using their base address. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 CVE-2023-54016 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54016.html CVE-2023-54016 https://bugzilla.suse.com/1256279 SUSE Bug 1256279 In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: fix possible memory leak in ibmebus_bus_init() If device_register() returns error in ibmebus_bus_init(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. As comment of device_add() says, it should call put_device() to drop the reference count that was set in device_initialize() when it fails, so the name can be freed in kobject_cleanup(). CVE-2023-54017 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54017.html CVE-2023-54017 https://bugzilla.suse.com/1255605 SUSE Bug 1255605 In the Linux kernel, the following vulnerability has been resolved: sched/psi: use kernfs polling functions for PSI trigger polling Destroying psi trigger in cgroup_file_release causes UAF issues when a cgroup is removed from under a polling process. This is happening because cgroup removal causes a call to cgroup_file_release while the actual file is still alive. Destroying the trigger at this point would also destroy its waitqueue head and if there is still a polling process on that file accessing the waitqueue, it will step on the freed pointer: do_select vfs_poll do_rmdir cgroup_rmdir kernfs_drain_open_files cgroup_file_release cgroup_pressure_release psi_trigger_destroy wake_up_pollfree(&t->event_wait) // vfs_poll is unblocked synchronize_rcu kfree(t) poll_freewait -> UAF access to the trigger's waitqueue head Patch [1] fixed this issue for epoll() case using wake_up_pollfree(), however the same issue exists for synchronous poll() case. The root cause of this issue is that the lifecycles of the psi trigger's waitqueue and of the file associated with the trigger are different. Fix this by using kernfs_generic_poll function when polling on cgroup-specific psi triggers. It internally uses kernfs_open_node->poll waitqueue head with its lifecycle tied to the file's lifecycle. This also renders the fix in [1] obsolete, so revert it. [1] commit c2dbe32d5db5 ("sched/psi: Fix use-after-free in ep_remove_wait_queue()") CVE-2023-54019 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54019.html CVE-2023-54019 https://bugzilla.suse.com/1255636 SUSE Bug 1255636 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential memory leaks at error path for UMP open The allocation and initialization errors at alloc_midi_urbs() that is called at MIDI 2.0 / UMP device are supposed to be handled at the caller side by invoking free_midi_urbs(). However, free_midi_urbs() loops only for ep->num_urbs entries, and since ep->num_entries wasn't updated yet at the allocation / init error in alloc_midi_urbs(), this entry won't be released. The intention of free_midi_urbs() is to release the whole elements, so change the loop size to NUM_URBS to scan over all elements for fixing the missed releases. Also, the call of free_midi_urbs() is missing at snd_usb_midi_v2_open(). Although it'll be released later at reopen/close or disconnection, it's better to release immediately at the error path. CVE-2023-54022 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54022.html CVE-2023-54022 https://bugzilla.suse.com/1255545 SUSE Bug 1255545 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between balance and cancel/pause Syzbot reported a panic that looks like this: assertion failed: fs_info->exclusive_operation == BTRFS_EXCLOP_BALANCE_PAUSED, in fs/btrfs/ioctl.c:465 ------------[ cut here ]------------ kernel BUG at fs/btrfs/messages.c:259! RIP: 0010:btrfs_assertfail+0x2c/0x30 fs/btrfs/messages.c:259 Call Trace: <TASK> btrfs_exclop_balance fs/btrfs/ioctl.c:465 [inline] btrfs_ioctl_balance fs/btrfs/ioctl.c:3564 [inline] btrfs_ioctl+0x531e/0x5b30 fs/btrfs/ioctl.c:4632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x197/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The reproducer is running a balance and a cancel or pause in parallel. The way balance finishes is a bit wonky, if we were paused we need to save the balance_ctl in the fs_info, but clear it otherwise and cleanup. However we rely on the return values being specific errors, or having a cancel request or no pause request. If balance completes and returns 0, but we have a pause or cancel request we won't do the appropriate cleanup, and then the next time we try to start a balance we'll trip this ASSERT. The error handling is just wrong here, we always want to clean up, unless we got -ECANCELLED and we set the appropriate pause flag in the exclusive op. With this patch the reproducer ran for an hour without tripping, previously it would trip in less than a few minutes. CVE-2023-54023 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54023.html CVE-2023-54023 https://bugzilla.suse.com/1256301 SUSE Bug 1256301 In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config . Drop the single-use wowlan_config variable, just inline it into function call. CVE-2023-54025 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54025.html CVE-2023-54025 https://bugzilla.suse.com/1255558 SUSE Bug 1255558 In the Linux kernel, the following vulnerability has been resolved: opp: Fix use-after-free in lazy_opp_tables after probe deferral When dev_pm_opp_of_find_icc_paths() in _allocate_opp_table() returns -EPROBE_DEFER, the opp_table is freed again, to wait until all the interconnect paths are available. However, if the OPP table is using required-opps then it may already have been added to the global lazy_opp_tables list. The error path does not remove the opp_table from the list again. This can cause crashes later when the provider of the required-opps is added, since we will iterate over OPP tables that have already been freed. E.g.: Unable to handle kernel NULL pointer dereference when read CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.4.0-rc3 PC is at _of_add_opp_table_v2 (include/linux/of.h:949 drivers/opp/of.c:98 drivers/opp/of.c:344 drivers/opp/of.c:404 drivers/opp/of.c:1032) -> lazy_link_required_opp_table() Fix this by calling _of_clear_opp_table() to remove the opp_table from the list and clear other allocated resources. While at it, also add the missing mutex_destroy() calls in the error path. CVE-2023-54026 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54026.html CVE-2023-54026 https://bugzilla.suse.com/1255549 SUSE Bug 1255549 In the Linux kernel, the following vulnerability has been resolved: iio: core: Prevent invalid memory access when there is no parent Commit 813665564b3d ("iio: core: Convert to use firmware node handle instead of OF node") switched the kind of nodes to use for label retrieval in device registration. Probably an unwanted change in that commit was that if the device has no parent then NULL pointer is accessed. This is what happens in the stock IIO dummy driver when a new entry is created in configfs: # mkdir /sys/kernel/config/iio/devices/dummy/foo BUG: kernel NULL pointer dereference, address: ... ... Call Trace: __iio_device_register iio_dummy_probe Since there seems to be no reason to make a parent device of an IIO dummy device mandatory, let's prevent the invalid memory access in __iio_device_register when the parent device is NULL. With this change, the IIO dummy driver works fine with configfs. CVE-2023-54027 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54027.html CVE-2023-54027 https://bugzilla.suse.com/1255579 SUSE Bug 1255579 In the Linux kernel, the following vulnerability has been resolved: io_uring/net: don't overflow multishot recv Don't allow overflowing multishot recv CQEs, it might get out of hand, hurt performance, and in the worst case scenario OOM the task. CVE-2023-54030 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54030.html CVE-2023-54030 https://bugzilla.suse.com/1255691 SUSE Bug 1255691 In the Linux kernel, the following vulnerability has been resolved: vdpa: Add queue index attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa_nl_ops. That is to say, the missing part in vdpa_nl_policy may lead to illegal nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. This patch adds the missing nla_policy for vdpa queue index attr to avoid such bugs. CVE-2023-54031 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54031.html CVE-2023-54031 https://bugzilla.suse.com/1255583 SUSE Bug 1255583 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting quota root from the dirty cow roots list When disabling quotas we are deleting the quota root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the quota root from that list. CVE-2023-54032 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54032.html CVE-2023-54032 https://bugzilla.suse.com/1255617 SUSE Bug 1255617 In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix underflow in chain reference counter Set element addition error path decrements reference counter on chains twice: once on element release and again via nft_data_release(). Then, d6b478666ffa ("netfilter: nf_tables: fix underflow in object reference counter") incorrectly fixed this by removing the stateful object reference count decrement. Restore the stateful object decrement as in b91d90368837 ("netfilter: nf_tables: fix leaking object reference count") and let nft_data_release() decrement the chain reference counter, so this is done only once. CVE-2023-54035 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54035.html CVE-2023-54035 https://bugzilla.suse.com/1255563 SUSE Bug 1255563 In the Linux kernel, the following vulnerability has been resolved: ice: prevent NULL pointer deref during reload Calling ethtool during reload can lead to call trace, because VSI isn't configured for some time, but netdev is alive. To fix it add rtnl lock for VSI deconfig and config. Set ::num_q_vectors to 0 after freeing and add a check for ::tx/rx_rings in ring related ethtool ops. Add proper unroll of filters in ice_start_eth(). Reproduction: $watch -n 0.1 -d 'ethtool -g enp24s0f0np0' $devlink dev reload pci/0000:18:00.0 action driver_reinit Call trace before fix: [66303.926205] BUG: kernel NULL pointer dereference, address: 0000000000000000 [66303.926259] #PF: supervisor read access in kernel mode [66303.926286] #PF: error_code(0x0000) - not-present page [66303.926311] PGD 0 P4D 0 [66303.926332] Oops: 0000 [#1] PREEMPT SMP PTI [66303.926358] CPU: 4 PID: 933821 Comm: ethtool Kdump: loaded Tainted: G OE 6.4.0-rc5+ #1 [66303.926400] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.00.01.0014.070920180847 07/09/2018 [66303.926446] RIP: 0010:ice_get_ringparam+0x22/0x50 [ice] [66303.926649] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 48 8b 87 c0 09 00 00 c7 46 04 e0 1f 00 00 c7 46 10 e0 1f 00 00 48 8b 50 20 <48> 8b 12 0f b7 52 3a 89 56 14 48 8b 40 28 48 8b 00 0f b7 40 58 48 [66303.926722] RSP: 0018:ffffad40472f39c8 EFLAGS: 00010246 [66303.926749] RAX: ffff98a8ada05828 RBX: ffff98a8c46dd060 RCX: ffffad40472f3b48 [66303.926781] RDX: 0000000000000000 RSI: ffff98a8c46dd068 RDI: ffff98a8b23c4000 [66303.926811] RBP: ffffad40472f3b48 R08: 00000000000337b0 R09: 0000000000000000 [66303.926843] R10: 0000000000000001 R11: 0000000000000100 R12: ffff98a8b23c4000 [66303.926874] R13: ffff98a8c46dd060 R14: 000000000000000f R15: ffffad40472f3a50 [66303.926906] FS: 00007f6397966740(0000) GS:ffff98b390900000(0000) knlGS:0000000000000000 [66303.926941] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [66303.926967] CR2: 0000000000000000 CR3: 000000011ac20002 CR4: 00000000007706e0 [66303.926999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [66303.927029] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [66303.927060] PKRU: 55555554 [66303.927075] Call Trace: [66303.927094] <TASK> [66303.927111] ? __die+0x23/0x70 [66303.927140] ? page_fault_oops+0x171/0x4e0 [66303.927176] ? exc_page_fault+0x7f/0x180 [66303.927209] ? asm_exc_page_fault+0x26/0x30 [66303.927244] ? ice_get_ringparam+0x22/0x50 [ice] [66303.927433] rings_prepare_data+0x62/0x80 [66303.927469] ethnl_default_doit+0xe2/0x350 [66303.927501] genl_family_rcv_msg_doit.isra.0+0xe3/0x140 [66303.927538] genl_rcv_msg+0x1b1/0x2c0 [66303.927561] ? __pfx_ethnl_default_doit+0x10/0x10 [66303.927590] ? __pfx_genl_rcv_msg+0x10/0x10 [66303.927615] netlink_rcv_skb+0x58/0x110 [66303.927644] genl_rcv+0x28/0x40 [66303.927665] netlink_unicast+0x19e/0x290 [66303.927691] netlink_sendmsg+0x254/0x4d0 [66303.927717] sock_sendmsg+0x93/0xa0 [66303.927743] __sys_sendto+0x126/0x170 [66303.927780] __x64_sys_sendto+0x24/0x30 [66303.928593] do_syscall_64+0x5d/0x90 [66303.929370] ? __count_memcg_events+0x60/0xa0 [66303.930146] ? count_memcg_events.constprop.0+0x1a/0x30 [66303.930920] ? handle_mm_fault+0x9e/0x350 [66303.931688] ? do_user_addr_fault+0x258/0x740 [66303.932452] ? exc_page_fault+0x7f/0x180 [66303.933193] entry_SYSCALL_64_after_hwframe+0x72/0xdc CVE-2023-54037 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54037.html CVE-2023-54037 https://bugzilla.suse.com/1255557 SUSE Bug 1255557 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link hci_connect_sco currently returns NULL when there is no link (i.e. when hci_conn_link() returns NULL). sco_connect() expects an ERR_PTR in case of any error (see line 266 in sco.c). Thus, hcon set as NULL passes through to sco_conn_add(), which tries to get hcon->hdev, resulting in dereferencing a NULL pointer as reported by syzkaller. The same issue exists for iso_connect_cis() calling hci_connect_cis(). Thus, make hci_connect_sco() and hci_connect_cis() return ERR_PTR instead of NULL. CVE-2023-54038 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54038.html CVE-2023-54038 https://bugzilla.suse.com/1255540 SUSE Bug 1255540 In the Linux kernel, the following vulnerability has been resolved: powerpc/64s: Fix VAS mm use after free The refcount on mm is dropped before the coprocessor is detached. CVE-2023-54042 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54042.html CVE-2023-54042 https://bugzilla.suse.com/1255702 SUSE Bug 1255702 https://bugzilla.suse.com/1257670 SUSE Bug 1257670 In the Linux kernel, the following vulnerability has been resolved: audit: fix possible soft lockup in __audit_inode_child() Tracefs or debugfs maybe cause hundreds to thousands of PATH records, too many PATH records maybe cause soft lockup. For example: 1. CONFIG_KASAN=y && CONFIG_PREEMPTION=n 2. auditctl -a exit,always -S open -k key 3. sysctl -w kernel.watchdog_thresh=5 4. mkdir /sys/kernel/debug/tracing/instances/test There may be a soft lockup as follows: watchdog: BUG: soft lockup - CPU#45 stuck for 7s! [mkdir:15498] Kernel panic - not syncing: softlockup: hung tasks Call trace: dump_backtrace+0x0/0x30c show_stack+0x20/0x30 dump_stack+0x11c/0x174 panic+0x27c/0x494 watchdog_timer_fn+0x2bc/0x390 __run_hrtimer+0x148/0x4fc __hrtimer_run_queues+0x154/0x210 hrtimer_interrupt+0x2c4/0x760 arch_timer_handler_phys+0x48/0x60 handle_percpu_devid_irq+0xe0/0x340 __handle_domain_irq+0xbc/0x130 gic_handle_irq+0x78/0x460 el1_irq+0xb8/0x140 __audit_inode_child+0x240/0x7bc tracefs_create_file+0x1b8/0x2a0 trace_create_file+0x18/0x50 event_create_dir+0x204/0x30c __trace_add_new_event+0xac/0x100 event_trace_add_tracer+0xa0/0x130 trace_array_create_dir+0x60/0x140 trace_array_create+0x1e0/0x370 instance_mkdir+0x90/0xd0 tracefs_syscall_mkdir+0x68/0xa0 vfs_mkdir+0x21c/0x34c do_mkdirat+0x1b4/0x1d4 __arm64_sys_mkdirat+0x4c/0x60 el0_svc_common.constprop.0+0xa8/0x240 do_el0_svc+0x8c/0xc0 el0_svc+0x20/0x30 el0_sync_handler+0xb0/0xb4 el0_sync+0x160/0x180 Therefore, we add cond_resched() to __audit_inode_child() to fix it. CVE-2023-54045 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54045.html CVE-2023-54045 https://bugzilla.suse.com/1256285 SUSE Bug 1256285 In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Prevent handling any completions after qp destroy HW may generate completions that indicates QP is destroyed. Driver should not be scheduling any more completion handlers for this QP, after the QP is destroyed. Since CQs are active during the QP destroy, driver may still schedule completion handlers. This can cause a race where the destroy_cq and poll_cq running simultaneously. Snippet of kernel panic while doing bnxt_re driver load unload in loop. This indicates a poll after the CQ is freed. [77786.481636] Call Trace: [77786.481640] <TASK> [77786.481644] bnxt_re_poll_cq+0x14a/0x620 [bnxt_re] [77786.481658] ? kvm_clock_read+0x14/0x30 [77786.481693] __ib_process_cq+0x57/0x190 [ib_core] [77786.481728] ib_cq_poll_work+0x26/0x80 [ib_core] [77786.481761] process_one_work+0x1e5/0x3f0 [77786.481768] worker_thread+0x50/0x3a0 [77786.481785] ? __pfx_worker_thread+0x10/0x10 [77786.481790] kthread+0xe2/0x110 [77786.481794] ? __pfx_kthread+0x10/0x10 [77786.481797] ret_from_fork+0x2c/0x50 To avoid this, complete all completion handlers before returning the destroy QP. If free_cq is called soon after destroy_qp, IB stack will cancel the CQ work before invoking the destroy_cq verb and this will prevent any race mentioned. CVE-2023-54048 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54048.html CVE-2023-54048 https://bugzilla.suse.com/1256395 SUSE Bug 1256395 In the Linux kernel, the following vulnerability has been resolved: rpmsg: glink: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2023-54049 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54049.html CVE-2023-54049 https://bugzilla.suse.com/1256396 SUSE Bug 1256396 In the Linux kernel, the following vulnerability has been resolved: net: do not allow gso_size to be set to GSO_BY_FRAGS One missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again [1] Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff), because this magic value is used by the kernel. [1] general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500 Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01 RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000 RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070 RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6 R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109 ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120 skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53 __skb_gso_segment+0x339/0x710 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625 __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329 dev_queue_xmit include/linux/netdevice.h:3082 [inline] packet_xmit+0x257/0x380 net/packet/af_packet.c:276 packet_snd net/packet/af_packet.c:3087 [inline] packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119 sock_sendmsg_nosec net/socket.c:727 [inline] sock_sendmsg+0xd9/0x180 net/socket.c:750 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550 __sys_sendmsg+0x117/0x1e0 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7ff27cdb34d9 CVE-2023-54051 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54051.html CVE-2023-54051 https://bugzilla.suse.com/1256394 SUSE Bug 1256394 In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU txs may be dropped if the frame is aggregated in AMSDU. When the problem shows up, some SKBs would be hold in driver to cause network stopped temporarily. Even if the problem can be recovered by txs timeout handling, mt7921 still need to disable txs in AMSDU to avoid this issue. CVE-2023-54052 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54052.html CVE-2023-54052 https://bugzilla.suse.com/1256387 SUSE Bug 1256387 In the Linux kernel, the following vulnerability has been resolved: iommufd: Set end correctly when doing batch carry Even though the test suite covers this it somehow became obscured that this wasn't working. The test iommufd_ioas.mock_domain.access_domain_destory would blow up rarely. end should be set to 1 because this just pushed an item, the carry, to the pfns list. Sometimes the test would blow up with: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP CPU: 5 PID: 584 Comm: iommufd Not tainted 6.5.0-rc1-dirty #1236 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:batch_unpin+0xa2/0x100 [iommufd] Code: 17 48 81 fe ff ff 07 00 77 70 48 8b 15 b7 be 97 e2 48 85 d2 74 14 48 8b 14 fa 48 85 d2 74 0b 40 0f b6 f6 48 c1 e6 04 48 01 f2 <48> 8b 3a 48 c1 e0 06 89 ca 48 89 de 48 83 e7 f0 48 01 c7 e8 96 dc RSP: 0018:ffffc90001677a58 EFLAGS: 00010246 RAX: 00007f7e2646f000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00000000fefc4c8d RDI: 0000000000fefc4c RBP: ffffc90001677a80 R08: 0000000000000048 R09: 0000000000000200 R10: 0000000000030b98 R11: ffffffff81f3bb40 R12: 0000000000000001 R13: ffff888101f75800 R14: ffffc90001677ad0 R15: 00000000000001fe FS: 00007f9323679740(0000) GS:ffff8881ba540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105ede003 CR4: 00000000003706a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? show_regs+0x5c/0x70 ? __die+0x1f/0x60 ? page_fault_oops+0x15d/0x440 ? lock_release+0xbc/0x240 ? exc_page_fault+0x4a4/0x970 ? asm_exc_page_fault+0x27/0x30 ? batch_unpin+0xa2/0x100 [iommufd] ? batch_unpin+0xba/0x100 [iommufd] __iopt_area_unfill_domain+0x198/0x430 [iommufd] ? __mutex_lock+0x8c/0xb80 ? __mutex_lock+0x6aa/0xb80 ? xa_erase+0x28/0x30 ? iopt_table_remove_domain+0x162/0x320 [iommufd] ? lock_release+0xbc/0x240 iopt_area_unfill_domain+0xd/0x10 [iommufd] iopt_table_remove_domain+0x195/0x320 [iommufd] iommufd_hw_pagetable_destroy+0xb3/0x110 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_device_detach+0xc5/0x140 [iommufd] iommufd_selftest_destroy+0x1f/0x70 [iommufd] iommufd_object_destroy_user+0x8e/0xf0 [iommufd] iommufd_destroy+0x3a/0x50 [iommufd] iommufd_fops_ioctl+0xfb/0x170 [iommufd] __x64_sys_ioctl+0x40d/0x9a0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 CVE-2023-54060 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54060.html CVE-2023-54060 https://bugzilla.suse.com/1256379 SUSE Bug 1256379 In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Fix a memory leak when scanning for an adapter The adapter scan ssif_info_find() sets info->adapter_name if the adapter info came from SMBIOS, as it's not set in that case. However, this function can be called more than once, and it will leak the adapter name if it had already been set. So check for NULL before setting it. CVE-2023-54064 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54064.html CVE-2023-54064 https://bugzilla.suse.com/1256375 SUSE Bug 1256375 In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2023-54066 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54066.html CVE-2023-54066 https://bugzilla.suse.com/1256373 SUSE Bug 1256373 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race when deleting free space root from the dirty cow roots list When deleting the free space tree we are deleting the free space root from the list fs_info->dirty_cowonly_roots without taking the lock that protects it, which is struct btrfs_fs_info::trans_lock. This unsynchronized list manipulation may cause chaos if there's another concurrent manipulation of this list, such as when adding a root to it with ctree.c:add_root_to_dirty_list(). This can result in all sorts of weird failures caused by a race, such as the following crash: [337571.278245] general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] PREEMPT SMP PTI [337571.278933] CPU: 1 PID: 115447 Comm: btrfs Tainted: G W 6.4.0-rc6-btrfs-next-134+ #1 [337571.279153] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [337571.279572] RIP: 0010:commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.279928] Code: 85 38 06 00 (...) [337571.280363] RSP: 0018:ffff9f63446efba0 EFLAGS: 00010206 [337571.280582] RAX: ffff942d98ec2638 RBX: ffff9430b82b4c30 RCX: 0000000449e1c000 [337571.280798] RDX: dead000000000100 RSI: ffff9430021e4900 RDI: 0000000000036070 [337571.281015] RBP: ffff942d98ec2000 R08: ffff942d98ec2000 R09: 000000000000015b [337571.281254] R10: 0000000000000009 R11: 0000000000000001 R12: ffff942fe8fbf600 [337571.281476] R13: ffff942dabe23040 R14: ffff942dabe20800 R15: ffff942d92cf3b48 [337571.281723] FS: 00007f478adb7340(0000) GS:ffff94349fa40000(0000) knlGS:0000000000000000 [337571.281950] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [337571.282184] CR2: 00007f478ab9a3d5 CR3: 000000001e02c001 CR4: 0000000000370ee0 [337571.282416] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [337571.282647] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [337571.282874] Call Trace: [337571.283101] <TASK> [337571.283327] ? __die_body+0x1b/0x60 [337571.283570] ? die_addr+0x39/0x60 [337571.283796] ? exc_general_protection+0x22e/0x430 [337571.284022] ? asm_exc_general_protection+0x22/0x30 [337571.284251] ? commit_cowonly_roots+0x11f/0x250 [btrfs] [337571.284531] btrfs_commit_transaction+0x42e/0xf90 [btrfs] [337571.284803] ? _raw_spin_unlock+0x15/0x30 [337571.285031] ? release_extent_buffer+0x103/0x130 [btrfs] [337571.285305] reset_balance_state+0x152/0x1b0 [btrfs] [337571.285578] btrfs_balance+0xa50/0x11e0 [btrfs] [337571.285864] ? __kmem_cache_alloc_node+0x14a/0x410 [337571.286086] btrfs_ioctl+0x249a/0x3320 [btrfs] [337571.286358] ? mod_objcg_state+0xd2/0x360 [337571.286577] ? refill_obj_stock+0xb0/0x160 [337571.286798] ? seq_release+0x25/0x30 [337571.287016] ? __rseq_handle_notify_resume+0x3ba/0x4b0 [337571.287235] ? percpu_counter_add_batch+0x2e/0xa0 [337571.287455] ? __x64_sys_ioctl+0x88/0xc0 [337571.287675] __x64_sys_ioctl+0x88/0xc0 [337571.287901] do_syscall_64+0x38/0x90 [337571.288126] entry_SYSCALL_64_after_hwframe+0x72/0xdc [337571.288352] RIP: 0033:0x7f478aaffe9b So fix this by locking struct btrfs_fs_info::trans_lock before deleting the free space root from that list. CVE-2023-54067 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54067.html CVE-2023-54067 https://bugzilla.suse.com/1256369 SUSE Bug 1256369 In the Linux kernel, the following vulnerability has been resolved: ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow When we calculate the end position of ext4_free_extent, this position may be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not the first case of adjusting the best extent, that is, new_bex_end > 0, the following BUG_ON will be triggered: ========================================================= kernel BUG at fs/ext4/mballoc.c:5116! invalid opcode: 0000 [#1] PREEMPT SMP PTI CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279 RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430 Call Trace: <TASK> ext4_mb_use_best_found+0x203/0x2f0 ext4_mb_try_best_found+0x163/0x240 ext4_mb_regular_allocator+0x158/0x1550 ext4_mb_new_blocks+0x86a/0xe10 ext4_ext_map_blocks+0xb0c/0x13a0 ext4_map_blocks+0x2cd/0x8f0 ext4_iomap_begin+0x27b/0x400 iomap_iter+0x222/0x3d0 __iomap_dio_rw+0x243/0xcb0 iomap_dio_rw+0x16/0x80 ========================================================= A simple reproducer demonstrating the problem: mkfs.ext4 -F /dev/sda -b 4096 100M mount /dev/sda /tmp/test fallocate -l1M /tmp/test/tmp fallocate -l10M /tmp/test/file fallocate -i -o 1M -l16777203M /tmp/test/file fsstress -d /tmp/test -l 0 -n 100000 -p 8 & sleep 10 && killall -9 fsstress rm -f /tmp/test/tmp xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192" We simply refactor the logic for adjusting the best extent by adding a temporary ext4_free_extent ex and use extent_logical_end() to avoid overflow, which also simplifies the code. CVE-2023-54069 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54069.html CVE-2023-54069 https://bugzilla.suse.com/1256371 SUSE Bug 1256371 In the Linux kernel, the following vulnerability has been resolved: igb: clean up in all error paths when enabling SR-IOV After commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), removing the igb module could hang or crash (depending on the machine) when the module has been loaded with the max_vfs parameter set to some value != 0. In case of one test machine with a dual port 82580, this hang occurred: [ 232.480687] igb 0000:41:00.1: removed PHC on enp65s0f1 [ 233.093257] igb 0000:41:00.1: IOV Disabled [ 233.329969] pcieport 0000:40:01.0: AER: Multiple Uncorrected (Non-Fatal) err0 [ 233.340302] igb 0000:41:00.0: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.352248] igb 0000:41:00.0: device [8086:1516] error status/mask=00100000 [ 233.361088] igb 0000:41:00.0: [20] UnsupReq (First) [ 233.368183] igb 0000:41:00.0: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.376846] igb 0000:41:00.1: PCIe Bus Error: severity=Uncorrected (Non-Fata) [ 233.388779] igb 0000:41:00.1: device [8086:1516] error status/mask=00100000 [ 233.397629] igb 0000:41:00.1: [20] UnsupReq (First) [ 233.404736] igb 0000:41:00.1: AER: TLP Header: 40000001 0000040f cdbfc00c c [ 233.538214] pci 0000:41:00.1: AER: can't recover (no error_detected callback) [ 233.538401] igb 0000:41:00.0: removed PHC on enp65s0f0 [ 233.546197] pcieport 0000:40:01.0: AER: device recovery failed [ 234.157244] igb 0000:41:00.0: IOV Disabled [ 371.619705] INFO: task irq/35-aerdrv:257 blocked for more than 122 seconds. [ 371.627489] Not tainted 6.4.0-dirty #2 [ 371.632257] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this. [ 371.641000] task:irq/35-aerdrv state:D stack:0 pid:257 ppid:2 f0 [ 371.650330] Call Trace: [ 371.653061] <TASK> [ 371.655407] __schedule+0x20e/0x660 [ 371.659313] schedule+0x5a/0xd0 [ 371.662824] schedule_preempt_disabled+0x11/0x20 [ 371.667983] __mutex_lock.constprop.0+0x372/0x6c0 [ 371.673237] ? __pfx_aer_root_reset+0x10/0x10 [ 371.678105] report_error_detected+0x25/0x1c0 [ 371.682974] ? __pfx_report_normal_detected+0x10/0x10 [ 371.688618] pci_walk_bus+0x72/0x90 [ 371.692519] pcie_do_recovery+0xb2/0x330 [ 371.696899] aer_process_err_devices+0x117/0x170 [ 371.702055] aer_isr+0x1c0/0x1e0 [ 371.705661] ? __set_cpus_allowed_ptr+0x54/0xa0 [ 371.710723] ? __pfx_irq_thread_fn+0x10/0x10 [ 371.715496] irq_thread_fn+0x20/0x60 [ 371.719491] irq_thread+0xe6/0x1b0 [ 371.723291] ? __pfx_irq_thread_dtor+0x10/0x10 [ 371.728255] ? __pfx_irq_thread+0x10/0x10 [ 371.732731] kthread+0xe2/0x110 [ 371.736243] ? __pfx_kthread+0x10/0x10 [ 371.740430] ret_from_fork+0x2c/0x50 [ 371.744428] </TASK> The reproducer was a simple script: #!/bin/sh for i in `seq 1 5`; do modprobe -rv igb modprobe -v igb max_vfs=1 sleep 1 modprobe -rv igb done It turned out that this could only be reproduce on 82580 (quad and dual-port), but not on 82576, i350 and i210. Further debugging showed that igb_enable_sriov()'s call to pci_enable_sriov() is failing, because dev->is_physfn is 0 on 82580. Prior to commit 50f303496d92 ("igb: Enable SR-IOV after reinit"), igb_enable_sriov() jumped into the "err_out" cleanup branch. After this commit it only returned the error code. So the cleanup didn't take place, and the incorrect VF setup in the igb_adapter structure fooled the igb driver into assuming that VFs have been set up where no VF actually existed. Fix this problem by cleaning up again if pci_enable_sriov() fails. CVE-2023-54070 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54070.html CVE-2023-54070 https://bugzilla.suse.com/1256364 SUSE Bug 1256364 In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix potential data race at PCM memory allocation helpers The PCM memory allocation helpers have a sanity check against too many buffer allocations. However, the check is performed without a proper lock and the allocation isn't serialized; this allows user to allocate more memories than predefined max size. Practically seen, this isn't really a big problem, as it's more or less some "soft limit" as a sanity check, and it's not possible to allocate unlimitedly. But it's still better to address this for more consistent behavior. The patch covers the size check in do_alloc_pages() with the card->memory_mutex, and increases the allocated size there for preventing the further overflow. When the actual allocation fails, the size is decreased accordingly. CVE-2023-54072 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54072.html CVE-2023-54072 https://bugzilla.suse.com/1256291 SUSE Bug 1256291 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix missed ses refcounting Use new cifs_smb_ses_inc_refcount() helper to get an active reference of @ses and @ses->dfs_root_ses (if set). This will prevent @ses->dfs_root_ses of being put in the next call to cifs_put_smb_ses() and thus potentially causing an use-after-free bug. CVE-2023-54076 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54076.html CVE-2023-54076 https://bugzilla.suse.com/1256335 SUSE Bug 1256335 https://bugzilla.suse.com/1256450 SUSE Bug 1256450 In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: skip splitting and logical rewriting on pre-alloc write When doing a relocation, there is a chance that at the time of btrfs_reloc_clone_csums(), there is no checksum for the corresponding region. In this case, btrfs_finish_ordered_zoned()'s sum points to an invalid item and so ordered_extent's logical is set to some invalid value. Then, btrfs_lookup_block_group() in btrfs_zone_finish_endio() failed to find a block group and will hit an assert or a null pointer dereference as following. This can be reprodcued by running btrfs/028 several times (e.g, 4 to 16 times) with a null_blk setup. The device's zone size and capacity is set to 32 MB and the storage size is set to 5 GB on my setup. KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f] CPU: 6 PID: 3105720 Comm: kworker/u16:13 Tainted: G W 6.5.0-rc6-kts+ #1 Hardware name: Supermicro Super Server/X10SRL-F, BIOS 2.0 12/17/2015 Workqueue: btrfs-endio-write btrfs_work_helper [btrfs] RIP: 0010:btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] Code: 41 54 49 89 fc 55 48 89 f5 53 e8 57 7d fc ff 48 8d b8 88 00 00 00 48 89 c3 48 b8 00 00 00 00 00 > 3c 02 00 0f 85 02 01 00 00 f6 83 88 00 00 00 01 0f 84 a8 00 00 RSP: 0018:ffff88833cf87b08 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000011 RSI: 0000000000000004 RDI: 0000000000000088 RBP: 0000000000000002 R08: 0000000000000001 R09: ffffed102877b827 R10: ffff888143bdc13b R11: ffff888125b1cbc0 R12: ffff888143bdc000 R13: 0000000000007000 R14: ffff888125b1cba8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88881e500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3ed85223d5 CR3: 00000001519b4005 CR4: 00000000001706e0 Call Trace: <TASK> ? die_addr+0x3c/0xa0 ? exc_general_protection+0x148/0x220 ? asm_exc_general_protection+0x22/0x30 ? btrfs_zone_finish_endio.part.0+0x34/0x160 [btrfs] ? btrfs_zone_finish_endio.part.0+0x19/0x160 [btrfs] btrfs_finish_one_ordered+0x7b8/0x1de0 [btrfs] ? rcu_is_watching+0x11/0xb0 ? lock_release+0x47a/0x620 ? btrfs_finish_ordered_zoned+0x59b/0x800 [btrfs] ? __pfx_btrfs_finish_one_ordered+0x10/0x10 [btrfs] ? btrfs_finish_ordered_zoned+0x358/0x800 [btrfs] ? __smp_call_single_queue+0x124/0x350 ? rcu_is_watching+0x11/0xb0 btrfs_work_helper+0x19f/0xc60 [btrfs] ? __pfx_try_to_wake_up+0x10/0x10 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 process_one_work+0x8c1/0x1430 ? __pfx_lock_acquire+0x10/0x10 ? __pfx_process_one_work+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 ? _raw_spin_lock_irq+0x52/0x60 worker_thread+0x100/0x12c0 ? __kthread_parkme+0xc1/0x1f0 ? __pfx_worker_thread+0x10/0x10 kthread+0x2ea/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> On the zoned mode, writing to pre-allocated region means data relocation write. Such write always uses WRITE command so there is no need of splitting and rewriting logical address. Thus, we can just skip the function for the case. CVE-2023-54080 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54080.html CVE-2023-54080 https://bugzilla.suse.com/1256367 SUSE Bug 1256367 In the Linux kernel, the following vulnerability has been resolved: xen: speed up grant-table reclaim When a grant entry is still in use by the remote domain, Linux must put it on a deferred list. Normally, this list is very short, because the PV network and block protocols expect the backend to unmap the grant first. However, Qubes OS's GUI protocol is subject to the constraints of the X Window System, and as such winds up with the frontend unmapping the window first. As a result, the list can grow very large, resulting in a massive memory leak and eventual VM freeze. To partially solve this problem, make the number of entries that the VM will attempt to free at each iteration tunable. The default is still 10, but it can be overridden via a module parameter. This is Cc: stable because (when combined with appropriate userspace changes) it fixes a severe performance and stability problem for Qubes OS users. CVE-2023-54081 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54081.html CVE-2023-54081 https://bugzilla.suse.com/1256361 SUSE Bug 1256361 In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Clear the driver reference in usb-phy dev For the dual-role port, it will assign the phy dev to usb-phy dev and use the port dev driver as the dev driver of usb-phy. When we try to destroy the port dev, it will destroy its dev driver as well. But we did not remove the reference from usb-phy dev. This might cause the use-after-free issue in KASAN. CVE-2023-54083 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54083.html CVE-2023-54083 https://bugzilla.suse.com/1256368 SUSE Bug 1256368 In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: hold queue_lock when removing blkg->q_node When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock has to be held, otherwise, all kinds of bugs(list corruption, hard lockup, ..) can be triggered from blkg_destroy_all(). CVE-2023-54088 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54088.html CVE-2023-54088 https://bugzilla.suse.com/1256263 SUSE Bug 1256263 In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: add the missing REQ_OP_WRITE for flush bio When doing mkfs.xfs on a pmem device, the following warning was ------------[ cut here ]------------ WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct Modules linked in: CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:submit_bio_noacct+0x340/0x520 ...... Call Trace: <TASK> ? submit_bio_noacct+0xd5/0x520 submit_bio+0x37/0x60 async_pmem_flush+0x79/0xa0 nvdimm_flush+0x17/0x40 pmem_submit_bio+0x370/0x390 __submit_bio+0xbc/0x190 submit_bio_noacct_nocheck+0x14d/0x370 submit_bio_noacct+0x1ef/0x520 submit_bio+0x55/0x60 submit_bio_wait+0x5a/0xc0 blkdev_issue_flush+0x44/0x60 The root cause is that submit_bio_noacct() needs bio_op() is either WRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign REQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail the flush bio. Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we could fix the flush order issue and do flush optimization later. CVE-2023-54089 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54089.html CVE-2023-54089 https://bugzilla.suse.com/1256268 SUSE Bug 1256268 In the Linux kernel, the following vulnerability has been resolved: drm/client: Fix memory leak in drm_client_target_cloned dmt_mode is allocated and never freed in this function. It was found with the ast driver, but most drivers using generic fbdev setup are probably affected. This fixes the following kmemleak report: backtrace: [<00000000b391296d>] drm_mode_duplicate+0x45/0x220 [drm] [<00000000e45bb5b3>] drm_client_target_cloned.constprop.0+0x27b/0x480 [drm] [<00000000ed2d3a37>] drm_client_modeset_probe+0x6bd/0xf50 [drm] [<0000000010e5cc9d>] __drm_fb_helper_initial_config_and_unlock+0xb4/0x2c0 [drm_kms_helper] [<00000000909f82ca>] drm_fbdev_client_hotplug+0x2bc/0x4d0 [drm_kms_helper] [<00000000063a69aa>] drm_client_register+0x169/0x240 [drm] [<00000000a8c61525>] ast_pci_probe+0x142/0x190 [ast] [<00000000987f19bb>] local_pci_probe+0xdc/0x180 [<000000004fca231b>] work_for_cpu_fn+0x4e/0xa0 [<0000000000b85301>] process_one_work+0x8b7/0x1540 [<000000003375b17c>] worker_thread+0x70a/0xed0 [<00000000b0d43cd9>] kthread+0x29f/0x340 [<000000008d770833>] ret_from_fork+0x1f/0x30 unreferenced object 0xff11000333089a00 (size 128): CVE-2023-54091 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54091.html CVE-2023-54091 https://bugzilla.suse.com/1256274 SUSE Bug 1256274 In the Linux kernel, the following vulnerability has been resolved: KVM: s390: pv: fix index value of replaced ASCE The index field of the struct page corresponding to a guest ASCE should be 0. When replacing the ASCE in s390_replace_asce(), the index of the new ASCE should also be set to 0. Having the wrong index might lead to the wrong addresses being passed around when notifying pte invalidations, and eventually to validity intercepts (VM crash) if the prefix gets unmapped and the notifier gets called with the wrong address. CVE-2023-54092 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54092.html CVE-2023-54092 https://bugzilla.suse.com/1256370 SUSE Bug 1256370 In the Linux kernel, the following vulnerability has been resolved: media: anysee: fix null-ptr-deref in anysee_master_xfer In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") [hverkuil: add spaces around +] CVE-2023-54093 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54093.html CVE-2023-54093 https://bugzilla.suse.com/1256273 SUSE Bug 1256273 In the Linux kernel, the following vulnerability has been resolved: net: prevent skb corruption on frag list segmentation Ian reported several skb corruptions triggered by rx-gro-list, collecting different oops alike: [ 62.624003] BUG: kernel NULL pointer dereference, address: 00000000000000c0 [ 62.631083] #PF: supervisor read access in kernel mode [ 62.636312] #PF: error_code(0x0000) - not-present page [ 62.641541] PGD 0 P4D 0 [ 62.644174] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 62.648629] CPU: 1 PID: 913 Comm: napi/eno2-79 Not tainted 6.4.0 #364 [ 62.655162] Hardware name: Supermicro Super Server/A2SDi-12C-HLN4F, BIOS 1.7a 10/13/2022 [ 62.663344] RIP: 0010:__udp_gso_segment (./include/linux/skbuff.h:2858 ./include/linux/udp.h:23 net/ipv4/udp_offload.c:228 net/ipv4/udp_offload.c:261 net/ipv4/udp_offload.c:277) [ 62.687193] RSP: 0018:ffffbd3a83b4f868 EFLAGS: 00010246 [ 62.692515] RAX: 00000000000000ce RBX: 0000000000000000 RCX: 0000000000000000 [ 62.699743] RDX: ffffa124def8a000 RSI: 0000000000000079 RDI: ffffa125952a14d4 [ 62.706970] RBP: ffffa124def8a000 R08: 0000000000000022 R09: 00002000001558c9 [ 62.714199] R10: 0000000000000000 R11: 00000000be554639 R12: 00000000000000e2 [ 62.721426] R13: ffffa125952a1400 R14: ffffa125952a1400 R15: 00002000001558c9 [ 62.728654] FS: 0000000000000000(0000) GS:ffffa127efa40000(0000) knlGS:0000000000000000 [ 62.736852] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 62.742702] CR2: 00000000000000c0 CR3: 00000001034b0000 CR4: 00000000003526e0 [ 62.749948] Call Trace: [ 62.752498] <TASK> [ 62.779267] inet_gso_segment (net/ipv4/af_inet.c:1398) [ 62.787605] skb_mac_gso_segment (net/core/gro.c:141) [ 62.791906] __skb_gso_segment (net/core/dev.c:3403 (discriminator 2)) [ 62.800492] validate_xmit_skb (./include/linux/netdevice.h:4862 net/core/dev.c:3659) [ 62.804695] validate_xmit_skb_list (net/core/dev.c:3710) [ 62.809158] sch_direct_xmit (net/sched/sch_generic.c:330) [ 62.813198] __dev_queue_xmit (net/core/dev.c:3805 net/core/dev.c:4210) net/netfilter/core.c:626) [ 62.821093] br_dev_queue_push_xmit (net/bridge/br_forward.c:55) [ 62.825652] maybe_deliver (net/bridge/br_forward.c:193) [ 62.829420] br_flood (net/bridge/br_forward.c:233) [ 62.832758] br_handle_frame_finish (net/bridge/br_input.c:215) [ 62.837403] br_handle_frame (net/bridge/br_input.c:298 net/bridge/br_input.c:416) [ 62.851417] __netif_receive_skb_core.constprop.0 (net/core/dev.c:5387) [ 62.866114] __netif_receive_skb_list_core (net/core/dev.c:5570) [ 62.871367] netif_receive_skb_list_internal (net/core/dev.c:5638 net/core/dev.c:5727) [ 62.876795] napi_complete_done (./include/linux/list.h:37 ./include/net/gro.h:434 ./include/net/gro.h:429 net/core/dev.c:6067) [ 62.881004] ixgbe_poll (drivers/net/ethernet/intel/ixgbe/ixgbe_main.c:3191) [ 62.893534] __napi_poll (net/core/dev.c:6498) [ 62.897133] napi_threaded_poll (./include/linux/netpoll.h:89 net/core/dev.c:6640) [ 62.905276] kthread (kernel/kthread.c:379) [ 62.913435] ret_from_fork (arch/x86/entry/entry_64.S:314) [ 62.917119] </TASK> In the critical scenario, rx-gro-list GRO-ed packets are fed, via a bridge, both to the local input path and to an egress device (tun). The segmentation of such packets unsafely writes to the cloned skbs with shared heads. This change addresses the issue by uncloning as needed the to-be-segmented skbs. CVE-2023-54094 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54094.html CVE-2023-54094 https://bugzilla.suse.com/1256292 SUSE Bug 1256292 In the Linux kernel, the following vulnerability has been resolved: powerpc/iommu: Fix notifiers being shared by PCI and VIO buses fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both PCI and VIO buses. struct notifier_block is a linked list node, so this causes any notifiers later registered to either bus type to also be registered to the other since they share the same node. This causes issues in (at least) the vgaarb code, which registers a notifier for PCI buses. pci_notify() ends up being called on a vio device, converted with to_pci_dev() even though it's not a PCI device, and finally makes a bad access in vga_arbiter_add_pci_device() as discovered with KASAN: BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00 Read of size 4 at addr c000000264c26fdc by task swapper/0/1 Call Trace: dump_stack_lvl+0x1bc/0x2b8 (unreliable) print_report+0x3f4/0xc60 kasan_report+0x244/0x698 __asan_load4+0xe8/0x250 vga_arbiter_add_pci_device+0x60/0xe00 pci_notify+0x88/0x444 notifier_call_chain+0x104/0x320 blocking_notifier_call_chain+0xa0/0x140 device_add+0xac8/0x1d30 device_register+0x58/0x80 vio_register_device_node+0x9ac/0xce0 vio_bus_scan_register_devices+0xc4/0x13c __machine_initcall_pseries_vio_device_init+0x94/0xf0 do_one_initcall+0x12c/0xaa8 kernel_init_freeable+0xa48/0xba8 kernel_init+0x64/0x400 ret_from_kernel_thread+0x5c/0x64 Fix this by creating separate notifier_block structs for each bus type. [mpe: Add #ifdef to fix CONFIG_IBMVIO=n build] CVE-2023-54095 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54095.html CVE-2023-54095 https://bugzilla.suse.com/1256271 SUSE Bug 1256271 https://bugzilla.suse.com/1256272 SUSE Bug 1256272 In the Linux kernel, the following vulnerability has been resolved: soundwire: fix enumeration completion The soundwire subsystem uses two completion structures that allow drivers to wait for soundwire device to become enumerated on the bus and initialised by their drivers, respectively. The code implementing the signalling is currently broken as it does not signal all current and future waiters and also uses the wrong reinitialisation function, which can potentially lead to memory corruption if there are still waiters on the queue. Not signalling future waiters specifically breaks sound card probe deferrals as codec drivers can not tell that the soundwire device is already attached when being reprobed. Some codec runtime PM implementations suffer from similar problems as waiting for enumeration during resume can also timeout despite the device already having been enumerated. CVE-2023-54096 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54096.html CVE-2023-54096 https://bugzilla.suse.com/1256178 SUSE Bug 1256178 In the Linux kernel, the following vulnerability has been resolved: fs: Protect reconfiguration of sb read-write from racing writes The reconfigure / remount code takes a lot of effort to protect filesystem's reconfiguration code from racing writes on remounting read-only. However during remounting read-only filesystem to read-write mode userspace writes can start immediately once we clear SB_RDONLY flag. This is inconvenient for example for ext4 because we need to do some writes to the filesystem (such as preparation of quota files) before we can take userspace writes so we are clearing SB_RDONLY flag before we are fully ready to accept userpace writes and syzbot has found a way to exploit this [1]. Also as far as I'm reading the code the filesystem remount code was protected from racing writes in the legacy mount path by the mount's MNT_READONLY flag so this is relatively new problem. It is actually fairly easy to protect remount read-write from racing writes using sb->s_readonly_remount flag so let's just do that instead of having to workaround these races in the filesystem code. [1] https://lore.kernel.org/all/00000000000006a0df05f6667499@google.com/T/ CVE-2023-54099 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54099.html CVE-2023-54099 https://bugzilla.suse.com/1256197 SUSE Bug 1256197 In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: use _safe loop iterator to avoid a use after free The hash_for_each_possible() loop dereferences "eve_data" to get the next item on the list. However the loop frees eve_data so it leads to a use after free. Use hash_for_each_possible_safe() instead. CVE-2023-54101 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54101.html CVE-2023-54101 https://bugzilla.suse.com/1256153 SUSE Bug 1256153 In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: fsl_upm: Fix an off-by one test in fun_exec_op() 'op-cs' is copied in 'fun->mchip_number' which is used to access the 'mchip_offsets' and the 'rnb_gpio' arrays. These arrays have NAND_MAX_CHIPS elements, so the index must be below this limit. Fix the sanity check in order to avoid the NAND_MAX_CHIPS value. This would lead to out-of-bound accesses. CVE-2023-54104 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54104.html CVE-2023-54104 https://bugzilla.suse.com/1256145 SUSE Bug 1256145 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fix potential memory leak in mlx5e_init_rep_rx The memory pointed to by the priv->rx_res pointer is not freed in the error path of mlx5e_init_rep_rx, which can lead to a memory leak. Fix by freeing the memory in the error path, thereby making the error path identical to mlx5e_cleanup_rep_rx(). CVE-2023-54106 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54106.html CVE-2023-54106 https://bugzilla.suse.com/1256358 SUSE Bug 1256358 In the Linux kernel, the following vulnerability has been resolved: kcm: Fix memory leak in error path of kcm_sendmsg() syzbot reported a memory leak like below: BUG: memory leak unreferenced object 0xffff88810b088c00 (size 240): comm "syz-executor186", pid 5012, jiffies 4294943306 (age 13.680s) hex dump (first 32 bytes): 00 89 08 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83e5d5ff>] __alloc_skb+0x1ef/0x230 net/core/skbuff.c:634 [<ffffffff84606e59>] alloc_skb include/linux/skbuff.h:1289 [inline] [<ffffffff84606e59>] kcm_sendmsg+0x269/0x1050 net/kcm/kcmsock.c:815 [<ffffffff83e479c6>] sock_sendmsg_nosec net/socket.c:725 [inline] [<ffffffff83e479c6>] sock_sendmsg+0x56/0xb0 net/socket.c:748 [<ffffffff83e47f55>] ____sys_sendmsg+0x365/0x470 net/socket.c:2494 [<ffffffff83e4c389>] ___sys_sendmsg+0xc9/0x130 net/socket.c:2548 [<ffffffff83e4c536>] __sys_sendmsg+0xa6/0x120 net/socket.c:2577 [<ffffffff84ad7bb8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84ad7bb8>] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 [<ffffffff84c0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd In kcm_sendmsg(), kcm_tx_msg(head)->last_skb is used as a cursor to append newly allocated skbs to 'head'. If some bytes are copied, an error occurred, and jumped to out_error label, 'last_skb' is left unmodified. A later kcm_sendmsg() will use an obsoleted 'last_skb' reference, corrupting the 'head' frag_list and causing the leak. This patch fixes this issue by properly updating the last allocated skb in 'last_skb'. CVE-2023-54112 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54112.html CVE-2023-54112 https://bugzilla.suse.com/1256354 SUSE Bug 1256354 In the Linux kernel, the following vulnerability has been resolved: rcu: dump vmalloc memory info safely Currently, for double invoke call_rcu(), will dump rcu_head objects memory info, if the objects is not allocated from the slab allocator, the vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to be held, since the call_rcu() can be invoked in interrupt context, therefore, there is a possibility of spinlock deadlock scenarios. And in Preempt-RT kernel, the rcutorture test also trigger the following lockdep warning: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0 preempt_count: 1, expected: 0 RCU nest depth: 1, expected: 1 3 locks held by swapper/0/1: #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0 #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370 #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70 irq event stamp: 565512 hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940 hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370 softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170 softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0 Preemption disabled at: [<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370 CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x68/0xb0 dump_stack+0x14/0x20 __might_resched+0x1aa/0x280 ? __pfx_rcu_torture_err_cb+0x10/0x10 rt_spin_lock+0x53/0x130 ? find_vmap_area+0x1f/0x70 find_vmap_area+0x1f/0x70 vmalloc_dump_obj+0x20/0x60 mem_dump_obj+0x22/0x90 __call_rcu_common+0x5bf/0x940 ? debug_smp_processor_id+0x1b/0x30 call_rcu_hurry+0x14/0x20 rcu_torture_init+0x1f82/0x2370 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_leak_cb+0x10/0x10 ? __pfx_rcu_torture_init+0x10/0x10 do_one_initcall+0x6c/0x300 ? debug_smp_processor_id+0x1b/0x30 kernel_init_freeable+0x2b9/0x540 ? __pfx_kernel_init+0x10/0x10 kernel_init+0x1f/0x150 ret_from_fork+0x40/0x50 ? __pfx_kernel_init+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> The previous patch fixes this by using the deadlock-safe best-effort version of find_vm_area. However, in case of failure print the fact that the pointer was a vmalloc pointer so that we print at least something. CVE-2023-54113 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54113.html CVE-2023-54113 https://bugzilla.suse.com/1256351 SUSE Bug 1256351 In the Linux kernel, the following vulnerability has been resolved: pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() When nonstatic_release_resource_db() frees all resources associated with an PCMCIA socket, it forgets to free socket_data too, causing a memory leak observable with kmemleak: unreferenced object 0xc28d1000 (size 64): comm "systemd-udevd", pid 297, jiffies 4294898478 (age 194.484s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 f0 85 0e c3 00 00 00 00 ................ 00 00 00 00 0c 10 8d c2 00 00 00 00 00 00 00 00 ................ backtrace: [<ffda4245>] __kmem_cache_alloc_node+0x2d7/0x4a0 [<7e51f0c8>] kmalloc_trace+0x31/0xa4 [<d52b4ca0>] nonstatic_init+0x24/0x1a4 [pcmcia_rsrc] [<a2f13e08>] pcmcia_register_socket+0x200/0x35c [pcmcia_core] [<a728be1b>] yenta_probe+0x4d8/0xa70 [yenta_socket] [<c48fac39>] pci_device_probe+0x99/0x194 [<84b7c690>] really_probe+0x181/0x45c [<8060fe6e>] __driver_probe_device+0x75/0x1f4 [<b9b76f43>] driver_probe_device+0x28/0xac [<648b766f>] __driver_attach+0xeb/0x1e4 [<6e9659eb>] bus_for_each_dev+0x61/0xb4 [<25a669f3>] driver_attach+0x1e/0x28 [<d8671d6b>] bus_add_driver+0x102/0x20c [<df0d323c>] driver_register+0x5b/0x120 [<942cd8a4>] __pci_register_driver+0x44/0x4c [<e536027e>] __UNIQUE_ID___addressable_cleanup_module188+0x1c/0xfffff000 [iTCO_vendor_support] Fix this by freeing socket_data too. Tested on a Acer Travelmate 4002WLMi by manually binding/unbinding the yenta_cardbus driver (yenta_socket). CVE-2023-54115 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54115.html CVE-2023-54115 https://bugzilla.suse.com/1256121 SUSE Bug 1256121 In the Linux kernel, the following vulnerability has been resolved: s390/dcssblk: fix kernel crash with list_add corruption Commit fb08a1908cb1 ("dax: simplify the dax_device <-> gendisk association") introduced new logic for gendisk association, requiring drivers to explicitly call dax_add_host() and dax_remove_host(). For dcssblk driver, some dax_remove_host() calls were missing, e.g. in device remove path. The commit also broke error handling for out_dax case in device add path, resulting in an extra put_device() w/o the previous get_device() in that case. This lead to stale xarray entries after device add / remove cycles. In the case when a previously used struct gendisk pointer (xarray index) would be used again, because blk_alloc_disk() happened to return such a pointer, the xa_insert() in dax_add_host() would fail and go to out_dax, doing the extra put_device() in the error path. In combination with an already flawed error handling in dcssblk (device_register() cleanup), which needs to be addressed in a separate patch, this resulted in a missing device_del() / klist_del(), and eventually in the kernel crash with list_add corruption on a subsequent device_add() / klist_add(). Fix this by adding the missing dax_remove_host() calls, and also move the put_device() in the error path to restore the previous logic. CVE-2023-54117 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54117.html CVE-2023-54117 https://bugzilla.suse.com/1256348 SUSE Bug 1256348 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range In production we were seeing a variety of WARN_ON()'s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split. Consider the following extent map layout PINNED [0 16K) [32K, 48K) and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have start = 0 end = 36K len = 36K we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code start = em_end; if (end != (u64)-1) len = start + len - em_end; em_end here is 16K, so now the values are start = 16K len = 16K + 36K - 16K = 36K len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this split->start = start + len; split->len = em_end - (start + len); In this case we have em_end = 48K split->start = 16K + 36K // this should be 16K + 20K split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations. We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip. Adjust the logic to do this, which keeps us from inserting an invalid extent map. We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on. CVE-2023-54121 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54121.html CVE-2023-54121 https://bugzilla.suse.com/1256267 SUSE Bug 1256267 In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Return error for inconsistent extended attributes ntfs_read_ea is called when we want to read extended attributes. There are some sanity checks for the validity of the EAs. However, it fails to return a proper error code for the inconsistent attributes, which might lead to unpredicted memory accesses after return. [ 138.916927] BUG: KASAN: use-after-free in ntfs_set_ea+0x453/0xbf0 [ 138.923876] Write of size 4 at addr ffff88800205cfac by task poc/199 [ 138.931132] [ 138.933016] CPU: 0 PID: 199 Comm: poc Not tainted 6.2.0-rc1+ #4 [ 138.938070] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 138.947327] Call Trace: [ 138.949557] <TASK> [ 138.951539] dump_stack_lvl+0x4d/0x67 [ 138.956834] print_report+0x16f/0x4a6 [ 138.960798] ? ntfs_set_ea+0x453/0xbf0 [ 138.964437] ? kasan_complete_mode_report_info+0x7d/0x200 [ 138.969793] ? ntfs_set_ea+0x453/0xbf0 [ 138.973523] kasan_report+0xb8/0x140 [ 138.976740] ? ntfs_set_ea+0x453/0xbf0 [ 138.980578] __asan_store4+0x76/0xa0 [ 138.984669] ntfs_set_ea+0x453/0xbf0 [ 138.988115] ? __pfx_ntfs_set_ea+0x10/0x10 [ 138.993390] ? kernel_text_address+0xd3/0xe0 [ 138.998270] ? __kernel_text_address+0x16/0x50 [ 139.002121] ? unwind_get_return_address+0x3e/0x60 [ 139.005659] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 139.010177] ? arch_stack_walk+0xa2/0x100 [ 139.013657] ? filter_irq_stacks+0x27/0x80 [ 139.017018] ntfs_setxattr+0x405/0x440 [ 139.022151] ? __pfx_ntfs_setxattr+0x10/0x10 [ 139.026569] ? kvmalloc_node+0x2d/0x120 [ 139.030329] ? kasan_save_stack+0x41/0x60 [ 139.033883] ? kasan_save_stack+0x2a/0x60 [ 139.037338] ? kasan_set_track+0x29/0x40 [ 139.040163] ? kasan_save_alloc_info+0x1f/0x30 [ 139.043588] ? __kasan_kmalloc+0x8b/0xa0 [ 139.047255] ? __kmalloc_node+0x68/0x150 [ 139.051264] ? kvmalloc_node+0x2d/0x120 [ 139.055301] ? vmemdup_user+0x2b/0xa0 [ 139.058584] __vfs_setxattr+0x121/0x170 [ 139.062617] ? __pfx___vfs_setxattr+0x10/0x10 [ 139.066282] __vfs_setxattr_noperm+0x97/0x300 [ 139.070061] __vfs_setxattr_locked+0x145/0x170 [ 139.073580] vfs_setxattr+0x137/0x2a0 [ 139.076641] ? __pfx_vfs_setxattr+0x10/0x10 [ 139.080223] ? __kasan_check_write+0x18/0x20 [ 139.084234] do_setxattr+0xce/0x150 [ 139.087768] setxattr+0x126/0x140 [ 139.091250] ? __pfx_setxattr+0x10/0x10 [ 139.094948] ? __virt_addr_valid+0xcb/0x140 [ 139.097838] ? __call_rcu_common.constprop.0+0x1c7/0x330 [ 139.102688] ? debug_smp_processor_id+0x1b/0x30 [ 139.105985] ? kasan_quarantine_put+0x5b/0x190 [ 139.109980] ? putname+0x84/0xa0 [ 139.113886] ? __kasan_slab_free+0x11e/0x1b0 [ 139.117961] ? putname+0x84/0xa0 [ 139.121316] ? preempt_count_sub+0x1c/0xd0 [ 139.124427] ? __mnt_want_write+0xae/0x100 [ 139.127836] ? mnt_want_write+0x8f/0x150 [ 139.130954] path_setxattr+0x164/0x180 [ 139.133998] ? __pfx_path_setxattr+0x10/0x10 [ 139.137853] ? __pfx_ksys_pwrite64+0x10/0x10 [ 139.141299] ? debug_smp_processor_id+0x1b/0x30 [ 139.145714] ? fpregs_assert_state_consistent+0x6b/0x80 [ 139.150796] __x64_sys_setxattr+0x71/0x90 [ 139.155407] do_syscall_64+0x3f/0x90 [ 139.159035] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 139.163843] RIP: 0033:0x7f108cae4469 [ 139.166481] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 139.183764] RSP: 002b:00007fff87588388 EFLAGS: 00000286 ORIG_RAX: 00000000000000bc [ 139.190657] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f108cae4469 [ 139.196586] RDX: 00007fff875883b0 RSI: 00007fff875883d1 RDI: 00007fff875883b6 [ 139.201716] RBP: 00007fff8758c530 R08: 0000000000000001 R09: 00007fff8758c618 [ 139.207940] R10: 0000000000000006 R11: 0000000000000286 R12: 00000000004004c0 [ 139.214007] R13: 00007fff8758c610 R14: 0000000000000000 R15 ---truncated--- CVE-2023-54125 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54125.html CVE-2023-54125 https://bugzilla.suse.com/1256117 SUSE Bug 1256117 In the Linux kernel, the following vulnerability has been resolved: fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() Syzkaller reported the following issue: ================================================================== BUG: KASAN: double-free in slab_free mm/slub.c:3787 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3800 Free of addr ffff888086408000 by task syz-executor.4/12750 [...] Call Trace: <TASK> [...] kasan_report_invalid_free+0xac/0xd0 mm/kasan/report.c:482 ____kasan_slab_free+0xfb/0x120 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_umount+0x248/0x3b0 fs/jfs/jfs_umount.c:87 jfs_put_super+0x86/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x130/0x310 fs/super.c:492 kill_block_super+0x79/0xd0 fs/super.c:1386 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 cleanup_mnt+0x494/0x520 fs/namespace.c:1291 task_work_run+0x243/0x300 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop+0x124/0x150 kernel/entry/common.c:171 exit_to_user_mode_prepare+0xb2/0x140 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x26/0x60 kernel/entry/common.c:296 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] </TASK> Allocated by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380 kmalloc include/linux/slab.h:580 [inline] dbMount+0x54/0x980 fs/jfs/jfs_dmap.c:164 jfs_mount+0x1dd/0x830 fs/jfs/jfs_mount.c:121 jfs_fill_super+0x590/0xc50 fs/jfs/super.c:556 mount_bdev+0x26c/0x3a0 fs/super.c:1359 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1489 do_new_mount+0x289/0xad0 fs/namespace.c:3145 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x2d3/0x3c0 fs/namespace.c:3674 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 13352: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x3d/0x60 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1781 [inline] slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807 slab_free mm/slub.c:3787 [inline] __kmem_cache_free+0x71/0x110 mm/slub.c:3800 dbUnmount+0xf4/0x110 fs/jfs/jfs_dmap.c:264 jfs_mount_rw+0x545/0x740 fs/jfs/jfs_mount.c:247 jfs_remount+0x3db/0x710 fs/jfs/super.c:454 reconfigure_super+0x3bc/0x7b0 fs/super.c:935 vfs_fsconfig_locked fs/fsopen.c:254 [inline] __do_sys_fsconfig fs/fsopen.c:439 [inline] __se_sys_fsconfig+0xad5/0x1060 fs/fsopen.c:314 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] JFS_SBI(ipbmap->i_sb)->bmap wasn't set to NULL after kfree() in dbUnmount(). Syzkaller uses faultinject to reproduce this KASAN double-free warning. The issue is triggered if either diMount() or dbMount() fail in jfs_remount(), since diUnmount() or dbUnmount() already happened in such a case - they will do double-free on next execution: jfs_umount or jfs_remount. Tested on both upstream and jfs-next by syzkaller. CVE-2023-54127 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54127.html CVE-2023-54127 https://bugzilla.suse.com/1256119 SUSE Bug 1256119 In the Linux kernel, the following vulnerability has been resolved: nfp: clean mc addresses in application firmware when closing port When moving devices from one namespace to another, mc addresses are cleaned in software while not removed from application firmware. Thus the mc addresses are remained and will cause resource leak. Now use `__dev_mc_unsync` to clean mc addresses when closing port. CVE-2023-54133 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54133.html CVE-2023-54133 https://bugzilla.suse.com/1256104 SUSE Bug 1256104 In the Linux kernel, the following vulnerability has been resolved: autofs: fix memory leak of waitqueues in autofs_catatonic_mode Syzkaller reports a memory leak: BUG: memory leak unreferenced object 0xffff88810b279e00 (size 96): comm "syz-executor399", pid 3631, jiffies 4294964921 (age 23.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 9e 27 0b 81 88 ff ff ..........'..... 08 9e 27 0b 81 88 ff ff 00 00 00 00 00 00 00 00 ..'............. backtrace: [<ffffffff814cfc90>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046 [<ffffffff81bb75ca>] kmalloc include/linux/slab.h:576 [inline] [<ffffffff81bb75ca>] autofs_wait+0x3fa/0x9a0 fs/autofs/waitq.c:378 [<ffffffff81bb88a7>] autofs_do_expire_multi+0xa7/0x3e0 fs/autofs/expire.c:593 [<ffffffff81bb8c33>] autofs_expire_multi+0x53/0x80 fs/autofs/expire.c:619 [<ffffffff81bb6972>] autofs_root_ioctl_unlocked+0x322/0x3b0 fs/autofs/root.c:897 [<ffffffff81bb6a95>] autofs_root_ioctl+0x25/0x30 fs/autofs/root.c:910 [<ffffffff81602a9c>] vfs_ioctl fs/ioctl.c:51 [inline] [<ffffffff81602a9c>] __do_sys_ioctl fs/ioctl.c:870 [inline] [<ffffffff81602a9c>] __se_sys_ioctl fs/ioctl.c:856 [inline] [<ffffffff81602a9c>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:856 [<ffffffff84608225>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff84608225>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd autofs_wait_queue structs should be freed if their wait_ctr becomes zero. Otherwise they will be lost. In this case an AUTOFS_IOC_EXPIRE_MULTI ioctl is done, then a new waitqueue struct is allocated in autofs_wait(), its initial wait_ctr equals 2. After that wait_event_killable() is interrupted (it returns -ERESTARTSYS), so that 'wq->name.name == NULL' condition may be not satisfied. Actually, this condition can be satisfied when autofs_wait_release() or autofs_catatonic_mode() is called and, what is also important, wait_ctr is decremented in those places. Upon the exit of autofs_wait(), wait_ctr is decremented to 1. Then the unmounting process begins: kill_sb calls autofs_catatonic_mode(), which should have freed the waitqueues, but it only decrements its usage counter to zero which is not a correct behaviour. edit:imk This description is of course not correct. The umount performed as a result of an expire is a umount of a mount that has been automounted, it's not the autofs mount itself. They happen independently, usually after everything mounted within the autofs file system has been expired away. If everything hasn't been expired away the automount daemon can still exit leaving mounts in place. But expires done in both cases will result in a notification that calls autofs_wait_release() with a result status. The problem case is the summary execution of of the automount daemon. In this case any waiting processes won't be woken up until either they are terminated or the mount is umounted. end edit: imk So in catatonic mode we should free waitqueues which counter becomes zero. edit: imk Initially I was concerned that the calling of autofs_wait_release() and autofs_catatonic_mode() was not mutually exclusive but that can't be the case (obviously) because the queue entry (or entries) is removed from the list when either of these two functions are called. Consequently the wait entry will be freed by only one of these functions or by the woken process in autofs_wait() depending on the order of the calls. end edit: imk CVE-2023-54134 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54134.html CVE-2023-54134 https://bugzilla.suse.com/1256106 SUSE Bug 1256106 In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix potential out-of-bounds access in mas_wr_end_piv() Check the write offset end bounds before using it as the offset into the pivot array. This avoids a possible out-of-bounds access on the pivot array if the write extends to the last slot in the node, in which case the node maximum should be used as the end pivot. akpm: this doesn't affect any current callers, but new users of mapletree may encounter this problem if backported into earlier kernels, so let's fix it in -stable kernels in case of this. CVE-2023-54135 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54135.html CVE-2023-54135 https://bugzilla.suse.com/1256107 SUSE Bug 1256107 In the Linux kernel, the following vulnerability has been resolved: serial: sprd: Fix DMA buffer leak issue Release DMA buffer when _probe() returns failure to avoid memory leak. CVE-2023-54136 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54136.html CVE-2023-54136 https://bugzilla.suse.com/1256099 SUSE Bug 1256099 In the Linux kernel, the following vulnerability has been resolved: vfio/type1: fix cap_migration information leak Fix an information leak where an uninitialized hole in struct vfio_iommu_type1_info_cap_migration on the stack is exposed to userspace. The definition of struct vfio_iommu_type1_info_cap_migration contains a hole as shown in this pahole(1) output: struct vfio_iommu_type1_info_cap_migration { struct vfio_info_cap_header header; /* 0 8 */ __u32 flags; /* 8 4 */ /* XXX 4 bytes hole, try to pack */ __u64 pgsize_bitmap; /* 16 8 */ __u64 max_dirty_bitmap_size; /* 24 8 */ /* size: 32, cachelines: 1, members: 4 */ /* sum members: 28, holes: 1, sum holes: 4 */ /* last cacheline: 32 bytes */ }; The cap_mig variable is filled in without initializing the hole: static int vfio_iommu_migration_build_caps(struct vfio_iommu *iommu, struct vfio_info_cap *caps) { struct vfio_iommu_type1_info_cap_migration cap_mig; cap_mig.header.id = VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION; cap_mig.header.version = 1; cap_mig.flags = 0; /* support minimum pgsize */ cap_mig.pgsize_bitmap = (size_t)1 << __ffs(iommu->pgsize_bitmap); cap_mig.max_dirty_bitmap_size = DIRTY_BITMAP_SIZE_MAX; return vfio_info_add_capability(caps, &cap_mig.header, sizeof(cap_mig)); } The structure is then copied to a temporary location on the heap. At this point it's already too late and ioctl(VFIO_IOMMU_GET_INFO) copies it to userspace later: int vfio_info_add_capability(struct vfio_info_cap *caps, struct vfio_info_cap_header *cap, size_t size) { struct vfio_info_cap_header *header; header = vfio_info_cap_add(caps, size, cap->id, cap->version); if (IS_ERR(header)) return PTR_ERR(header); memcpy(header + 1, cap + 1, size - sizeof(*header)); return 0; } This issue was found by code inspection. CVE-2023-54137 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54137.html CVE-2023-54137 https://bugzilla.suse.com/1256100 SUSE Bug 1256100 In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse A syzbot stress test using a corrupted disk image reported that mark_buffer_dirty() called from __nilfs_mark_inode_dirty() or nilfs_palloc_commit_alloc_entry() may output a kernel warning, and can panic if the kernel is booted with panic_on_warn. This is because nilfs2 keeps buffer pointers in local structures for some metadata and reuses them, but such buffers may be forcibly discarded by nilfs_clear_dirty_page() in some critical situations. This issue is reported to appear after commit 28a65b49eb53 ("nilfs2: do not write dirty data after degenerating to read-only"), but the issue has potentially existed before. Fix this issue by checking the uptodate flag when attempting to reuse an internally held buffer, and reloading the metadata instead of reusing the buffer if the flag was lost. CVE-2023-54140 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54140.html CVE-2023-54140 https://bugzilla.suse.com/1256093 SUSE Bug 1256093 In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Add missing hw_ops->get_ring_selector() for IPQ5018 During sending data after clients connected, hw_ops->get_ring_selector() will be called. But for IPQ5018, this member isn't set, and the following NULL pointer exception will be occurred: [ 38.840478] 8<--- cut here --- [ 38.840517] Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [ 38.923161] PC is at 0x0 [ 38.927930] LR is at ath11k_dp_tx+0x70/0x730 [ath11k] ... [ 39.063264] Process hostapd (pid: 1034, stack limit = 0x801ceb3d) [ 39.068994] Stack: (0x856a9a68 to 0x856aa000) ... [ 39.438467] [<7f323804>] (ath11k_dp_tx [ath11k]) from [<7f314e6c>] (ath11k_mac_op_tx+0x80/0x190 [ath11k]) [ 39.446607] [<7f314e6c>] (ath11k_mac_op_tx [ath11k]) from [<7f17dbe0>] (ieee80211_handle_wake_tx_queue+0x7c/0xc0 [mac80211]) [ 39.456162] [<7f17dbe0>] (ieee80211_handle_wake_tx_queue [mac80211]) from [<7f174450>] (ieee80211_probereq_get+0x584/0x704 [mac80211]) [ 39.467443] [<7f174450>] (ieee80211_probereq_get [mac80211]) from [<7f178c40>] (ieee80211_tx_prepare_skb+0x1f8/0x248 [mac80211]) [ 39.479334] [<7f178c40>] (ieee80211_tx_prepare_skb [mac80211]) from [<7f179e28>] (__ieee80211_subif_start_xmit+0x32c/0x3d4 [mac80211]) [ 39.491053] [<7f179e28>] (__ieee80211_subif_start_xmit [mac80211]) from [<7f17af08>] (ieee80211_tx_control_port+0x19c/0x288 [mac80211]) [ 39.502946] [<7f17af08>] (ieee80211_tx_control_port [mac80211]) from [<7f0fc704>] (nl80211_tx_control_port+0x174/0x1d4 [cfg80211]) [ 39.515017] [<7f0fc704>] (nl80211_tx_control_port [cfg80211]) from [<808ceac4>] (genl_rcv_msg+0x154/0x340) [ 39.526814] [<808ceac4>] (genl_rcv_msg) from [<808cdb74>] (netlink_rcv_skb+0xb8/0x11c) [ 39.536446] [<808cdb74>] (netlink_rcv_skb) from [<808ce1d0>] (genl_rcv+0x28/0x34) [ 39.544344] [<808ce1d0>] (genl_rcv) from [<808cd234>] (netlink_unicast+0x174/0x274) [ 39.551895] [<808cd234>] (netlink_unicast) from [<808cd510>] (netlink_sendmsg+0x1dc/0x440) [ 39.559362] [<808cd510>] (netlink_sendmsg) from [<808596e0>] (____sys_sendmsg+0x1a8/0x1fc) [ 39.567697] [<808596e0>] (____sys_sendmsg) from [<8085b1a8>] (___sys_sendmsg+0xa4/0xdc) [ 39.575941] [<8085b1a8>] (___sys_sendmsg) from [<8085b310>] (sys_sendmsg+0x44/0x74) [ 39.583841] [<8085b310>] (sys_sendmsg) from [<80300060>] (ret_fast_syscall+0x0/0x40) ... [ 39.620734] Code: bad PC value [ 39.625869] ---[ end trace 8aef983ad3cbc032 ]--- CVE-2023-54141 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54141.html CVE-2023-54141 https://bugzilla.suse.com/1256094 SUSE Bug 1256094 In the Linux kernel, the following vulnerability has been resolved: gtp: Fix use-after-free in __gtp_encap_destroy(). syzkaller reported use-after-free in __gtp_encap_destroy(). [0] It shows the same process freed sk and touched it illegally. Commit e198987e7dd7 ("gtp: fix suspicious RCU usage") added lock_sock() and release_sock() in __gtp_encap_destroy() to protect sk->sk_user_data, but release_sock() is called after sock_put() releases the last refcnt. [0]: BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:186 [inline] BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 Write of size 4 at addr ffff88800dbef398 by task syz-executor.2/2401 CPU: 1 PID: 2401 Comm: syz-executor.2 Not tainted 6.4.0-rc5-01219-gfa0e21fa4443 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:351 [inline] print_report+0xcc/0x620 mm/kasan/report.c:462 kasan_report+0xb2/0xe0 mm/kasan/report.c:572 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0x39/0x1c0 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline] queued_spin_lock include/asm-generic/qspinlock.h:111 [inline] do_raw_spin_lock include/linux/spinlock.h:186 [inline] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline] _raw_spin_lock_bh+0x75/0xe0 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:355 [inline] release_sock+0x1f/0x1a0 net/core/sock.c:3526 gtp_encap_disable_sock drivers/net/gtp.c:651 [inline] gtp_encap_disable+0xb9/0x220 drivers/net/gtp.c:664 gtp_dev_uninit+0x19/0x50 drivers/net/gtp.c:728 unregister_netdevice_many_notify+0x97e/0x1520 net/core/dev.c:10841 rtnl_delete_link net/core/rtnetlink.c:3216 [inline] rtnl_dellink+0x3c0/0xb30 net/core/rtnetlink.c:3268 rtnetlink_rcv_msg+0x450/0xb10 net/core/rtnetlink.c:6423 netlink_rcv_skb+0x15d/0x450 net/netlink/af_netlink.c:2548 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline] netlink_unicast+0x700/0x930 net/netlink/af_netlink.c:1365 netlink_sendmsg+0x91c/0xe30 net/netlink/af_netlink.c:1913 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0x1b7/0x200 net/socket.c:747 ____sys_sendmsg+0x75a/0x990 net/socket.c:2493 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2547 __sys_sendmsg+0xfe/0x1d0 net/socket.c:2576 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3f/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f1168b1fe5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007f1167edccc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007f1168b1fe5d RDX: 0000000000000000 RSI: 00000000200002c0 RDI: 0000000000000003 RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007f1168b80530 R15: 0000000000000000 </TASK> Allocated by task 1483: kasan_save_stack+0x22/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x ---truncated--- CVE-2023-54142 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54142.html CVE-2023-54142 https://bugzilla.suse.com/1256095 SUSE Bug 1256095 https://bugzilla.suse.com/1256097 SUSE Bug 1256097 In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: fix resource leaks in vdec_msg_queue_init() If we encounter any error in the vdec_msg_queue_init() then we need to set "msg_queue->wdma_addr.size = 0;". Normally, this is done inside the vdec_msg_queue_deinit() function. However, if the first call to allocate &msg_queue->wdma_addr fails, then the vdec_msg_queue_deinit() function is a no-op. For that situation, just set the size to zero explicitly and return. There were two other error paths which did not clean up before returning. Change those error paths to goto mem_alloc_err. CVE-2023-54143 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54143.html CVE-2023-54143 https://bugzilla.suse.com/1256096 SUSE Bug 1256096 In the Linux kernel, the following vulnerability has been resolved: bpf: drop unnecessary user-triggerable WARN_ONCE in verifierl log It's trivial for user to trigger "verifier log line truncated" warning, as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there are at least two pieces of user-provided information that can be output through this buffer, and both can be arbitrarily sized by user: - BTF names; - BTF.ext source code lines strings. Verifier log buffer should be properly sized for typical verifier state output. But it's sort-of expected that this buffer won't be long enough in some circumstances. So let's drop the check. In any case code will work correctly, at worst truncating a part of a single line output. CVE-2023-54145 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54145.html CVE-2023-54145 https://bugzilla.suse.com/1256090 SUSE Bug 1256090 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Move representor neigh cleanup to profile cleanup_tx For IP tunnel encapsulation in ECMP (Equal-Cost Multipath) mode, as the flow is duplicated to the peer eswitch, the related neighbour information on the peer uplink representor is created as well. In the cited commit, eswitch devcom unpair is moved to uplink unload API, specifically the profile->cleanup_tx. If there is a encap rule offloaded in ECMP mode, when one eswitch does unpair (because of unloading the driver, for instance), and the peer rule from the peer eswitch is going to be deleted, the use-after-free error is triggered while accessing neigh info, as it is already cleaned up in uplink's profile->disable, which is before its profile->cleanup_tx. To fix this issue, move the neigh cleanup to profile's cleanup_tx callback, and after mlx5e_cleanup_uplink_rep_tx is called. The neigh init is moved to init_tx for symmeter. [ 2453.376299] BUG: KASAN: slab-use-after-free in mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.379125] Read of size 4 at addr ffff888127af9008 by task modprobe/2496 [ 2453.381542] CPU: 7 PID: 2496 Comm: modprobe Tainted: G B 6.4.0-rc7+ #15 [ 2453.383386] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 2453.384335] Call Trace: [ 2453.384625] <TASK> [ 2453.384891] dump_stack_lvl+0x33/0x50 [ 2453.385285] print_report+0xc2/0x610 [ 2453.385667] ? __virt_addr_valid+0xb1/0x130 [ 2453.386091] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.386757] kasan_report+0xae/0xe0 [ 2453.387123] ? mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.387798] mlx5e_rep_neigh_entry_release+0x109/0x3a0 [mlx5_core] [ 2453.388465] mlx5e_rep_encap_entry_detach+0xa6/0xe0 [mlx5_core] [ 2453.389111] mlx5e_encap_dealloc+0xa7/0x100 [mlx5_core] [ 2453.389706] mlx5e_tc_tun_encap_dests_unset+0x61/0xb0 [mlx5_core] [ 2453.390361] mlx5_free_flow_attr_actions+0x11e/0x340 [mlx5_core] [ 2453.391015] ? complete_all+0x43/0xd0 [ 2453.391398] ? free_flow_post_acts+0x38/0x120 [mlx5_core] [ 2453.392004] mlx5e_tc_del_fdb_flow+0x4ae/0x690 [mlx5_core] [ 2453.392618] mlx5e_tc_del_fdb_peers_flow+0x308/0x370 [mlx5_core] [ 2453.393276] mlx5e_tc_clean_fdb_peer_flows+0xf5/0x140 [mlx5_core] [ 2453.393925] mlx5_esw_offloads_unpair+0x86/0x540 [mlx5_core] [ 2453.394546] ? mlx5_esw_offloads_set_ns_peer.isra.0+0x180/0x180 [mlx5_core] [ 2453.395268] ? down_write+0xaa/0x100 [ 2453.395652] mlx5_esw_offloads_devcom_event+0x203/0x530 [mlx5_core] [ 2453.396317] mlx5_devcom_send_event+0xbb/0x190 [mlx5_core] [ 2453.396917] mlx5_esw_offloads_devcom_cleanup+0xb0/0xd0 [mlx5_core] [ 2453.397582] mlx5e_tc_esw_cleanup+0x42/0x120 [mlx5_core] [ 2453.398182] mlx5e_rep_tc_cleanup+0x15/0x30 [mlx5_core] [ 2453.398768] mlx5e_cleanup_rep_tx+0x6c/0x80 [mlx5_core] [ 2453.399367] mlx5e_detach_netdev+0xee/0x120 [mlx5_core] [ 2453.399957] mlx5e_netdev_change_profile+0x84/0x170 [mlx5_core] [ 2453.400598] mlx5e_vport_rep_unload+0xe0/0xf0 [mlx5_core] [ 2453.403781] mlx5_eswitch_unregister_vport_reps+0x15e/0x190 [mlx5_core] [ 2453.404479] ? mlx5_eswitch_register_vport_reps+0x200/0x200 [mlx5_core] [ 2453.405170] ? up_write+0x39/0x60 [ 2453.405529] ? kernfs_remove_by_name_ns+0xb7/0xe0 [ 2453.405985] auxiliary_bus_remove+0x2e/0x40 [ 2453.406405] device_release_driver_internal+0x243/0x2d0 [ 2453.406900] ? kobject_put+0x42/0x2d0 [ 2453.407284] bus_remove_device+0x128/0x1d0 [ 2453.407687] device_del+0x240/0x550 [ 2453.408053] ? waiting_for_supplier_show+0xe0/0xe0 [ 2453.408511] ? kobject_put+0xfa/0x2d0 [ 2453.408889] ? __kmem_cache_free+0x14d/0x280 [ 2453.409310] mlx5_rescan_drivers_locked.part.0+0xcd/0x2b0 [mlx5_core] [ 2453.409973] mlx5_unregister_device+0x40/0x50 [mlx5_core] [ 2453.410561] mlx5_uninit_one+0x3d/0x110 [mlx5_core] [ 2453.411111] remove_one+0x89/0x130 [mlx5_core] [ 24 ---truncated--- CVE-2023-54148 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54148.html CVE-2023-54148 https://bugzilla.suse.com/1256084 SUSE Bug 1256084 In the Linux kernel, the following vulnerability has been resolved: net: dsa: avoid suspicious RCU usage for synced VLAN-aware MAC addresses When using the felix driver (the only one which supports UC filtering and MC filtering) as a DSA master for a random other DSA switch, one can see the following stack trace when the downstream switch ports join a VLAN-aware bridge: ============================= WARNING: suspicious RCU usage ----------------------------- net/8021q/vlan_core.c:238 suspicious rcu_dereference_protected() usage! stack backtrace: Workqueue: dsa_ordered dsa_slave_switchdev_event_work Call trace: lockdep_rcu_suspicious+0x170/0x210 vlan_for_each+0x8c/0x188 dsa_slave_sync_uc+0x128/0x178 __hw_addr_sync_dev+0x138/0x158 dsa_slave_set_rx_mode+0x58/0x70 __dev_set_rx_mode+0x88/0xa8 dev_uc_add+0x74/0xa0 dsa_port_bridge_host_fdb_add+0xec/0x180 dsa_slave_switchdev_event_work+0x7c/0x1c8 process_one_work+0x290/0x568 What it's saying is that vlan_for_each() expects rtnl_lock() context and it's not getting it, when it's called from the DSA master's ndo_set_rx_mode(). The caller of that - dsa_slave_set_rx_mode() - is the slave DSA interface's dsa_port_bridge_host_fdb_add() which comes from the deferred dsa_slave_switchdev_event_work(). We went to great lengths to avoid the rtnl_lock() context in that call path in commit 0faf890fc519 ("net: dsa: drop rtnl_lock from dsa_slave_switchdev_event_work"), and calling rtnl_lock() is simply not an option due to the possibility of deadlocking when calling dsa_flush_workqueue() from the call paths that do hold rtnl_lock() - basically all of them. So, when the DSA master calls vlan_for_each() from its ndo_set_rx_mode(), the state of the 8021q driver on this device is really not protected from concurrent access by anything. Looking at net/8021q/, I don't think that vlan_info->vid_list was particularly designed with RCU traversal in mind, so introducing an RCU read-side form of vlan_for_each() - vlan_for_each_rcu() - won't be so easy, and it also wouldn't be exactly what we need anyway. In general I believe that the solution isn't in net/8021q/ anyway; vlan_for_each() is not cut out for this task. DSA doesn't need rtnl_lock() to be held per se - since it's not a netdev state change that we're blocking, but rather, just concurrent additions/removals to a VLAN list. We don't even need sleepable context - the callback of vlan_for_each() just schedules deferred work. The proposed escape is to remove the dependency on vlan_for_each() and to open-code a non-sleepable, rtnl-free alternative to that, based on copies of the VLAN list modified from .ndo_vlan_rx_add_vid() and .ndo_vlan_rx_kill_vid(). CVE-2023-54149 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54149.html CVE-2023-54149 https://bugzilla.suse.com/1256085 SUSE Bug 1256085 In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pid 746, jiffies 4294871231 (age 11.540s) hex dump (first 32 bytes): 00 90 ef 82 f6 8c ff ff 00 00 00 00 41 01 00 00 ............A... c7 00 00 00 bd 00 00 00 0a 00 00 00 48 00 00 00 ............H... backtrace: [<00000000c561ef24>] __kmem_cache_alloc_node+0x4d4/0x880 [<00000000d4e621d7>] kmalloc_trace+0x39/0x140 [<00000000837eee74>] v2_read_file_info+0x18a/0x3a0 [<0000000088f6c877>] dquot_load_quota_sb+0x2ed/0x770 [<00000000340a4782>] dquot_load_quota_inode+0xc6/0x1c0 [<0000000089a18bd5>] ext4_enable_quotas+0x17e/0x3a0 [ext4] [<000000003a0268fa>] __ext4_fill_super+0x3448/0x3910 [ext4] [<00000000b0f2a8a8>] ext4_fill_super+0x13d/0x340 [ext4] [<000000004a9489c4>] get_tree_bdev+0x1dc/0x370 [<000000006e723bf1>] ext4_get_tree+0x1d/0x30 [ext4] [<00000000c7cb663d>] vfs_get_tree+0x31/0x160 [<00000000320e1bed>] do_new_mount+0x1d5/0x480 [<00000000c074654c>] path_mount+0x22e/0xbe0 [<0000000003e97a8e>] do_mount+0x95/0xc0 [<000000002f3d3736>] __x64_sys_mount+0xc4/0x160 [<0000000027d2140c>] do_syscall_64+0x3f/0x90 ================================================================ To solve this problem, we add a "failed_mount10" tag, and call ext4_quota_off_umount() in this tag to release the enabled qoutas. CVE-2023-54153 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54153.html CVE-2023-54153 https://bugzilla.suse.com/1256081 SUSE Bug 1256081 In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... backtrace: [<00000000e58a6252>] kmalloc_trace+0x11/0x20 [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] [<000000006a80e021>] configfs_write_iter+0xb1/0x120 [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 [<000000008143433b>] ksys_write+0x80/0xb0 [<00000000a7df29b2>] do_syscall_64+0x42/0x90 [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Free the structure alongside the corresponding iscsit_conn / se_sess parent. CVE-2023-54154 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54154.html CVE-2023-54154 https://bugzilla.suse.com/1256082 SUSE Bug 1256082 In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace: <TASK> bpf_prog_4add87e5301a4105+0x1a/0x1c __bpf_prog_run include/linux/filter.h:600 [inline] bpf_prog_run_xdp include/linux/filter.h:775 [inline] bpf_prog_run_generic_xdp+0x57e/0x11e0 net/core/dev.c:4721 netif_receive_generic_xdp net/core/dev.c:4807 [inline] do_xdp_generic+0x35c/0x770 net/core/dev.c:4866 tun_get_user+0x2340/0x3ca0 drivers/net/tun.c:1919 tun_chr_write_iter+0xe8/0x210 drivers/net/tun.c:2043 call_write_iter include/linux/fs.h:1871 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x650/0xe40 fs/read_write.c:584 ksys_write+0x12f/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd xdp->frame_sz > PAGE_SIZE check was introduced in commit c8741e2bfe87 ("xdp: Allow bpf_xdp_adjust_tail() to grow packet size"). But Jesper Dangaard Brouer <jbrouer@redhat.com> noted that after introducing the xdp_init_buff() which all XDP driver use - it's safe to remove this check. The original intend was to catch cases where XDP drivers have not been updated to use xdp.frame_sz, but that is not longer a concern (since xdp_init_buff). Running the initial syzkaller repro it was discovered that the contiguous physical memory allocation is used for both xdp paths in tun_get_user(), e.g. tun_build_skb() and tun_alloc_skb(). It was also stated by Jesper Dangaard Brouer <jbrouer@redhat.com> that XDP can work on higher order pages, as long as this is contiguous physical memory (e.g. a page). CVE-2023-54155 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54155.html CVE-2023-54155 https://bugzilla.suse.com/1256083 SUSE Bug 1256083 In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_update_stats_pf efx_net_stats dev_get_stats dev_seq_printf_stats Skipping the read is safe, we will simply give out stale stats. To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats). CVE-2023-54156 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54156.html CVE-2023-54156 https://bugzilla.suse.com/1255704 SUSE Bug 1255704 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: fix iso_conn related locking and validity issues sk->sk_state indicates whether iso_pi(sk)->conn is valid. Operations that check/update sk_state and access conn should hold lock_sock, otherwise they can race. The order of taking locks is hci_dev_lock > lock_sock > iso_conn_lock, which is how it is in connect/disconnect_cfm -> iso_conn_del -> iso_chan_del. Fix locking in iso_connect_cis/bis and sendmsg/recvmsg to take lock_sock around updating sk_state and conn. iso_conn_del must not occur during iso_connect_cis/bis, as it frees the iso_conn. Hold hdev->lock longer to prevent that. This should not reintroduce the issue fixed in commit 241f51931c35 ("Bluetooth: ISO: Avoid circular locking dependency"), since the we acquire locks in order. We retain the fix in iso_sock_connect to release lock_sock before iso_connect_* acquires hdev->lock. Similarly for commit 6a5ad251b7cd ("Bluetooth: ISO: Fix possible circular locking dependency"). We retain the fix in iso_conn_ready to not acquire iso_conn_lock before lock_sock. iso_conn_add shall return iso_conn with valid hcon. Make it so also when reusing an old CIS connection waiting for disconnect timeout (see __iso_sock_close where conn->hcon is set to NULL). Trace with iso_conn_del after iso_chan_add in iso_connect_cis: =============================================================== iso_sock_create:771: sock 00000000be9b69b7 iso_sock_init:693: sk 000000004dff667e iso_sock_bind:827: sk 000000004dff667e 70:1a:b8:98:ff:a2 type 1 iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_setsockopt:1289: sk 000000004dff667e iso_sock_connect:875: sk 000000004dff667e iso_connect_cis:353: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_get_route:1199: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da hci_conn_add:1005: hci0 dst 28:3d:c2:4a:7e:da iso_conn_add:140: hcon 000000007b65d182 conn 00000000daf8625e __iso_chan_add:214: conn 00000000daf8625e iso_connect_cfm:1700: hcon 000000007b65d182 bdaddr 28:3d:c2:4a:7e:da status 12 iso_conn_del:187: hcon 000000007b65d182 conn 00000000daf8625e, err 16 iso_sock_clear_timer:117: sock 000000004dff667e state 3 <Note: sk_state is BT_BOUND (3), so iso_connect_cis is still running at this point> iso_chan_del:153: sk 000000004dff667e, conn 00000000daf8625e, err 16 hci_conn_del:1151: hci0 hcon 000000007b65d182 handle 65535 hci_conn_unlink:1102: hci0: hcon 000000007b65d182 hci_chan_list_flush:2780: hcon 000000007b65d182 iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getsockopt:1376: sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_getname:1070: sock 00000000be9b69b7, sk 000000004dff667e iso_sock_shutdown:1434: sock 00000000be9b69b7, sk 000000004dff667e, how 1 __iso_sock_close:632: sk 000000004dff667e state 5 socket 00000000be9b69b7 <Note: sk_state is BT_CONNECT (5), even though iso_chan_del sets BT_CLOSED (6). Only iso_connect_cis sets it to BT_CONNECT, so it must be that iso_chan_del occurred between iso_chan_add and end of iso_connect_cis.> BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 8000000006467067 P4D 8000000006467067 PUD 3f5f067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014 RIP: 0010:__iso_sock_close (net/bluetooth/iso.c:664) bluetooth =============================================================== Trace with iso_conn_del before iso_chan_add in iso_connect_cis: =============================================================== iso_connect_cis:356: 70:1a:b8:98:ff:a2 -> 28:3d:c2:4a:7e:da ... iso_conn_add:140: hcon 0000000093bc551f conn 00000000768ae504 hci_dev_put:1487: hci0 orig refcnt 21 hci_event_packet:7607: hci0: e ---truncated--- CVE-2023-54164 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54164.html CVE-2023-54164 https://bugzilla.suse.com/1256071 SUSE Bug 1256071 In the Linux kernel, the following vulnerability has been resolved: igc: Fix Kernel Panic during ndo_tx_timeout callback The Xeon validation group has been carrying out some loaded tests with various HW configurations, and they have seen some transmit queue time out happening during the test. This will cause the reset adapter function to be called by igc_tx_timeout(). Similar race conditions may arise when the interface is being brought down and up in igc_reinit_locked(), an interrupt being generated, and igc_clean_tx_irq() being called to complete the TX. When the igc_tx_timeout() function is invoked, this patch will turn off all TX ring HW queues during igc_down() process. TX ring HW queues will be activated again during the igc_configure_tx_ring() process when performing the igc_up() procedure later. This patch also moved existing igc_disable_tx_ring_hw() to avoid using forward declaration. Kernel trace: [ 7678.747813] ------------[ cut here ]------------ [ 7678.757914] NETDEV WATCHDOG: enp1s0 (igc): transmit queue 2 timed out [ 7678.770117] WARNING: CPU: 0 PID: 13 at net/sched/sch_generic.c:525 dev_watchdog+0x1ae/0x1f0 [ 7678.784459] Modules linked in: xt_conntrack nft_chain_nat xt_MASQUERADE xt_addrtype nft_compat nf_tables nfnetlink br_netfilter bridge stp llc overlay dm_mod emrcha(PO) emriio(PO) rktpm(PO) cegbuf_mod(PO) patch_update(PO) se(PO) sgx_tgts(PO) mktme(PO) keylocker(PO) svtdx(PO) svfs_pci_hotplug(PO) vtd_mod(PO) davemem(PO) svmabort(PO) svindexio(PO) usbx2(PO) ehci_sched(PO) svheartbeat(PO) ioapic(PO) sv8259(PO) svintr(PO) lt(PO) pcierootport(PO) enginefw_mod(PO) ata(PO) smbus(PO) spiflash_cdf(PO) arden(PO) dsa_iax(PO) oobmsm_punit(PO) cpm(PO) svkdb(PO) ebg_pch(PO) pch(PO) sviotargets(PO) svbdf(PO) svmem(PO) svbios(PO) dram(PO) svtsc(PO) targets(PO) superio(PO) svkernel(PO) cswitch(PO) mcf(PO) pentiumIII_mod(PO) fs_svfs(PO) mdevdefdb(PO) svfs_os_services(O) ixgbe mdio mdio_devres libphy emeraldrapids_svdefs(PO) regsupport(O) libnvdimm nls_cp437 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hwdep x86_pkg_temp_thermal snd_hda_core snd_pcm snd_timer isst_if_mbox_pci [ 7678.784496] input_leds isst_if_mmio sg snd isst_if_common soundcore wmi button sad9(O) drm fuse backlight configfs efivarfs ip_tables x_tables vmd sdhci led_class rtl8150 r8152 hid_generic pegasus mmc_block usbhid mmc_core hid megaraid_sas ixgb igb i2c_algo_bit ice i40e hpsa scsi_transport_sas e1000e e1000 e100 ax88179_178a usbnet xhci_pci sd_mod xhci_hcd t10_pi crc32c_intel crc64_rocksoft igc crc64 crc_t10dif usbcore crct10dif_generic ptp crct10dif_common usb_common pps_core [ 7679.200403] RIP: 0010:dev_watchdog+0x1ae/0x1f0 [ 7679.210201] Code: 28 e9 53 ff ff ff 4c 89 e7 c6 05 06 42 b9 00 01 e8 17 d1 fb ff 44 89 e9 4c 89 e6 48 c7 c7 40 ad fb 81 48 89 c2 e8 52 62 82 ff <0f> 0b e9 72 ff ff ff 65 8b 05 80 7d 7c 7e 89 c0 48 0f a3 05 0a c1 [ 7679.245438] RSP: 0018:ffa00000001f7d90 EFLAGS: 00010282 [ 7679.256021] RAX: 0000000000000000 RBX: ff11000109938440 RCX: 0000000000000000 [ 7679.268710] RDX: ff11000361e26cd8 RSI: ff11000361e1b880 RDI: ff11000361e1b880 [ 7679.281314] RBP: ffa00000001f7da8 R08: ff1100035f8fffe8 R09: 0000000000027ffb [ 7679.293840] R10: 0000000000001f0a R11: ff1100035f840000 R12: ff11000109938000 [ 7679.306276] R13: 0000000000000002 R14: dead000000000122 R15: ffa00000001f7e18 [ 7679.318648] FS: 0000000000000000(0000) GS:ff11000361e00000(0000) knlGS:0000000000000000 [ 7679.332064] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 7679.342757] CR2: 00007ffff7fca168 CR3: 000000013b08a006 CR4: 0000000000471ef8 [ 7679.354984] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 7679.367207] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 7679.379370] PKRU: 55555554 [ 7679.386446] Call Trace: [ 7679.393152] <TASK> [ 7679.399363] ? __pfx_dev_watchdog+0x10/0x10 [ 7679.407870] call_timer_fn+0x31/0x110 [ 7679.415698] e ---truncated--- CVE-2023-54166 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54166.html CVE-2023-54166 https://bugzilla.suse.com/1256074 SUSE Bug 1256074 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix memory leak in mlx5e_ptp_open When kvzalloc_node or kvzalloc failed in mlx5e_ptp_open, the memory pointed by "c" or "cparams" is not freed, which can lead to a memory leak. Fix by freeing the array in the error path. CVE-2023-54169 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54169.html CVE-2023-54169 https://bugzilla.suse.com/1256050 SUSE Bug 1256050 In the Linux kernel, the following vulnerability has been resolved: keys: Fix linking a duplicate key to a keyring's assoc_array When making a DNS query inside the kernel using dns_query(), the request code can in rare cases end up creating a duplicate index key in the assoc_array of the destination keyring. It is eventually found by a BUG_ON() check in the assoc_array implementation and results in a crash. Example report: [2158499.700025] kernel BUG at ../lib/assoc_array.c:652! [2158499.700039] invalid opcode: 0000 [#1] SMP PTI [2158499.700065] CPU: 3 PID: 31985 Comm: kworker/3:1 Kdump: loaded Not tainted 5.3.18-150300.59.90-default #1 SLE15-SP3 [2158499.700096] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [2158499.700351] Workqueue: cifsiod cifs_resolve_server [cifs] [2158499.700380] RIP: 0010:assoc_array_insert+0x85f/0xa40 [2158499.700401] Code: ff 74 2b 48 8b 3b 49 8b 45 18 4c 89 e6 48 83 e7 fe e8 95 ec 74 00 3b 45 88 7d db 85 c0 79 d4 0f 0b 0f 0b 0f 0b e8 41 f2 be ff <0f> 0b 0f 0b 81 7d 88 ff ff ff 7f 4c 89 eb 4c 8b ad 58 ff ff ff 0f [2158499.700448] RSP: 0018:ffffc0bd6187faf0 EFLAGS: 00010282 [2158499.700470] RAX: ffff9f1ea7da2fe8 RBX: ffff9f1ea7da2fc1 RCX: 0000000000000005 [2158499.700492] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [2158499.700515] RBP: ffffc0bd6187fbb0 R08: ffff9f185faf1100 R09: 0000000000000000 [2158499.700538] R10: ffff9f1ea7da2cc0 R11: 000000005ed8cec8 R12: ffffc0bd6187fc28 [2158499.700561] R13: ffff9f15feb8d000 R14: ffff9f1ea7da2fc0 R15: ffff9f168dc0d740 [2158499.700585] FS: 0000000000000000(0000) GS:ffff9f185fac0000(0000) knlGS:0000000000000000 [2158499.700610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [2158499.700630] CR2: 00007fdd94fca238 CR3: 0000000809d8c006 CR4: 00000000003706e0 [2158499.700702] Call Trace: [2158499.700741] ? key_alloc+0x447/0x4b0 [2158499.700768] ? __key_link_begin+0x43/0xa0 [2158499.700790] __key_link_begin+0x43/0xa0 [2158499.700814] request_key_and_link+0x2c7/0x730 [2158499.700847] ? dns_resolver_read+0x20/0x20 [dns_resolver] [2158499.700873] ? key_default_cmp+0x20/0x20 [2158499.700898] request_key_tag+0x43/0xa0 [2158499.700926] dns_query+0x114/0x2ca [dns_resolver] [2158499.701127] dns_resolve_server_name_to_ip+0x194/0x310 [cifs] [2158499.701164] ? scnprintf+0x49/0x90 [2158499.701190] ? __switch_to_asm+0x40/0x70 [2158499.701211] ? __switch_to_asm+0x34/0x70 [2158499.701405] reconn_set_ipaddr_from_hostname+0x81/0x2a0 [cifs] [2158499.701603] cifs_resolve_server+0x4b/0xd0 [cifs] [2158499.701632] process_one_work+0x1f8/0x3e0 [2158499.701658] worker_thread+0x2d/0x3f0 [2158499.701682] ? process_one_work+0x3e0/0x3e0 [2158499.701703] kthread+0x10d/0x130 [2158499.701723] ? kthread_park+0xb0/0xb0 [2158499.701746] ret_from_fork+0x1f/0x40 The situation occurs as follows: * Some kernel facility invokes dns_query() to resolve a hostname, for example, "abcdef". The function registers its global DNS resolver cache as current->cred.thread_keyring and passes the query to request_key_net() -> request_key_tag() -> request_key_and_link(). * Function request_key_and_link() creates a keyring_search_context object. Its match_data.cmp method gets set via a call to type->match_preparse() (resolves to dns_resolver_match_preparse()) to dns_resolver_cmp(). * Function request_key_and_link() continues and invokes search_process_keyrings_rcu() which returns that a given key was not found. The control is then passed to request_key_and_link() -> construct_alloc_key(). * Concurrently to that, a second task similarly makes a DNS query for "abcdef." and its result gets inserted into the DNS resolver cache. * Back on the first task, function construct_alloc_key() first runs __key_link_begin() to determine an assoc_array_edit operation to insert a new key. Index keys in the array are compared exactly as-is, using keyring_compare_object(). The operation ---truncated--- CVE-2023-54170 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54170.html CVE-2023-54170 https://bugzilla.suse.com/1256045 SUSE Bug 1256045 In the Linux kernel, the following vulnerability has been resolved: tracing: Fix memory leak of iter->temp when reading trace_pipe kmemleak reports: unreferenced object 0xffff88814d14e200 (size 256): comm "cat", pid 336, jiffies 4294871818 (age 779.490s) hex dump (first 32 bytes): 04 00 01 03 00 00 00 00 08 00 00 00 00 00 00 00 ................ 0c d8 c8 9b ff ff ff ff 04 5a ca 9b ff ff ff ff .........Z...... backtrace: [<ffffffff9bdff18f>] __kmalloc+0x4f/0x140 [<ffffffff9bc9238b>] trace_find_next_entry+0xbb/0x1d0 [<ffffffff9bc9caef>] trace_print_lat_context+0xaf/0x4e0 [<ffffffff9bc94490>] print_trace_line+0x3e0/0x950 [<ffffffff9bc95499>] tracing_read_pipe+0x2d9/0x5a0 [<ffffffff9bf03a43>] vfs_read+0x143/0x520 [<ffffffff9bf04c2d>] ksys_read+0xbd/0x160 [<ffffffff9d0f0edf>] do_syscall_64+0x3f/0x90 [<ffffffff9d2000aa>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 when reading file 'trace_pipe', 'iter->temp' is allocated or relocated in trace_find_next_entry() but not freed before 'trace_pipe' is closed. To fix it, free 'iter->temp' in tracing_release_pipe(). CVE-2023-54171 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54171.html CVE-2023-54171 https://bugzilla.suse.com/1256034 SUSE Bug 1256034 In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics. A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT. If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM. CVE-2023-54172 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54172.html CVE-2023-54172 https://bugzilla.suse.com/1256033 SUSE Bug 1256033 In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_event_output We received report [1] of kernel crash, which is caused by using nesting protection without disabled preemption. The bpf_event_output can be called by programs executed by bpf_prog_run_array_cg function that disabled migration but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: BUG: kernel NULL pointer dereference, address: 0000000000000001 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page ... ? perf_output_sample+0x12a/0x9a0 ? finish_task_switch.isra.0+0x81/0x280 ? perf_event_output+0x66/0xa0 ? bpf_event_output+0x13a/0x190 ? bpf_event_output_data+0x22/0x40 ? bpf_prog_dfc84bbde731b257_cil_sock4_connect+0x40a/0xacb ? xa_load+0x87/0xe0 ? __cgroup_bpf_run_filter_sock_addr+0xc1/0x1a0 ? release_sock+0x3e/0x90 ? sk_setsockopt+0x1a1/0x12f0 ? udp_pre_connect+0x36/0x50 ? inet_dgram_connect+0x93/0xa0 ? __sys_connect+0xb4/0xe0 ? udp_setsockopt+0x27/0x40 ? __pfx_udp_push_pending_frames+0x10/0x10 ? __sys_setsockopt+0xdf/0x1a0 ? __x64_sys_connect+0xf/0x20 ? do_syscall_64+0x3a/0x90 ? entry_SYSCALL_64_after_hwframe+0x72/0xdc Fixing this by disabling preemption in bpf_event_output. [1] https://github.com/cilium/cilium/issues/26756 CVE-2023-54173 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54173.html CVE-2023-54173 https://bugzilla.suse.com/1255996 SUSE Bug 1255996 In the Linux kernel, the following vulnerability has been resolved: quota: fix warning in dqgrab() There's issue as follows when do fault injection: WARNING: CPU: 1 PID: 14870 at include/linux/quotaops.h:51 dquot_disable+0x13b7/0x18c0 Modules linked in: CPU: 1 PID: 14870 Comm: fsconfig Not tainted 6.3.0-next-20230505-00006-g5107a9c821af-dirty #541 RIP: 0010:dquot_disable+0x13b7/0x18c0 RSP: 0018:ffffc9000acc79e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88825e41b980 RDX: 0000000000000000 RSI: ffff88825e41b980 RDI: 0000000000000002 RBP: ffff888179f68000 R08: ffffffff82087ca7 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed102f3ed026 R12: ffff888179f68130 R13: ffff888179f68110 R14: dffffc0000000000 R15: ffff888179f68118 FS: 00007f450a073740(0000) GS:ffff88882fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe96f2efd8 CR3: 000000025c8ad000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> dquot_load_quota_sb+0xd53/0x1060 dquot_resume+0x172/0x230 ext4_reconfigure+0x1dc6/0x27b0 reconfigure_super+0x515/0xa90 __x64_sys_fsconfig+0xb19/0xd20 do_syscall_64+0x39/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Above issue may happens as follows: ProcessA ProcessB ProcessC sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_suspend -> suspend all type quota sys_fsconfig vfs_fsconfig_locked reconfigure_super ext4_remount dquot_resume ret = dquot_load_quota_sb add_dquot_ref do_open -> open file O_RDWR vfs_open do_dentry_open get_write_access atomic_inc_unless_negative(&inode->i_writecount) ext4_file_open dquot_file_open dquot_initialize __dquot_initialize dqget atomic_inc(&dquot->dq_count); __dquot_initialize __dquot_initialize dqget if (!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) ext4_acquire_dquot -> Return error DQ_ACTIVE_B flag isn't set dquot_disable invalidate_dquots if (atomic_read(&dquot->dq_count)) dqgrab WARN_ON_ONCE(!test_bit(DQ_ACTIVE_B, &dquot->dq_flags)) -> Trigger warning In the above scenario, 'dquot->dq_flags' has no DQ_ACTIVE_B is normal when dqgrab(). To solve above issue just replace the dqgrab() use in invalidate_dquots() with atomic_inc(&dquot->dq_count). CVE-2023-54177 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54177.html CVE-2023-54177 https://bugzilla.suse.com/1255993 SUSE Bug 1255993 In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() when kmalloc() fail to allocate memory in kasprintf(), name or full_name will be NULL, strcmp() will cause null pointer dereference. CVE-2023-54178 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54178.html CVE-2023-54178 https://bugzilla.suse.com/1255992 SUSE Bug 1255992 In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Array index may go out of bound Klocwork reports array 'vha->host_str' of size 16 may use index value(s) 16..19. Use snprintf() instead of sprintf(). CVE-2023-54179 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54179.html CVE-2023-54179 https://bugzilla.suse.com/1255994 SUSE Bug 1255994 In the Linux kernel, the following vulnerability has been resolved: bpf: Fix issue in verifying allow_ptr_leaks After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ CVE-2023-54181 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54181.html CVE-2023-54181 https://bugzilla.suse.com/1255988 SUSE Bug 1255988 In the Linux kernel, the following vulnerability has been resolved: media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() If fwnode_graph_get_remote_endpoint() fails, 'fwnode' is known to be NULL, so fwnode_handle_put() is a no-op. Release the reference taken from a previous fwnode_graph_get_port_parent() call instead. Also handle fwnode_graph_get_port_parent() failures. In order to fix these issues, add an error handling path to the function and the needed gotos. CVE-2023-54183 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54183.html CVE-2023-54183 https://bugzilla.suse.com/1255990 SUSE Bug 1255990 In the Linux kernel, the following vulnerability has been resolved: btrfs: remove BUG_ON()'s in add_new_free_space() At add_new_free_space() we have these BUG_ON()'s that are there to deal with any failure to add free space to the in memory free space cache. Such failures are mostly -ENOMEM that should be very rare. However there's no need to have these BUG_ON()'s, we can just return any error to the caller and all callers and their upper call chain are already dealing with errors. So just make add_new_free_space() return any errors, while removing the BUG_ON()'s, and returning the total amount of added free space to an optional u64 pointer argument. CVE-2023-54185 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54185.html CVE-2023-54185 https://bugzilla.suse.com/1255984 SUSE Bug 1255984 In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Add check for kstrdup Add check for the return value of kstrdup() and return the error if it fails in order to avoid NULL pointer dereference. CVE-2023-54189 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54189.html CVE-2023-54189 https://bugzilla.suse.com/1255978 SUSE Bug 1255978 In the Linux kernel, the following vulnerability has been resolved: exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree The call stack shown below is a scenario in the Linux 4.19 kernel. Allocating memory failed where exfat fs use kmalloc_array due to system memory fragmentation, while the u-disk was inserted without recognition. Devices such as u-disk using the exfat file system are pluggable and may be insert into the system at any time. However, long-term running systems cannot guarantee the continuity of physical memory. Therefore, it's necessary to address this issue. Binder:2632_6: page allocation failure: order:4, mode:0x6040c0(GFP_KERNEL|__GFP_COMP), nodemask=(null) Call trace: [242178.097582] dump_backtrace+0x0/0x4 [242178.097589] dump_stack+0xf4/0x134 [242178.097598] warn_alloc+0xd8/0x144 [242178.097603] __alloc_pages_nodemask+0x1364/0x1384 [242178.097608] kmalloc_order+0x2c/0x510 [242178.097612] kmalloc_order_trace+0x40/0x16c [242178.097618] __kmalloc+0x360/0x408 [242178.097624] load_alloc_bitmap+0x160/0x284 [242178.097628] exfat_fill_super+0xa3c/0xe7c [242178.097635] mount_bdev+0x2e8/0x3a0 [242178.097638] exfat_fs_mount+0x40/0x50 [242178.097643] mount_fs+0x138/0x2e8 [242178.097649] vfs_kern_mount+0x90/0x270 [242178.097655] do_mount+0x798/0x173c [242178.097659] ksys_mount+0x114/0x1ac [242178.097665] __arm64_sys_mount+0x24/0x34 [242178.097671] el0_svc_common+0xb8/0x1b8 [242178.097676] el0_svc_handler+0x74/0x90 [242178.097681] el0_svc+0x8/0x340 By analyzing the exfat code,we found that continuous physical memory is not required here,so kvmalloc_array is used can solve this problem. CVE-2023-54194 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54194.html CVE-2023-54194 https://bugzilla.suse.com/1255974 SUSE Bug 1255974 In the Linux kernel, the following vulnerability has been resolved: RDMA/efa: Fix wrong resources deallocation order When trying to destroy QP or CQ, we first decrease the refcount and potentially free memory regions allocated for the object and then request the device to destroy the object. If the device fails, the object isn't fully destroyed so the user/IB core can try to destroy the object again which will lead to underflow when trying to decrease an already zeroed refcount. Deallocate resources in reverse order of allocating them to safely free them. CVE-2023-54201 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54201.html CVE-2023-54201 https://bugzilla.suse.com/1255964 SUSE Bug 1255964 In the Linux kernel, the following vulnerability has been resolved: mmc: sunplus: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, 1. the memory allocated in mmc_alloc_host() will be leaked 2. null-ptr-deref will happen when calling mmc_remove_host() in remove function spmmc_drv_remove() because deleting not added device. Fix this by checking the return value of mmc_add_host(). Moreover, I fixed the error handling path of spmmc_drv_probe() to clean up. CVE-2023-54204 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54204.html CVE-2023-54204 https://bugzilla.suse.com/1255967 SUSE Bug 1255967 In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Correct devm device reference for hidinput input_dev name Reference the HID device rather than the input device for the devm allocation of the input_dev name. Referencing the input_dev would lead to a use-after-free when the input_dev was unregistered and subsequently fires a uevent that depends on the name. At the point of firing the uevent, the name would be freed by devres management. Use devm_kasprintf to simplify the logic for allocating memory and formatting the input_dev name string. CVE-2023-54207 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54207.html CVE-2023-54207 https://bugzilla.suse.com/1255961 SUSE Bug 1255961 In the Linux kernel, the following vulnerability has been resolved: block: fix blktrace debugfs entries leakage Commit 99d055b4fd4b ("block: remove per-disk debugfs files in blk_unregister_queue") moves blk_trace_shutdown() from blk_release_queue() to blk_unregister_queue(), this is safe if blktrace is created through sysfs, however, there is a regression in corner case. blktrace can still be enabled after del_gendisk() through ioctl if the disk is opened before del_gendisk(), and if blktrace is not shutdown through ioctl before closing the disk, debugfs entries will be leaked. Fix this problem by shutdown blktrace in disk_release(), this is safe because blk_trace_remove() is reentrant. CVE-2023-54209 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54209.html CVE-2023-54209 https://bugzilla.suse.com/1255963 SUSE Bug 1255963 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() KASAN reports that there's a use-after-free in hci_remove_adv_monitor(). Trawling through the disassembly, you can see that the complaint is from the access in bt_dev_dbg() under the HCI_ADV_MONITOR_EXT_MSFT case. The problem case happens because msft_remove_monitor() can end up freeing the monitor structure. Specifically: hci_remove_adv_monitor() -> msft_remove_monitor() -> msft_remove_monitor_sync() -> msft_le_cancel_monitor_advertisement_cb() -> hci_free_adv_monitor() Let's fix the problem by just stashing the relevant data when it's still valid. CVE-2023-54210 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54210.html CVE-2023-54210 https://bugzilla.suse.com/1255955 SUSE Bug 1255955 https://bugzilla.suse.com/1255956 SUSE Bug 1255956 In the Linux kernel, the following vulnerability has been resolved: tracing: Fix warning in trace_buffered_event_disable() Warning happened in trace_buffered_event_disable() at WARN_ON_ONCE(!trace_buffered_event_ref) Call Trace: ? __warn+0xa5/0x1b0 ? trace_buffered_event_disable+0x189/0x1b0 __ftrace_event_enable_disable+0x19e/0x3e0 free_probe_data+0x3b/0xa0 unregister_ftrace_function_probe_func+0x6b8/0x800 event_enable_func+0x2f0/0x3d0 ftrace_process_regex.isra.0+0x12d/0x1b0 ftrace_filter_write+0xe6/0x140 vfs_write+0x1c9/0x6f0 [...] The cause of the warning is in __ftrace_event_enable_disable(), trace_buffered_event_enable() was called once while trace_buffered_event_disable() was called twice. Reproduction script show as below, for analysis, see the comments: ``` #!/bin/bash cd /sys/kernel/tracing/ # 1. Register a 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was set; # 2) trace_buffered_event_enable() was called first time; echo 'cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter # 2. Enable the event registered, then: # 1) SOFT_DISABLED_BIT was cleared; # 2) trace_buffered_event_disable() was called first time; echo 1 > events/initcall/initcall_finish/enable # 3. Try to call into cmdline_proc_show(), then SOFT_DISABLED_BIT was # set again!!! cat /proc/cmdline # 4. Unregister the 'disable_event' command, then: # 1) SOFT_DISABLED_BIT was cleared again; # 2) trace_buffered_event_disable() was called second time!!! echo '!cmdline_proc_show:disable_event:initcall:initcall_finish' > \ set_ftrace_filter ``` To fix it, IIUC, we can change to call trace_buffered_event_enable() at fist time soft-mode enabled, and call trace_buffered_event_disable() at last time soft-mode disabled. CVE-2023-54211 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54211.html CVE-2023-54211 https://bugzilla.suse.com/1255843 SUSE Bug 1255843 In the Linux kernel, the following vulnerability has been resolved: virtio-vdpa: Fix cpumask memory leak in virtio_vdpa_find_vqs() Free the cpumask allocated by create_affinity_masks() before returning from the function. CVE-2023-54215 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54215.html CVE-2023-54215 https://bugzilla.suse.com/1255957 SUSE Bug 1255957 In the Linux kernel, the following vulnerability has been resolved: Revert "IB/isert: Fix incorrect release of isert connection" Commit: 699826f4e30a ("IB/isert: Fix incorrect release of isert connection") is causing problems on OPA when DEVICE_REMOVAL is happening. ------------[ cut here ]------------ WARNING: CPU: 52 PID: 2117247 at drivers/infiniband/core/cq.c:359 ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Modules linked in: nfsd nfs_acl target_core_user uio tcm_fc libfc scsi_transport_fc tcm_loop target_core_pscsi target_core_iblock target_core_file rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill rpcrdma rdma_ucm ib_srpt sunrpc ib_isert iscsi_target_mod target_core_mod opa_vnic ib_iser libiscsi ib_umad scsi_transport_iscsi rdma_cm ib_ipoib iw_cm ib_cm hfi1(-) rdmavt ib_uverbs intel_rapl_msr intel_rapl_common sb_edac ib_core x86_pkg_temp_thermal intel_powerclamp coretemp i2c_i801 mxm_wmi rapl iTCO_wdt ipmi_si iTCO_vendor_support mei_me ipmi_devintf mei intel_cstate ioatdma intel_uncore i2c_smbus joydev pcspkr lpc_ich ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sr_mod sd_mod cdrom t10_pi sg crct10dif_pclmul crc32_pclmul crc32c_intel drm_kms_helper drm_shmem_helper ahci libahci ghash_clmulni_intel igb drm libata dca i2c_algo_bit wmi fuse CPU: 52 PID: 2117247 Comm: modprobe Not tainted 6.5.0-rc1+ #1 Hardware name: Intel Corporation S2600CWR/S2600CW, BIOS SE5C610.86B.01.01.0014.121820151719 12/18/2015 RIP: 0010:ib_cq_pool_cleanup+0xac/0xb0 [ib_core] Code: ff 48 8b 43 40 48 8d 7b 40 48 83 e8 40 4c 39 e7 75 b3 49 83 c4 10 4d 39 fc 75 94 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <0f> 0b eb a1 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f RSP: 0018:ffffc10bea13fc80 EFLAGS: 00010206 RAX: 000000000000010c RBX: ffff9bf5c7e66c00 RCX: 000000008020001d RDX: 000000008020001e RSI: fffff175221f9900 RDI: ffff9bf5c7e67640 RBP: ffff9bf5c7e67600 R08: ffff9bf5c7e64400 R09: 000000008020001d R10: 0000000040000000 R11: 0000000000000000 R12: ffff9bee4b1e8a18 R13: dead000000000122 R14: dead000000000100 R15: ffff9bee4b1e8a38 FS: 00007ff1e6d38740(0000) GS:ffff9bfd9fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005652044ecc68 CR3: 0000000889b5c005 CR4: 00000000001706e0 Call Trace: <TASK> ? __warn+0x80/0x130 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] ? report_bug+0x195/0x1a0 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? ib_cq_pool_cleanup+0xac/0xb0 [ib_core] disable_device+0x9d/0x160 [ib_core] __ib_unregister_device+0x42/0xb0 [ib_core] ib_unregister_device+0x22/0x30 [ib_core] rvt_unregister_device+0x20/0x90 [rdmavt] hfi1_unregister_ib_device+0x16/0xf0 [hfi1] remove_one+0x55/0x1a0 [hfi1] pci_device_remove+0x36/0xa0 device_release_driver_internal+0x193/0x200 driver_detach+0x44/0x90 bus_remove_driver+0x69/0xf0 pci_unregister_driver+0x2a/0xb0 hfi1_mod_cleanup+0xc/0x3c [hfi1] __do_sys_delete_module.constprop.0+0x17a/0x2f0 ? exit_to_user_mode_prepare+0xc4/0xd0 ? syscall_trace_enter.constprop.0+0x126/0x1a0 do_syscall_64+0x5c/0x90 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? syscall_exit_work+0x103/0x130 ? syscall_exit_to_user_mode+0x12/0x30 ? do_syscall_64+0x69/0x90 ? exc_page_fault+0x65/0x150 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7ff1e643f5ab Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffec9103cc8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 00005615267fdc50 RCX: 00007ff1e643f5ab RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00005615267fdcb8 RBP: 00005615267fdc50 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ff1e659eac0 R11: 0000000000000206 R12: 00005615267fdcb8 R13: 00000000000 ---truncated--- CVE-2023-54219 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54219.html CVE-2023-54219 https://bugzilla.suse.com/1256231 SUSE Bug 1256231 In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix oops for port->pm on uart_change_pm() Unloading a hardware specific 8250 driver can produce error "Unable to handle kernel paging request at virtual address" about ten seconds after unloading the driver. This happens on uart_hangup() calling uart_change_pm(). Turns out commit 04e82793f068 ("serial: 8250: Reinit port->pm on port specific driver unbind") was only a partial fix. If the hardware specific driver has initialized port->pm function, we need to clear port->pm too. Just reinitializing port->ops does not do this. Otherwise serial8250_pm() will call port->pm() instead of serial8250_do_pm(). CVE-2023-54220 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54220.html CVE-2023-54220 https://bugzilla.suse.com/1255949 SUSE Bug 1255949 In the Linux kernel, the following vulnerability has been resolved: clk: imx93: fix memory leak and missing unwind goto in imx93_clocks_probe In function probe(), it returns directly without unregistered hws when error occurs. Fix this by adding 'goto unregister_hws;' on line 295 and line 310. Use devm_kzalloc() instead of kzalloc() to automatically free the memory using devm_kfree() when error occurs. Replace of_iomap() with devm_of_iomap() to automatically handle the unused ioremap region and delete 'iounmap(anatop_base);' in unregister_hws. CVE-2023-54221 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54221.html CVE-2023-54221 https://bugzilla.suse.com/1255842 SUSE Bug 1255842 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: xsk: Fix invalid buffer access for legacy rq The below crash can be encountered when using xdpsock in rx mode for legacy rq: the buffer gets released in the XDP_REDIRECT path, and then once again in the driver. This fix sets the flag to avoid releasing on the driver side. XSK handling of buffers for legacy rq was relying on the caller to set the skip release flag. But the referenced fix started using fragment counts for pages instead of the skip flag. Crash log: general protection fault, probably for non-canonical address 0xffff8881217e3a: 0000 [#1] SMP CPU: 0 PID: 14 Comm: ksoftirqd/0 Not tainted 6.5.0-rc1+ #31 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:bpf_prog_03b13f331978c78c+0xf/0x28 Code: ... RSP: 0018:ffff88810082fc98 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888138404901 RCX: c0ffffc900027cbc RDX: ffffffffa000b514 RSI: 00ffff8881217e32 RDI: ffff888138404901 RBP: ffff88810082fc98 R08: 0000000000091100 R09: 0000000000000006 R10: 0000000000000800 R11: 0000000000000800 R12: ffffc9000027a000 R13: ffff8881217e2dc0 R14: ffff8881217e2910 R15: ffff8881217e2f00 FS: 0000000000000000(0000) GS:ffff88852c800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000564cb2e2cde0 CR3: 000000010e603004 CR4: 0000000000370eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? die_addr+0x32/0x80 ? exc_general_protection+0x192/0x390 ? asm_exc_general_protection+0x22/0x30 ? 0xffffffffa000b514 ? bpf_prog_03b13f331978c78c+0xf/0x28 mlx5e_xdp_handle+0x48/0x670 [mlx5_core] ? dev_gro_receive+0x3b5/0x6e0 mlx5e_xsk_skb_from_cqe_linear+0x6e/0x90 [mlx5_core] mlx5e_handle_rx_cqe+0x55/0x100 [mlx5_core] mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core] mlx5e_napi_poll+0x45e/0x6b0 [mlx5_core] __napi_poll+0x25/0x1a0 net_rx_action+0x28a/0x300 __do_softirq+0xcd/0x279 ? sort_range+0x20/0x20 run_ksoftirqd+0x1a/0x20 smpboot_thread_fn+0xa2/0x130 kthread+0xc9/0xf0 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 </TASK> Modules linked in: mlx5_ib mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay zram zsmalloc fuse [last unloaded: mlx5_core] ---[ end trace 0000000000000000 ]--- CVE-2023-54223 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54223.html CVE-2023-54223 https://bugzilla.suse.com/1256233 SUSE Bug 1256233 https://bugzilla.suse.com/1256253 SUSE Bug 1256253 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix lockdep splat and potential deadlock after failure running delayed items When running delayed items we are holding a delayed node's mutex and then we will attempt to modify a subvolume btree to insert/update/delete the delayed items. However if have an error during the insertions for example, btrfs_insert_delayed_items() may return with a path that has locked extent buffers (a leaf at the very least), and then we attempt to release the delayed node at __btrfs_run_delayed_items(), which requires taking the delayed node's mutex, causing an ABBA type of deadlock. This was reported by syzbot and the lockdep splat is the following: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00024-g93f5de5f648d #0 Not tainted ------------------------------------------------------ syz-executor.2/13257 is trying to acquire lock: ffff88801835c0c0 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 but task is already holding lock: ffff88802a5ab8e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_lock+0x3c/0x2a0 fs/btrfs/locking.c:198 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: __lock_release kernel/locking/lockdep.c:5475 [inline] lock_release+0x36f/0x9d0 kernel/locking/lockdep.c:5781 up_write+0x79/0x580 kernel/locking/rwsem.c:1625 btrfs_tree_unlock_rw fs/btrfs/locking.h:189 [inline] btrfs_unlock_up_safe+0x179/0x3b0 fs/btrfs/locking.c:239 search_leaf fs/btrfs/ctree.c:1986 [inline] btrfs_search_slot+0x2511/0x2f80 fs/btrfs/ctree.c:2230 btrfs_insert_empty_items+0x9c/0x180 fs/btrfs/ctree.c:4376 btrfs_insert_delayed_item fs/btrfs/delayed-inode.c:746 [inline] btrfs_insert_delayed_items fs/btrfs/delayed-inode.c:824 [inline] __btrfs_commit_inode_delayed_items+0xd24/0x2410 fs/btrfs/delayed-inode.c:1111 __btrfs_run_delayed_items+0x1db/0x430 fs/btrfs/delayed-inode.c:1153 flush_space+0x269/0xe70 fs/btrfs/space-info.c:723 btrfs_async_reclaim_metadata_space+0x106/0x350 fs/btrfs/space-info.c:1078 process_one_work+0x92c/0x12c0 kernel/workqueue.c:2600 worker_thread+0xa63/0x1210 kernel/workqueue.c:2751 kthread+0x2b8/0x350 kernel/kthread.c:389 ret_from_fork+0x2e/0x60 arch/x86/kernel/process.c:145 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 -> #0 (&delayed_node->mutex){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 __mutex_lock_common+0x1d8/0x2530 kernel/locking/mutex.c:603 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:799 __btrfs_release_delayed_node+0x9a/0xaa0 fs/btrfs/delayed-inode.c:256 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:281 [inline] __btrfs_run_delayed_items+0x2b5/0x430 fs/btrfs/delayed-inode.c:1156 btrfs_commit_transaction+0x859/0x2ff0 fs/btrfs/transaction.c:2276 btrfs_sync_file+0xf56/0x1330 fs/btrfs/file.c:1988 vfs_fsync_range fs/sync.c:188 [inline] vfs_fsync fs/sync.c:202 [inline] do_fsync fs/sync.c:212 [inline] __do_sys_fsync fs/sync.c:220 [inline] __se_sys_fsync fs/sync.c:218 [inline] __x64_sys_fsync+0x196/0x1e0 fs/sync.c:218 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info that ---truncated--- CVE-2023-54224 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54224.html CVE-2023-54224 https://bugzilla.suse.com/1255951 SUSE Bug 1255951 In the Linux kernel, the following vulnerability has been resolved: net: ipa: only reset hashed tables when supported Last year, the code that manages GSI channel transactions switched from using spinlock-protected linked lists to using indexes into the ring buffer used for a channel. Recently, Google reported seeing transaction reference count underflows occasionally during shutdown. Doug Anderson found a way to reproduce the issue reliably, and bisected the issue to the commit that eliminated the linked lists and the lock. The root cause was ultimately determined to be related to unused transactions being committed as part of the modem shutdown cleanup activity. Unused transactions are not normally expected (except in error cases). The modem uses some ranges of IPA-resident memory, and whenever it shuts down we zero those ranges. In ipa_filter_reset_table() a transaction is allocated to zero modem filter table entries. If hashing is not supported, hashed table memory should not be zeroed. But currently nothing prevents that, and the result is an unused transaction. Something similar occurs when we zero routing table entries for the modem. By preventing any attempt to clear hashed tables when hashing is not supported, the reference count underflow is avoided in this case. Note that there likely remains an issue with properly freeing unused transactions (if they occur due to errors). This patch addresses only the underflows that Google originally reported. CVE-2023-54225 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54225.html CVE-2023-54225 https://bugzilla.suse.com/1256234 SUSE Bug 1256234 In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix tags leak when shrink nr_hw_queues Although we don't need to realloc set->tags[] when shrink nr_hw_queues, we need to free them. Or these tags will be leaked. How to reproduce: 1. mount -t configfs configfs /mnt 2. modprobe null_blk nr_devices=0 submit_queues=8 3. mkdir /mnt/nullb/nullb0 4. echo 1 > /mnt/nullb/nullb0/power 5. echo 4 > /mnt/nullb/nullb0/submit_queues 6. rmdir /mnt/nullb/nullb0 In step 4, will alloc 9 tags (8 submit queues and 1 poll queue), then in step 5, new_nr_hw_queues = 5 (4 submit queues and 1 poll queue). At last in step 6, only these 5 tags are freed, the other 4 tags leaked. CVE-2023-54227 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54227.html CVE-2023-54227 https://bugzilla.suse.com/1255952 SUSE Bug 1255952 In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix registration of 6Ghz-only phy without the full channel range Because of what seems to be a typo, a 6Ghz-only phy for which the BDF does not allow the 7115Mhz channel will fail to register: WARNING: CPU: 2 PID: 106 at net/wireless/core.c:907 wiphy_register+0x914/0x954 Modules linked in: ath11k_pci sbsa_gwdt CPU: 2 PID: 106 Comm: kworker/u8:5 Not tainted 6.3.0-rc7-next-20230418-00549-g1e096a17625a-dirty #9 Hardware name: Freebox V7R Board (DT) Workqueue: ath11k_qmi_driver_event ath11k_qmi_driver_event_work pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : wiphy_register+0x914/0x954 lr : ieee80211_register_hw+0x67c/0xc10 sp : ffffff800b123aa0 x29: ffffff800b123aa0 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000006 x24: ffffffc008d51418 x23: ffffffc008cb0838 x22: ffffff80176c2460 x21: 0000000000000168 x20: ffffff80176c0000 x19: ffffff80176c03e0 x18: 0000000000000014 x17: 00000000cbef338c x16: 00000000d2a26f21 x15: 00000000ad6bb85f x14: 0000000000000020 x13: 0000000000000020 x12: 00000000ffffffbd x11: 0000000000000208 x10: 00000000fffffdf7 x9 : ffffffc009394718 x8 : ffffff80176c0528 x7 : 000000007fffffff x6 : 0000000000000006 x5 : 0000000000000005 x4 : ffffff800b304284 x3 : ffffff800b304284 x2 : ffffff800b304d98 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: wiphy_register+0x914/0x954 ieee80211_register_hw+0x67c/0xc10 ath11k_mac_register+0x7c4/0xe10 ath11k_core_qmi_firmware_ready+0x1f4/0x570 ath11k_qmi_driver_event_work+0x198/0x590 process_one_work+0x1b8/0x328 worker_thread+0x6c/0x414 kthread+0x100/0x104 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- ath11k_pci 0002:01:00.0: ieee80211 registration failed: -22 ath11k_pci 0002:01:00.0: failed register the radio with mac80211: -22 ath11k_pci 0002:01:00.0: failed to create pdev core: -22 CVE-2023-54229 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54229.html CVE-2023-54229 https://bugzilla.suse.com/1255924 SUSE Bug 1255924 In the Linux kernel, the following vulnerability has been resolved: amba: bus: fix refcount leak commit 5de1540b7bc4 ("drivers/amba: create devices from device tree") increases the refcount of of_node, but not releases it in amba_device_release, so there is refcount leak. By using of_node_put to avoid refcount leak. CVE-2023-54230 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54230.html CVE-2023-54230 https://bugzilla.suse.com/1255925 SUSE Bug 1255925 In the Linux kernel, the following vulnerability has been resolved: PCI/DOE: Fix destroy_work_on_stack() race The following debug object splat was observed in testing: ODEBUG: free active (active state 0) object: 0000000097d23782 object type: work_struct hint: doe_statemachine_work+0x0/0x510 WARNING: CPU: 1 PID: 71 at lib/debugobjects.c:514 debug_print_object+0x7d/0xb0 ... Workqueue: pci 0000:36:00.0 DOE [1 doe_statemachine_work RIP: 0010:debug_print_object+0x7d/0xb0 ... Call Trace: ? debug_print_object+0x7d/0xb0 ? __pfx_doe_statemachine_work+0x10/0x10 debug_object_free.part.0+0x11b/0x150 doe_statemachine_work+0x45e/0x510 process_one_work+0x1d4/0x3c0 This occurs because destroy_work_on_stack() was called after signaling the completion in the calling thread. This creates a race between destroy_work_on_stack() and the task->work struct going out of scope in pci_doe(). Signal the work complete after destroying the work struct. This is safe because signal_task_complete() is the final thing the work item does and the workqueue code is careful not to access the work struct after. CVE-2023-54235 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54235.html CVE-2023-54235 https://bugzilla.suse.com/1255921 SUSE Bug 1255921 In the Linux kernel, the following vulnerability has been resolved: net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() rule_locs is allocated in ethtool_get_rxnfc and the size is determined by rule_cnt from user space. So rule_cnt needs to be check before using rule_locs to avoid NULL pointer dereference. CVE-2023-54240 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54240.html CVE-2023-54240 https://bugzilla.suse.com/1255918 SUSE Bug 1255918 In the Linux kernel, the following vulnerability has been resolved: MIPS: KVM: Fix NULL pointer dereference After commit 45c7e8af4a5e3f0bea4ac209 ("MIPS: Remove KVM_TE support") we get a NULL pointer dereference when creating a KVM guest: [ 146.243409] Starting KVM with MIPS VZ extensions [ 149.849151] CPU 3 Unable to handle kernel paging request at virtual address 0000000000000300, epc == ffffffffc06356ec, ra == ffffffffc063568c [ 149.849177] Oops[#1]: [ 149.849182] CPU: 3 PID: 2265 Comm: qemu-system-mip Not tainted 6.4.0-rc3+ #1671 [ 149.849188] Hardware name: THTF CX TL630 Series/THTF-LS3A4000-7A1000-ML4A, BIOS KL4.1F.TF.D.166.201225.R 12/25/2020 [ 149.849192] $ 0 : 0000000000000000 000000007400cce0 0000000000400004 ffffffff8119c740 [ 149.849209] $ 4 : 000000007400cce1 000000007400cce1 0000000000000000 0000000000000000 [ 149.849221] $ 8 : 000000240058bb36 ffffffff81421ac0 0000000000000000 0000000000400dc0 [ 149.849233] $12 : 9800000102a07cc8 ffffffff80e40e38 0000000000000001 0000000000400dc0 [ 149.849245] $16 : 0000000000000000 9800000106cd0000 9800000106cd0000 9800000100cce000 [ 149.849257] $20 : ffffffffc0632b28 ffffffffc05b31b0 9800000100ccca00 0000000000400000 [ 149.849269] $24 : 9800000106cd09ce ffffffff802f69d0 [ 149.849281] $28 : 9800000102a04000 9800000102a07cd0 98000001106a8000 ffffffffc063568c [ 149.849293] Hi : 00000335b2111e66 [ 149.849295] Lo : 6668d90061ae0ae9 [ 149.849298] epc : ffffffffc06356ec kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849324] ra : ffffffffc063568c kvm_vz_vcpu_setup+0x64/0x328 [kvm] [ 149.849336] Status: 7400cce3 KX SX UX KERNEL EXL IE [ 149.849351] Cause : 1000000c (ExcCode 03) [ 149.849354] BadVA : 0000000000000300 [ 149.849357] PrId : 0014c004 (ICT Loongson-3) [ 149.849360] Modules linked in: kvm nfnetlink_queue nfnetlink_log nfnetlink fuse sha256_generic libsha256 cfg80211 rfkill binfmt_misc vfat fat snd_hda_codec_hdmi input_leds led_class snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_pcm snd_timer snd serio_raw xhci_pci radeon drm_suballoc_helper drm_display_helper xhci_hcd ip_tables x_tables [ 149.849432] Process qemu-system-mip (pid: 2265, threadinfo=00000000ae2982d2, task=0000000038e09ad4, tls=000000ffeba16030) [ 149.849439] Stack : 9800000000000003 9800000100ccca00 9800000100ccc000 ffffffffc062cef4 [ 149.849453] 9800000102a07d18 c89b63a7ab338e00 0000000000000000 ffffffff811a0000 [ 149.849465] 0000000000000000 9800000106cd0000 ffffffff80e59938 98000001106a8920 [ 149.849476] ffffffff80e57f30 ffffffffc062854c ffffffff811a0000 9800000102bf4240 [ 149.849488] ffffffffc05b0000 ffffffff80e3a798 000000ff78000000 000000ff78000010 [ 149.849500] 0000000000000255 98000001021f7de0 98000001023f0078 ffffffff81434000 [ 149.849511] 0000000000000000 0000000000000000 9800000102ae0000 980000025e92ae28 [ 149.849523] 0000000000000000 c89b63a7ab338e00 0000000000000001 ffffffff8119dce0 [ 149.849535] 000000ff78000010 ffffffff804f3d3c 9800000102a07eb0 0000000000000255 [ 149.849546] 0000000000000000 ffffffff8049460c 000000ff78000010 0000000000000255 [ 149.849558] ... [ 149.849565] Call Trace: [ 149.849567] [<ffffffffc06356ec>] kvm_vz_vcpu_setup+0xc4/0x328 [kvm] [ 149.849586] [<ffffffffc062cef4>] kvm_arch_vcpu_create+0x184/0x228 [kvm] [ 149.849605] [<ffffffffc062854c>] kvm_vm_ioctl+0x64c/0xf28 [kvm] [ 149.849623] [<ffffffff805209c0>] sys_ioctl+0xc8/0x118 [ 149.849631] [<ffffffff80219eb0>] syscall_common+0x34/0x58 The root cause is the deletion of kvm_mips_commpage_init() leaves vcpu ->arch.cop0 NULL. So fix it by making cop0 from a pointer to an embedded object. CVE-2023-54241 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54241.html CVE-2023-54241 https://bugzilla.suse.com/1255838 SUSE Bug 1255838 In the Linux kernel, the following vulnerability has been resolved: rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle() The rcuscale.holdoff module parameter can be used to delay the start of rcu_scale_writer() kthread. However, the hung-task timeout will trigger when the timeout specified by rcuscale.holdoff is greater than hung_task_timeout_secs: runqemu kvm nographic slirp qemuparams="-smp 4 -m 2048M" bootparams="rcuscale.shutdown=0 rcuscale.holdoff=300" [ 247.071753] INFO: task rcu_scale_write:59 blocked for more than 122 seconds. [ 247.072529] Not tainted 6.4.0-rc1-00134-gb9ed6de8d4ff #7 [ 247.073400] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.074331] task:rcu_scale_write state:D stack:30144 pid:59 ppid:2 flags:0x00004000 [ 247.075346] Call Trace: [ 247.075660] <TASK> [ 247.075965] __schedule+0x635/0x1280 [ 247.076448] ? __pfx___schedule+0x10/0x10 [ 247.076967] ? schedule_timeout+0x2dc/0x4d0 [ 247.077471] ? __pfx_lock_release+0x10/0x10 [ 247.078018] ? enqueue_timer+0xe2/0x220 [ 247.078522] schedule+0x84/0x120 [ 247.078957] schedule_timeout+0x2e1/0x4d0 [ 247.079447] ? __pfx_schedule_timeout+0x10/0x10 [ 247.080032] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.080591] ? __pfx_process_timeout+0x10/0x10 [ 247.081163] ? __pfx_sched_set_fifo_low+0x10/0x10 [ 247.081760] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.082287] rcu_scale_writer+0x6b1/0x7f0 [ 247.082773] ? mark_held_locks+0x29/0xa0 [ 247.083252] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.083865] ? __pfx_rcu_scale_writer+0x10/0x10 [ 247.084412] kthread+0x179/0x1c0 [ 247.084759] ? __pfx_kthread+0x10/0x10 [ 247.085098] ret_from_fork+0x2c/0x50 [ 247.085433] </TASK> This commit therefore replaces schedule_timeout_uninterruptible() with schedule_timeout_idle(). CVE-2023-54246 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54246.html CVE-2023-54246 https://bugzilla.suse.com/1255915 SUSE Bug 1255915 In the Linux kernel, the following vulnerability has been resolved: bpf: Silence a warning in btf_type_id_size() syzbot reported a warning in [1] with the following stacktrace: WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988 ... Call Trace: <TASK> map_check_btf kernel/bpf/syscall.c:1024 [inline] map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198 __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040 __do_sys_bpf kernel/bpf/syscall.c:5162 [inline] __se_sys_bpf kernel/bpf/syscall.c:5160 [inline] __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd With the following btf [1] DECL_TAG 'a' type_id=4 component_idx=-1 [2] PTR '(anon)' type_id=0 [3] TYPE_TAG 'a' type_id=2 [4] VAR 'a' type_id=3, linkage=static and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered: if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) && !btf_type_is_var(size_type))) return NULL; Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here, we just want to silence warning. To silence the warning, I added DECL_TAG as one of kinds in btf_type_nosize() which will cause btf_type_id_size() returning NULL earlier without the warning. [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/ CVE-2023-54247 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54247.html CVE-2023-54247 https://bugzilla.suse.com/1255892 SUSE Bug 1255892 In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX. syzkaller found zero division error [0] in div_s64_rem() called from get_cycle_time_elapsed(), where sched->cycle_time is the divisor. We have tests in parse_taprio_schedule() so that cycle_time will never be 0, and actually cycle_time is not 0 in get_cycle_time_elapsed(). The problem is that the types of divisor are different; cycle_time is s64, but the argument of div_s64_rem() is s32. syzkaller fed this input and 0x100000000 is cast to s32 to be 0. @TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME={0xc, 0x8, 0x100000000} We use s64 for cycle_time to cast it to ktime_t, so let's keep it and set max for cycle_time. While at it, we prevent overflow in setup_txtime() and add another test in parse_taprio_schedule() to check if cycle_time overflows. Also, we add a new tdc test case for this issue. [0]: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 103 Comm: kworker/1:3 Not tainted 6.5.0-rc1-00330-g60cc1f7d0605 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:div_s64_rem include/linux/math64.h:42 [inline] RIP: 0010:get_cycle_time_elapsed net/sched/sch_taprio.c:223 [inline] RIP: 0010:find_entry_to_transmit+0x252/0x7e0 net/sched/sch_taprio.c:344 Code: 3c 02 00 0f 85 5e 05 00 00 48 8b 4c 24 08 4d 8b bd 40 01 00 00 48 8b 7c 24 48 48 89 c8 4c 29 f8 48 63 f7 48 99 48 89 74 24 70 <48> f7 fe 48 29 d1 48 8d 04 0f 49 89 cc 48 89 44 24 20 49 8d 85 10 RSP: 0018:ffffc90000acf260 EFLAGS: 00010206 RAX: 177450e0347560cf RBX: 0000000000000000 RCX: 177450e0347560cf RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000100000000 RBP: 0000000000000056 R08: 0000000000000000 R09: ffffed10020a0934 R10: ffff8880105049a7 R11: ffff88806cf3a520 R12: ffff888010504800 R13: ffff88800c00d800 R14: ffff8880105049a0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0edf84f0e8 CR3: 000000000d73c002 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> get_packet_txtime net/sched/sch_taprio.c:508 [inline] taprio_enqueue_one+0x900/0xff0 net/sched/sch_taprio.c:577 taprio_enqueue+0x378/0xae0 net/sched/sch_taprio.c:658 dev_qdisc_enqueue+0x46/0x170 net/core/dev.c:3732 __dev_xmit_skb net/core/dev.c:3821 [inline] __dev_queue_xmit+0x1b2f/0x3000 net/core/dev.c:4169 dev_queue_xmit include/linux/netdevice.h:3088 [inline] neigh_resolve_output net/core/neighbour.c:1552 [inline] neigh_resolve_output+0x4a7/0x780 net/core/neighbour.c:1532 neigh_output include/net/neighbour.h:544 [inline] ip6_finish_output2+0x924/0x17d0 net/ipv6/ip6_output.c:135 __ip6_finish_output+0x620/0xaa0 net/ipv6/ip6_output.c:196 ip6_finish_output net/ipv6/ip6_output.c:207 [inline] NF_HOOK_COND include/linux/netfilter.h:292 [inline] ip6_output+0x206/0x410 net/ipv6/ip6_output.c:228 dst_output include/net/dst.h:458 [inline] NF_HOOK.constprop.0+0xea/0x260 include/linux/netfilter.h:303 ndisc_send_skb+0x872/0xe80 net/ipv6/ndisc.c:508 ndisc_send_ns+0xb5/0x130 net/ipv6/ndisc.c:666 addrconf_dad_work+0xc14/0x13f0 net/ipv6/addrconf.c:4175 process_one_work+0x92c/0x13a0 kernel/workqueue.c:2597 worker_thread+0x60f/0x1240 kernel/workqueue.c:2748 kthread+0x2fe/0x3f0 kernel/kthread.c:389 ret_from_fork+0x2c/0x50 arch/x86/entry/entry_64.S:308 </TASK> Modules linked in: CVE-2023-54251 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54251.html CVE-2023-54251 https://bugzilla.suse.com/1255888 SUSE Bug 1255888 In the Linux kernel, the following vulnerability has been resolved: btrfs: set page extent mapped after read_folio in relocate_one_page One of the CI runs triggered the following panic assertion failed: PagePrivate(page) && page->private, in fs/btrfs/subpage.c:229 ------------[ cut here ]------------ kernel BUG at fs/btrfs/subpage.c:229! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 0 PID: 923660 Comm: btrfs Not tainted 6.5.0-rc3+ #1 pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : btrfs_subpage_assert+0xbc/0xf0 lr : btrfs_subpage_assert+0xbc/0xf0 sp : ffff800093213720 x29: ffff800093213720 x28: ffff8000932138b4 x27: 000000000c280000 x26: 00000001b5d00000 x25: 000000000c281000 x24: 000000000c281fff x23: 0000000000001000 x22: 0000000000000000 x21: ffffff42b95bf880 x20: ffff42b9528e0000 x19: 0000000000001000 x18: ffffffffffffffff x17: 667274622f736620 x16: 6e69202c65746176 x15: 0000000000000028 x14: 0000000000000003 x13: 00000000002672d7 x12: 0000000000000000 x11: ffffcd3f0ccd9204 x10: ffffcd3f0554ae50 x9 : ffffcd3f0379528c x8 : ffff800093213428 x7 : 0000000000000000 x6 : ffffcd3f091771e8 x5 : ffff42b97f333948 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff42b9556cde80 x0 : 000000000000004f Call trace: btrfs_subpage_assert+0xbc/0xf0 btrfs_subpage_set_dirty+0x38/0xa0 btrfs_page_set_dirty+0x58/0x88 relocate_one_page+0x204/0x5f0 relocate_file_extent_cluster+0x11c/0x180 relocate_data_extent+0xd0/0xf8 relocate_block_group+0x3d0/0x4e8 btrfs_relocate_block_group+0x2d8/0x490 btrfs_relocate_chunk+0x54/0x1a8 btrfs_balance+0x7f4/0x1150 btrfs_ioctl+0x10f0/0x20b8 __arm64_sys_ioctl+0x120/0x11d8 invoke_syscall.constprop.0+0x80/0xd8 do_el0_svc+0x6c/0x158 el0_svc+0x50/0x1b0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x194/0x198 Code: 91098021 b0007fa0 91346000 97e9c6d2 (d4210000) This is the same problem outlined in 17b17fcd6d44 ("btrfs: set_page_extent_mapped after read_folio in btrfs_cont_expand") , and the fix is the same. I originally looked for the same pattern elsewhere in our code, but mistakenly skipped over this code because I saw the page cache readahead before we set_page_extent_mapped, not realizing that this was only in the !page case, that we can still end up with a !uptodate page and then do the btrfs_read_folio further down. The fix here is the same as the above mentioned patch, move the set_page_extent_mapped call to after the btrfs_read_folio() block to make sure that we have the subpage blocksize stuff setup properly before using the page. CVE-2023-54253 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54253.html CVE-2023-54253 https://bugzilla.suse.com/1255891 SUSE Bug 1255891 In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Don't leak a resource on eviction error On eviction errors other than -EMULTIHOP we were leaking a resource. Fix. v2: - Avoid yet another goto (Andi Shyti) CVE-2023-54254 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54254.html CVE-2023-54254 https://bugzilla.suse.com/1255890 SUSE Bug 1255890 In the Linux kernel, the following vulnerability has been resolved: sh: dma: Fix DMA channel offset calculation Various SoCs of the SH3, SH4 and SH4A family, which use this driver, feature a differing number of DMA channels, which can be distributed between up to two DMAC modules. The existing implementation fails to correctly accommodate for all those variations, resulting in wrong channel offset calculations and leading to kernel panics. Rewrite dma_base_addr() in order to properly calculate channel offsets in a DMAC module. Fix dmaor_read_reg() and dmaor_write_reg(), so that the correct DMAC module base is selected for the DMAOR register. CVE-2023-54255 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54255.html CVE-2023-54255 https://bugzilla.suse.com/1255884 SUSE Bug 1255884 In the Linux kernel, the following vulnerability has been resolved: cifs: fix potential oops in cifs_oplock_break With deferred close we can have closes that race with lease breaks, and so with the current checks for whether to send the lease response, oplock_response(), this can mean that an unmount (kill_sb) can occur just before we were checking if the tcon->ses is valid. See below: [Fri Aug 4 04:12:50 2023] RIP: 0010:cifs_oplock_break+0x1f7/0x5b0 [cifs] [Fri Aug 4 04:12:50 2023] Code: 7d a8 48 8b 7d c0 c0 e9 02 48 89 45 b8 41 89 cf e8 3e f5 ff ff 4c 89 f7 41 83 e7 01 e8 82 b3 03 f2 49 8b 45 50 48 85 c0 74 5e <48> 83 78 60 00 74 57 45 84 ff 75 52 48 8b 43 98 48 83 eb 68 48 39 [Fri Aug 4 04:12:50 2023] RSP: 0018:ffffb30607ddbdf8 EFLAGS: 00010206 [Fri Aug 4 04:12:50 2023] RAX: 632d223d32612022 RBX: ffff97136944b1e0 RCX: 0000000080100009 [Fri Aug 4 04:12:50 2023] RDX: 0000000000000001 RSI: 0000000080100009 RDI: ffff97136944b188 [Fri Aug 4 04:12:50 2023] RBP: ffffb30607ddbe58 R08: 0000000000000001 R09: ffffffffc08e0900 [Fri Aug 4 04:12:50 2023] R10: 0000000000000001 R11: 000000000000000f R12: ffff97136944b138 [Fri Aug 4 04:12:50 2023] R13: ffff97149147c000 R14: ffff97136944b188 R15: 0000000000000000 [Fri Aug 4 04:12:50 2023] FS: 0000000000000000(0000) GS:ffff9714f7c00000(0000) knlGS:0000000000000000 [Fri Aug 4 04:12:50 2023] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Fri Aug 4 04:12:50 2023] CR2: 00007fd8de9c7590 CR3: 000000011228e000 CR4: 0000000000350ef0 [Fri Aug 4 04:12:50 2023] Call Trace: [Fri Aug 4 04:12:50 2023] <TASK> [Fri Aug 4 04:12:50 2023] process_one_work+0x225/0x3d0 [Fri Aug 4 04:12:50 2023] worker_thread+0x4d/0x3e0 [Fri Aug 4 04:12:50 2023] ? process_one_work+0x3d0/0x3d0 [Fri Aug 4 04:12:50 2023] kthread+0x12a/0x150 [Fri Aug 4 04:12:50 2023] ? set_kthread_struct+0x50/0x50 [Fri Aug 4 04:12:50 2023] ret_from_fork+0x22/0x30 [Fri Aug 4 04:12:50 2023] </TASK> To fix this change the ordering of the checks before sending the oplock_response to first check if the openFileList is empty. CVE-2023-54258 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54258.html CVE-2023-54258 https://bugzilla.suse.com/1255886 SUSE Bug 1255886 In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Add missing gfx11 MQD manager callbacks mqd_stride function was introduced in commit 2f77b9a242a2 ("drm/amdkfd: Update MQD management on multi XCC setup") but not assigned for gfx11. Fixes a NULL dereference in debugfs. CVE-2023-54261 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54261.html CVE-2023-54261 https://bugzilla.suse.com/1255879 SUSE Bug 1255879 In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/kms/nv50-: init hpd_irq_lock for PIOR DP Fixes OOPS on boards with ANX9805 DP encoders. CVE-2023-54263 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54263.html CVE-2023-54263 https://bugzilla.suse.com/1255883 SUSE Bug 1255883 In the Linux kernel, the following vulnerability has been resolved: fs/sysv: Null check to prevent null-ptr-deref bug sb_getblk(inode->i_sb, parent) return a null ptr and taking lock on that leads to the null-ptr-deref bug. CVE-2023-54264 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54264.html CVE-2023-54264 https://bugzilla.suse.com/1255872 SUSE Bug 1255872 In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() 'read' is freed when it is known to be NULL, but not when a read error occurs. Revert the logic to avoid a small leak, should a m920x_read() call fail. CVE-2023-54266 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54266.html CVE-2023-54266 https://bugzilla.suse.com/1255875 SUSE Bug 1255875 In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT lppaca_shared_proc() takes a pointer to the lppaca which is typically accessed through get_lppaca(). With DEBUG_PREEMPT enabled, this leads to checking if preemption is enabled, for example: BUG: using smp_processor_id() in preemptible [00000000] code: grep/10693 caller is lparcfg_data+0x408/0x19a0 CPU: 4 PID: 10693 Comm: grep Not tainted 6.5.0-rc3 #2 Call Trace: dump_stack_lvl+0x154/0x200 (unreliable) check_preemption_disabled+0x214/0x220 lparcfg_data+0x408/0x19a0 ... This isn't actually a problem however, as it does not matter which lppaca is accessed, the shared proc state will be the same. vcpudispatch_stats_procfs_init() already works around this by disabling preemption, but the lparcfg code does not, erroring any time /proc/powerpc/lparcfg is accessed with DEBUG_PREEMPT enabled. Instead of disabling preemption on the caller side, rework lppaca_shared_proc() to not take a pointer and instead directly access the lppaca, bypassing any potential preemption checks. [mpe: Rework to avoid needing a definition in paca.h and lppaca.h] CVE-2023-54267 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54267.html CVE-2023-54267 https://bugzilla.suse.com/1255899 SUSE Bug 1255899 In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... RIP: 0010:_raw_spin_lock+0x17/0x30 Code: be 01 02 00 00 e8 79 38 39 ff 31 d2 89 d0 5d c3 0f 1f 00 0f 1f 44 00 00 55 48 89 e5 65 ff 05 48 d0 34 7e b9 01 00 00 00 31 c0 <f0> 0f b1 0f 75 02 5d c3 89 c6 e8 ea 04 00 00 5d c3 0f 1f 84 00 00 RSP: 0018:ffffc900023b3d40 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 00000000000000e0 RCX: 0000000000000001 RDX: ffffc900023b3d20 RSI: ffffc900023b3cf0 RDI: 00000000000000e0 RBP: ffffc900023b3d40 R08: ffffc900023b3c10 R09: 0000000000000003 R10: 0000000000000064 R11: 000000000000000a R12: ffff888102337000 R13: fffffffffffffff2 R14: ffff88810af408c8 R15: ffff8881070c3600 FS: 00007faaaf364fc0(0000) GS:ffff88842fdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001097b1000 CR4: 0000000000350ea0 Call Trace: <TASK> ioc_weight_write+0x13d/0x410 cgroup_file_write+0x7a/0x130 kernfs_fop_write_iter+0xf5/0x170 vfs_write+0x298/0x370 ksys_write+0x5f/0xb0 __x64_sys_write+0x1b/0x20 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This happens because iocg->ioc is NULL. The field is initialized by ioc_pd_init() and never cleared. The NULL deref is caused by blkcg_activate_policy() installing blkg_policy_data before initializing it. blkcg_activate_policy() was doing the following: 1. Allocate pd's for all existing blkg's and install them in blkg->pd[]. 2. Initialize all pd's. 3. Online all pd's. blkcg_activate_policy() only grabs the queue_lock and may release and re-acquire the lock as allocation may need to sleep. ioc_weight_write() grabs blkcg->lock and iterates all its blkg's. The two can race and if ioc_weight_write() runs during #1 or between #1 and #2, it can encounter a pd which is not initialized yet, leading to crash. The crash can be reproduced with the following script: #!/bin/bash echo +io > /sys/fs/cgroup/cgroup.subtree_control systemd-run --unit touch-sda --scope dd if=/dev/sda of=/dev/null bs=1M count=1 iflag=direct echo 100 > /sys/fs/cgroup/system.slice/io.weight bash -c "echo '8:0 enable=1' > /sys/fs/cgroup/io.cost.qos" & sleep .2 echo 100 > /sys/fs/cgroup/system.slice/io.weight with the following patch applied: > diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c > index fc49be622e05..38d671d5e10c 100644 > --- a/block/blk-cgroup.c > +++ b/block/blk-cgroup.c > @@ -1553,6 +1553,12 @@ int blkcg_activate_policy(struct gendisk *disk, const struct blkcg_policy *pol) > pd->online = false; > } > > + if (system_state == SYSTEM_RUNNING) { > + spin_unlock_irq(&q->queue_lock); > + ssleep(1); > + spin_lock_irq(&q->queue_lock); > + } > + > /* all allocated, init in the same order */ > if (pol->pd_init_fn) > list_for_each_entry_reverse(blkg, &q->blkg_list, q_node) I don't see a reason why all pd's should be allocated, initialized and onlined together. The only ordering requirement is that parent blkgs to be initialized and onlined before children, which is guaranteed from the walking order. Let's fix the bug by allocating, initializing and onlining pd for each blkg and holding blkcg->lock over initialization and onlining. This ensures that an installed blkg is always fully initialized and onlined removing the the race window. CVE-2023-54271 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54271.html CVE-2023-54271 https://bugzilla.suse.com/1255902 SUSE Bug 1255902 In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down. CVE-2023-54276 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54276.html CVE-2023-54276 https://bugzilla.suse.com/1255907 SUSE Bug 1255907 In the Linux kernel, the following vulnerability has been resolved: s390/vmem: split pages when debug pagealloc is enabled Since commit bb1520d581a3 ("s390/mm: start kernel with DAT enabled") the kernel crashes early during boot when debug pagealloc is enabled: mem auto-init: stack:off, heap alloc:off, heap free:off addressing exception: 0005 ilc:2 [#1] SMP DEBUG_PAGEALLOC Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 6.5.0-rc3-09759-gc5666c912155 #630 [..] Krnl Code: 00000000001325f6: ec5600248064 cgrj %r5,%r6,8,000000000013263e 00000000001325fc: eb880002000c srlg %r8,%r8,2 #0000000000132602: b2210051 ipte %r5,%r1,%r0,0 >0000000000132606: b90400d1 lgr %r13,%r1 000000000013260a: 41605008 la %r6,8(%r5) 000000000013260e: a7db1000 aghi %r13,4096 0000000000132612: b221006d ipte %r6,%r13,%r0,0 0000000000132616: e3d0d0000171 lay %r13,4096(%r13) Call Trace: __kernel_map_pages+0x14e/0x320 __free_pages_ok+0x23a/0x5a8) free_low_memory_core_early+0x214/0x2c8 memblock_free_all+0x28/0x58 mem_init+0xb6/0x228 mm_core_init+0xb6/0x3b0 start_kernel+0x1d2/0x5a8 startup_continue+0x36/0x40 Kernel panic - not syncing: Fatal exception: panic_on_oops This is caused by using large mappings on machines with EDAT1/EDAT2. Add the code to split the mappings into 4k pages if debug pagealloc is enabled by CONFIG_DEBUG_PAGEALLOC_ENABLE_DEFAULT or the debug_pagealloc kernel command line option. CVE-2023-54278 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54278.html CVE-2023-54278 https://bugzilla.suse.com/1255911 SUSE Bug 1255911 In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before inode lookup during the ino lookup ioctl During the ino lookup ioctl we can end up calling btrfs_iget() to get an inode reference while we are holding on a root's btree. If btrfs_iget() needs to lookup the inode from the root's btree, because it's not currently loaded in memory, then it will need to lock another or the same path in the same root btree. This may result in a deadlock and trigger the following lockdep splat: WARNING: possible circular locking dependency detected 6.5.0-rc7-syzkaller-00004-gf7757129e3de #0 Not tainted ------------------------------------------------------ syz-executor277/5012 is trying to acquire lock: ffff88802df41710 (btrfs-tree-01){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 but task is already holding lock: ffff88802df418e8 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-tree-00){++++}-{3:3}: down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_search_slot+0x13a4/0x2f80 fs/btrfs/ctree.c:2302 btrfs_init_root_free_objectid+0x148/0x320 fs/btrfs/disk-io.c:4955 btrfs_init_fs_root fs/btrfs/disk-io.c:1128 [inline] btrfs_get_root_ref+0x5ae/0xae0 fs/btrfs/disk-io.c:1338 btrfs_get_fs_root fs/btrfs/disk-io.c:1390 [inline] open_ctree+0x29c8/0x3030 fs/btrfs/disk-io.c:3494 btrfs_fill_super+0x1c7/0x2f0 fs/btrfs/super.c:1154 btrfs_mount_root+0x7e0/0x910 fs/btrfs/super.c:1519 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 fc_mount fs/namespace.c:1112 [inline] vfs_kern_mount+0xbc/0x150 fs/namespace.c:1142 btrfs_mount+0x39f/0xb50 fs/btrfs/super.c:1579 legacy_get_tree+0xef/0x190 fs/fs_context.c:611 vfs_get_tree+0x8c/0x270 fs/super.c:1519 do_new_mount+0x28f/0xae0 fs/namespace.c:3335 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd -> #0 (btrfs-tree-01){++++}-{3:3}: check_prev_add kernel/locking/lockdep.c:3142 [inline] check_prevs_add kernel/locking/lockdep.c:3261 [inline] validate_chain kernel/locking/lockdep.c:3876 [inline] __lock_acquire+0x39ff/0x7f70 kernel/locking/lockdep.c:5144 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5761 down_read_nested+0x49/0x2f0 kernel/locking/rwsem.c:1645 __btrfs_tree_read_lock+0x2f/0x220 fs/btrfs/locking.c:136 btrfs_tree_read_lock fs/btrfs/locking.c:142 [inline] btrfs_read_lock_root_node+0x292/0x3c0 fs/btrfs/locking.c:281 btrfs_search_slot_get_root fs/btrfs/ctree.c:1832 [inline] btrfs_search_slot+0x4ff/0x2f80 fs/btrfs/ctree.c:2154 btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:412 btrfs_read_locked_inode fs/btrfs/inode.c:3892 [inline] btrfs_iget_path+0x2d9/0x1520 fs/btrfs/inode.c:5716 btrfs_search_path_in_tree_user fs/btrfs/ioctl.c:1961 [inline] btrfs_ioctl_ino_lookup_user+0x77a/0xf50 fs/btrfs/ioctl.c:2105 btrfs_ioctl+0xb0b/0xd40 fs/btrfs/ioctl.c:4683 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd other info ---truncated--- CVE-2023-54281 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54281.html CVE-2023-54281 https://bugzilla.suse.com/1255820 SUSE Bug 1255820 In the Linux kernel, the following vulnerability has been resolved: media: tuners: qt1010: replace BUG_ON with a regular error BUG_ON is unnecessary here, and in addition it confuses smatch. Replacing this with an error return help resolve this smatch warning: drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34 CVE-2023-54282 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54282.html CVE-2023-54282 https://bugzilla.suse.com/1255810 SUSE Bug 1255810 In the Linux kernel, the following vulnerability has been resolved: bpf: Address KCSAN report on bpf_lru_list KCSAN reported a data-race when accessing node->ref. Although node->ref does not have to be accurate, take this chance to use a more common READ_ONCE() and WRITE_ONCE() pattern instead of data_race(). There is an existing bpf_lru_node_is_ref() and bpf_lru_node_set_ref(). This patch also adds bpf_lru_node_clear_ref() to do the WRITE_ONCE(node->ref, 0) also. ================================================================== BUG: KCSAN: data-race in __bpf_lru_list_rotate / __htab_lru_percpu_map_update_elem write to 0xffff888137038deb of 1 bytes by task 11240 on cpu 1: __bpf_lru_node_move kernel/bpf/bpf_lru_list.c:113 [inline] __bpf_lru_list_rotate_active kernel/bpf/bpf_lru_list.c:149 [inline] __bpf_lru_list_rotate+0x1bf/0x750 kernel/bpf/bpf_lru_list.c:240 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:329 [inline] bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline] bpf_lru_pop_free+0x638/0xe20 kernel/bpf/bpf_lru_list.c:499 prealloc_lru_pop kernel/bpf/hashtab.c:290 [inline] __htab_lru_percpu_map_update_elem+0xe7/0x820 kernel/bpf/hashtab.c:1316 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd read to 0xffff888137038deb of 1 bytes by task 11241 on cpu 0: bpf_lru_node_set_ref kernel/bpf/bpf_lru_list.h:70 [inline] __htab_lru_percpu_map_update_elem+0x2f1/0x820 kernel/bpf/hashtab.c:1332 bpf_percpu_hash_update+0x5e/0x90 kernel/bpf/hashtab.c:2313 bpf_map_update_value+0x2a9/0x370 kernel/bpf/syscall.c:200 generic_map_update_batch+0x3ae/0x4f0 kernel/bpf/syscall.c:1687 bpf_map_do_batch+0x2d9/0x3d0 kernel/bpf/syscall.c:4534 __sys_bpf+0x338/0x810 __do_sys_bpf kernel/bpf/syscall.c:5096 [inline] __se_sys_bpf kernel/bpf/syscall.c:5094 [inline] __x64_sys_bpf+0x43/0x50 kernel/bpf/syscall.c:5094 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x01 -> 0x00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 11241 Comm: syz-executor.3 Not tainted 6.3.0-rc7-syzkaller-00136-g6a66fdd29ea1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023 ================================================================== CVE-2023-54283 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54283.html CVE-2023-54283 https://bugzilla.suse.com/1255809 SUSE Bug 1255809 In the Linux kernel, the following vulnerability has been resolved: iomap: Fix possible overflow condition in iomap_write_delalloc_scan folio_next_index() returns an unsigned long value which left shifted by PAGE_SHIFT could possibly cause an overflow on 32-bit system. Instead use folio_pos(folio) + folio_size(folio), which does this correctly. CVE-2023-54285 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54285.html CVE-2023-54285 https://bugzilla.suse.com/1255807 SUSE Bug 1255807 In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Fix NULL dereference in error handling Smatch reported: drivers/scsi/qedf/qedf_main.c:3056 qedf_alloc_global_queues() warn: missing unwind goto? At this point in the function, nothing has been allocated so we can return directly. In particular the "qedf->global_queues" have not been allocated so calling qedf_free_global_queues() will lead to a NULL dereference when we check if (!gl[i]) and "gl" is NULL. CVE-2023-54289 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54289.html CVE-2023-54289 https://bugzilla.suse.com/1255806 SUSE Bug 1255806 In the Linux kernel, the following vulnerability has been resolved: vduse: fix NULL pointer dereference vduse_vdpa_set_vq_affinity callback can be called with NULL value as cpu_mask when deleting the vduse device. This patch resets virtqueue's IRQ affinity mask value to set all CPUs instead of dereferencing NULL cpu_mask. [ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 4760.959110] #PF: supervisor read access in kernel mode [ 4760.964247] #PF: error_code(0x0000) - not-present page [ 4760.969385] PGD 0 P4D 0 [ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI [ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4 [ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020 [ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130 [ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66 [ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246 [ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400 [ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898 [ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000 [ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000 [ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10 [ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000 [ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0 [ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4761.088909] PKRU: 55555554 [ 4761.091620] Call Trace: [ 4761.094074] <TASK> [ 4761.096180] ? __die+0x1f/0x70 [ 4761.099238] ? page_fault_oops+0x171/0x4f0 [ 4761.103340] ? exc_page_fault+0x7b/0x180 [ 4761.107265] ? asm_exc_page_fault+0x22/0x30 [ 4761.111460] ? memcpy_orig+0xc5/0x130 [ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse] [ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net] [ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net] [ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net] [ 4761.136580] virtio_dev_remove+0x3a/0x90 [ 4761.140509] device_release_driver_internal+0x19b/0x200 [ 4761.145742] bus_remove_device+0xc2/0x130 [ 4761.149755] device_del+0x158/0x3e0 [ 4761.153245] ? kernfs_find_ns+0x35/0xc0 [ 4761.157086] device_unregister+0x13/0x60 [ 4761.161010] unregister_virtio_device+0x11/0x20 [ 4761.165543] device_release_driver_internal+0x19b/0x200 [ 4761.170770] bus_remove_device+0xc2/0x130 [ 4761.174782] device_del+0x158/0x3e0 [ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa] [ 4761.183336] device_unregister+0x13/0x60 [ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa] CVE-2023-54291 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54291.html CVE-2023-54291 https://bugzilla.suse.com/1255798 SUSE Bug 1255798 In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP request done KCSAN detects a data race on cqp_request->request_done memory location which is accessed locklessly in irdma_handle_cqp_op while being updated in irdma_cqp_ce_handler. Annotate lockless intent with READ_ONCE/WRITE_ONCE to avoid any compiler optimizations like load fusing and/or KCSAN warning. [222808.417128] BUG: KCSAN: data-race in irdma_cqp_ce_handler [irdma] / irdma_wait_event [irdma] [222808.417532] write to 0xffff8e44107019dc of 1 bytes by task 29658 on cpu 5: [222808.417610] irdma_cqp_ce_handler+0x21e/0x270 [irdma] [222808.417725] cqp_compl_worker+0x1b/0x20 [irdma] [222808.417827] process_one_work+0x4d1/0xa40 [222808.417835] worker_thread+0x319/0x700 [222808.417842] kthread+0x180/0x1b0 [222808.417852] ret_from_fork+0x22/0x30 [222808.417918] read to 0xffff8e44107019dc of 1 bytes by task 29688 on cpu 1: [222808.417995] irdma_wait_event+0x1e2/0x2c0 [irdma] [222808.418099] irdma_handle_cqp_op+0xae/0x170 [irdma] [222808.418202] irdma_cqp_cq_destroy_cmd+0x70/0x90 [irdma] [222808.418308] irdma_puda_dele_rsrc+0x46d/0x4d0 [irdma] [222808.418411] irdma_rt_deinit_hw+0x179/0x1d0 [irdma] [222808.418514] irdma_ib_dealloc_device+0x11/0x40 [irdma] [222808.418618] ib_dealloc_device+0x2a/0x120 [ib_core] [222808.418823] __ib_unregister_device+0xde/0x100 [ib_core] [222808.418981] ib_unregister_device+0x22/0x40 [ib_core] [222808.419142] irdma_ib_unregister_device+0x70/0x90 [irdma] [222808.419248] i40iw_close+0x6f/0xc0 [irdma] [222808.419352] i40e_client_device_unregister+0x14a/0x180 [i40e] [222808.419450] i40iw_remove+0x21/0x30 [irdma] [222808.419554] auxiliary_bus_remove+0x31/0x50 [222808.419563] device_remove+0x69/0xb0 [222808.419572] device_release_driver_internal+0x293/0x360 [222808.419582] driver_detach+0x7c/0xf0 [222808.419592] bus_remove_driver+0x8c/0x150 [222808.419600] driver_unregister+0x45/0x70 [222808.419610] auxiliary_driver_unregister+0x16/0x30 [222808.419618] irdma_exit_module+0x18/0x1e [irdma] [222808.419733] __do_sys_delete_module.constprop.0+0x1e2/0x310 [222808.419745] __x64_sys_delete_module+0x1b/0x30 [222808.419755] do_syscall_64+0x39/0x90 [222808.419763] entry_SYSCALL_64_after_hwframe+0x63/0xcd [222808.419829] value changed: 0x01 -> 0x03 CVE-2023-54292 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54292.html CVE-2023-54292 https://bugzilla.suse.com/1255800 SUSE Bug 1255800 In the Linux kernel, the following vulnerability has been resolved: bcache: fixup btree_cache_wait list damage We get a kernel crash about "list_add corruption. next->prev should be prev (ffff9c801bc01210), but was ffff9c77b688237c. (next=ffffae586d8afe68)." crash> struct list_head 0xffff9c801bc01210 struct list_head { next = 0xffffae586d8afe68, prev = 0xffffae586d8afe68 } crash> struct list_head 0xffff9c77b688237c struct list_head { next = 0x0, prev = 0x0 } crash> struct list_head 0xffffae586d8afe68 struct list_head struct: invalid kernel virtual address: ffffae586d8afe68 type: "gdb_readmem_callback" Cannot access memory at address 0xffffae586d8afe68 [230469.019492] Call Trace: [230469.032041] prepare_to_wait+0x8a/0xb0 [230469.044363] ? bch_btree_keys_free+0x6c/0xc0 [escache] [230469.056533] mca_cannibalize_lock+0x72/0x90 [escache] [230469.068788] mca_alloc+0x2ae/0x450 [escache] [230469.080790] bch_btree_node_get+0x136/0x2d0 [escache] [230469.092681] bch_btree_check_thread+0x1e1/0x260 [escache] [230469.104382] ? finish_wait+0x80/0x80 [230469.115884] ? bch_btree_check_recurse+0x1a0/0x1a0 [escache] [230469.127259] kthread+0x112/0x130 [230469.138448] ? kthread_flush_work_fn+0x10/0x10 [230469.149477] ret_from_fork+0x35/0x40 bch_btree_check_thread() and bch_dirty_init_thread() may call mca_cannibalize() to cannibalize other cached btree nodes. Only one thread can do it at a time, so the op of other threads will be added to the btree_cache_wait list. We must call finish_wait() to remove op from btree_cache_wait before free it's memory address. Otherwise, the list will be damaged. Also should call bch_cannibalize_unlock() to release the btree_cache_alloc_lock and wake_up other waiters. CVE-2023-54293 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54293.html CVE-2023-54293 https://bugzilla.suse.com/1255801 SUSE Bug 1255801 In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Get source vCPUs from source VM for SEV-ES intrahost migration Fix a goof where KVM tries to grab source vCPUs from the destination VM when doing intrahost migration. Grabbing the wrong vCPU not only hoses the guest, it also crashes the host due to the VMSA pointer being left NULL. BUG: unable to handle page fault for address: ffffe38687000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 39 PID: 17143 Comm: sev_migrate_tes Tainted: GO 6.5.0-smp--fff2e47e6c3b-next #151 Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 34.28.0 07/10/2023 RIP: 0010:__free_pages+0x15/0xd0 RSP: 0018:ffff923fcf6e3c78 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffe38687000000 RCX: 0000000000000100 RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffe38687000000 RBP: ffff923fcf6e3c88 R08: ffff923fcafb0000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff83619b90 R12: ffff923fa9540000 R13: 0000000000080007 R14: ffff923f6d35d000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff929d0d7c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffe38687000000 CR3: 0000005224c34005 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> sev_free_vcpu+0xcb/0x110 [kvm_amd] svm_vcpu_free+0x75/0xf0 [kvm_amd] kvm_arch_vcpu_destroy+0x36/0x140 [kvm] kvm_destroy_vcpus+0x67/0x100 [kvm] kvm_arch_destroy_vm+0x161/0x1d0 [kvm] kvm_put_kvm+0x276/0x560 [kvm] kvm_vm_release+0x25/0x30 [kvm] __fput+0x106/0x280 ____fput+0x12/0x20 task_work_run+0x86/0xb0 do_exit+0x2e3/0x9c0 do_group_exit+0xb1/0xc0 __x64_sys_exit_group+0x1b/0x20 do_syscall_64+0x41/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd </TASK> CR2: ffffe38687000000 CVE-2023-54296 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54296.html CVE-2023-54296 https://bugzilla.suse.com/1255793 SUSE Bug 1255793 In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix memory leak after finding block group with super blocks At exclude_super_stripes(), if we happen to find a block group that has super blocks mapped to it and we are on a zoned filesystem, we error out as this is not supposed to happen, indicating either a bug or maybe some memory corruption for example. However we are exiting the function without freeing the memory allocated for the logical address of the super blocks. Fix this by freeing the logical address. CVE-2023-54297 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54297.html CVE-2023-54297 https://bugzilla.suse.com/1255795 SUSE Bug 1255795 In the Linux kernel, the following vulnerability has been resolved: usb: typec: bus: verify partner exists in typec_altmode_attention Some usb hubs will negotiate DisplayPort Alt mode with the device but will then negotiate a data role swap after entering the alt mode. The data role swap causes the device to unregister all alt modes, however the usb hub will still send Attention messages even after failing to reregister the Alt Mode. type_altmode_attention currently does not verify whether or not a device's altmode partner exists, which results in a NULL pointer error when dereferencing the typec_altmode and typec_altmode_ops belonging to the altmode partner. Verify the presence of a device's altmode partner before sending the Attention message to the Alt Mode driver. CVE-2023-54299 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54299.html CVE-2023-54299 https://bugzilla.suse.com/1255789 SUSE Bug 1255789 In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx For the reasons also described in commit b383e8abed41 ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2023-54300 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54300.html CVE-2023-54300 https://bugzilla.suse.com/1255790 SUSE Bug 1255790 In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix data race on CQP completion stats CQP completion statistics is read lockesly in irdma_wait_event and irdma_check_cqp_progress while it can be updated in the completion thread irdma_sc_ccq_get_cqe_info on another CPU as KCSAN reports. Make completion statistics an atomic variable to reflect coherent updates to it. This will also avoid load/store tearing logic bug potentially possible by compiler optimizations. [77346.170861] BUG: KCSAN: data-race in irdma_handle_cqp_op [irdma] / irdma_sc_ccq_get_cqe_info [irdma] [77346.171383] write to 0xffff8a3250b108e0 of 8 bytes by task 9544 on cpu 4: [77346.171483] irdma_sc_ccq_get_cqe_info+0x27a/0x370 [irdma] [77346.171658] irdma_cqp_ce_handler+0x164/0x270 [irdma] [77346.171835] cqp_compl_worker+0x1b/0x20 [irdma] [77346.172009] process_one_work+0x4d1/0xa40 [77346.172024] worker_thread+0x319/0x700 [77346.172037] kthread+0x180/0x1b0 [77346.172054] ret_from_fork+0x22/0x30 [77346.172136] read to 0xffff8a3250b108e0 of 8 bytes by task 9838 on cpu 2: [77346.172234] irdma_handle_cqp_op+0xf4/0x4b0 [irdma] [77346.172413] irdma_cqp_aeq_cmd+0x75/0xa0 [irdma] [77346.172592] irdma_create_aeq+0x390/0x45a [irdma] [77346.172769] irdma_rt_init_hw.cold+0x212/0x85d [irdma] [77346.172944] irdma_probe+0x54f/0x620 [irdma] [77346.173122] auxiliary_bus_probe+0x66/0xa0 [77346.173137] really_probe+0x140/0x540 [77346.173154] __driver_probe_device+0xc7/0x220 [77346.173173] driver_probe_device+0x5f/0x140 [77346.173190] __driver_attach+0xf0/0x2c0 [77346.173208] bus_for_each_dev+0xa8/0xf0 [77346.173225] driver_attach+0x29/0x30 [77346.173240] bus_add_driver+0x29c/0x2f0 [77346.173255] driver_register+0x10f/0x1a0 [77346.173272] __auxiliary_driver_register+0xbc/0x140 [77346.173287] irdma_init_module+0x55/0x1000 [irdma] [77346.173460] do_one_initcall+0x7d/0x410 [77346.173475] do_init_module+0x81/0x2c0 [77346.173491] load_module+0x1232/0x12c0 [77346.173506] __do_sys_finit_module+0x101/0x180 [77346.173522] __x64_sys_finit_module+0x3c/0x50 [77346.173538] do_syscall_64+0x39/0x90 [77346.173553] entry_SYSCALL_64_after_hwframe+0x63/0xcd [77346.173634] value changed: 0x0000000000000094 -> 0x0000000000000095 CVE-2023-54302 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54302.html CVE-2023-54302 https://bugzilla.suse.com/1255792 SUSE Bug 1255792 In the Linux kernel, the following vulnerability has been resolved: bpf: Disable preemption in bpf_perf_event_output The nesting protection in bpf_perf_event_output relies on disabled preemption, which is guaranteed for kprobes and tracepoints. However bpf_perf_event_output can be also called from uprobes context through bpf_prog_run_array_sleepable function which disables migration, but keeps preemption enabled. This can cause task to be preempted by another one inside the nesting protection and lead eventually to two tasks using same perf_sample_data buffer and cause crashes like: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: ffffffff82be3eea ... Call Trace: ? __die+0x1f/0x70 ? page_fault_oops+0x176/0x4d0 ? exc_page_fault+0x132/0x230 ? asm_exc_page_fault+0x22/0x30 ? perf_output_sample+0x12b/0x910 ? perf_event_output+0xd0/0x1d0 ? bpf_perf_event_output+0x162/0x1d0 ? bpf_prog_c6271286d9a4c938_krava1+0x76/0x87 ? __uprobe_perf_func+0x12b/0x540 ? uprobe_dispatcher+0x2c4/0x430 ? uprobe_notify_resume+0x2da/0xce0 ? atomic_notifier_call_chain+0x7b/0x110 ? exit_to_user_mode_prepare+0x13e/0x290 ? irqentry_exit_to_user_mode+0x5/0x30 ? asm_exc_int3+0x35/0x40 Fixing this by disabling preemption in bpf_perf_event_output. CVE-2023-54303 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54303.html CVE-2023-54303 https://bugzilla.suse.com/1255785 SUSE Bug 1255785 In the Linux kernel, the following vulnerability has been resolved: firmware: meson_sm: fix to avoid potential NULL pointer dereference of_match_device() may fail and returns a NULL pointer. Fix this by checking the return value of of_match_device. CVE-2023-54304 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54304.html CVE-2023-54304 https://bugzilla.suse.com/1255786 SUSE Bug 1255786 In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation /dev/vtpmx is made visible before 'workqueue' is initialized, which can lead to a memory corruption in the worst case scenario. Address this by initializing 'workqueue' as the very first step of the driver initialization. CVE-2023-54309 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54309.html CVE-2023-54309 https://bugzilla.suse.com/1255780 SUSE Bug 1255780 In the Linux kernel, the following vulnerability has been resolved: samples/bpf: Fix buffer overflow in tcp_basertt Using sizeof(nv) or strlen(nv)+1 is correct. CVE-2023-54312 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54312.html CVE-2023-54312 https://bugzilla.suse.com/1255774 SUSE Bug 1255774 In the Linux kernel, the following vulnerability has been resolved: ovl: fix null pointer dereference in ovl_get_acl_rcu() Following process: P1 P2 path_openat link_path_walk may_lookup inode_permission(rcu) ovl_permission acl_permission_check check_acl get_cached_acl_rcu ovl_get_inode_acl realinode = ovl_inode_real(ovl_inode) drop_cache __dentry_kill(ovl_dentry) iput(ovl_inode) ovl_destroy_inode(ovl_inode) dput(oi->__upperdentry) dentry_kill(upperdentry) dentry_unlink_inode upperdentry->d_inode = NULL ovl_inode_upper upperdentry = ovl_i_dentry_upper(ovl_inode) d_inode(upperdentry) // returns NULL IS_POSIXACL(realinode) // NULL pointer dereference , will trigger an null pointer dereference at realinode: [ 205.472797] BUG: kernel NULL pointer dereference, address: 0000000000000028 [ 205.476701] CPU: 2 PID: 2713 Comm: ls Not tainted 6.3.0-12064-g2edfa098e750-dirty #1216 [ 205.478754] RIP: 0010:do_ovl_get_acl+0x5d/0x300 [ 205.489584] Call Trace: [ 205.489812] <TASK> [ 205.490014] ovl_get_inode_acl+0x26/0x30 [ 205.490466] get_cached_acl_rcu+0x61/0xa0 [ 205.490908] generic_permission+0x1bf/0x4e0 [ 205.491447] ovl_permission+0x79/0x1b0 [ 205.491917] inode_permission+0x15e/0x2c0 [ 205.492425] link_path_walk+0x115/0x550 [ 205.493311] path_lookupat.isra.0+0xb2/0x200 [ 205.493803] filename_lookup+0xda/0x240 [ 205.495747] vfs_fstatat+0x7b/0xb0 Fetch a reproducer in [Link]. Use the helper ovl_i_path_realinode() to get realinode and then do non-nullptr checking. CVE-2023-54313 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54313.html CVE-2023-54313 https://bugzilla.suse.com/1255775 SUSE Bug 1255775 In the Linux kernel, the following vulnerability has been resolved: media: af9005: Fix null-ptr-deref in af9005_i2c_xfer In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9005_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") CVE-2023-54314 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54314.html CVE-2023-54314 https://bugzilla.suse.com/1255776 SUSE Bug 1255776 In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/sriov: perform null check on iov before dereferencing iov Currently pointer iov is being dereferenced before the null check of iov which can lead to null pointer dereference errors. Fix this by moving the iov null check before the dereferencing. Detected using cppcheck static analysis: linux/arch/powerpc/platforms/powernv/pci-sriov.c:597:12: warning: Either the condition '!iov' is redundant or there is possible null pointer dereference: iov. [nullPointerRedundantCheck] num_vfs = iov->num_vfs; ^ CVE-2023-54315 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54315.html CVE-2023-54315 https://bugzilla.suse.com/1255769 SUSE Bug 1255769 In the Linux kernel, the following vulnerability has been resolved: refscale: Fix uninitalized use of wait_queue_head_t Running the refscale test occasionally crashes the kernel with the following error: [ 8569.952896] BUG: unable to handle page fault for address: ffffffffffffffe8 [ 8569.952900] #PF: supervisor read access in kernel mode [ 8569.952902] #PF: error_code(0x0000) - not-present page [ 8569.952904] PGD c4b048067 P4D c4b049067 PUD c4b04b067 PMD 0 [ 8569.952910] Oops: 0000 [#1] PREEMPT_RT SMP NOPTI [ 8569.952916] Hardware name: Dell Inc. PowerEdge R750/0WMWCR, BIOS 1.2.4 05/28/2021 [ 8569.952917] RIP: 0010:prepare_to_wait_event+0x101/0x190 : [ 8569.952940] Call Trace: [ 8569.952941] <TASK> [ 8569.952944] ref_scale_reader+0x380/0x4a0 [refscale] [ 8569.952959] kthread+0x10e/0x130 [ 8569.952966] ret_from_fork+0x1f/0x30 [ 8569.952973] </TASK> The likely cause is that init_waitqueue_head() is called after the call to the torture_create_kthread() function that creates the ref_scale_reader kthread. Although this init_waitqueue_head() call will very likely complete before this kthread is created and starts running, it is possible that the calling kthread will be delayed between the calls to torture_create_kthread() and init_waitqueue_head(). In this case, the new kthread will use the waitqueue head before it is properly initialized, which is not good for the kernel's health and well-being. The above crash happened here: static inline void __add_wait_queue(...) { : if (!(wq->flags & WQ_FLAG_PRIORITY)) <=== Crash here The offset of flags from list_head entry in wait_queue_entry is -0x18. If reader_tasks[i].wq.head.next is NULL as allocated reader_task structure is zero initialized, the instruction will try to access address 0xffffffffffffffe8, which is exactly the fault address listed above. This commit therefore invokes init_waitqueue_head() before creating the kthread. CVE-2023-54316 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54316.html CVE-2023-54316 https://bugzilla.suse.com/1255770 SUSE Bug 1255770 In the Linux kernel, the following vulnerability has been resolved: net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add While doing smcr_port_add, there maybe linkgroup add into or delete from smc_lgr_list.list at the same time, which may result kernel crash. So, use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add. The crash calltrace show below: BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 0 PID: 559726 Comm: kworker/0:92 Kdump: loaded Tainted: G Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 449e491 04/01/2014 Workqueue: events smc_ib_port_event_work [smc] RIP: 0010:smcr_port_add+0xa6/0xf0 [smc] RSP: 0000:ffffa5a2c8f67de0 EFLAGS: 00010297 RAX: 0000000000000001 RBX: ffff9935e0650000 RCX: 0000000000000000 RDX: 0000000000000010 RSI: ffff9935e0654290 RDI: ffff9935c8560000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff9934c0401918 R10: 0000000000000000 R11: ffffffffb4a5c278 R12: ffff99364029aae4 R13: ffff99364029aa00 R14: 00000000ffffffed R15: ffff99364029ab08 FS: 0000000000000000(0000) GS:ffff994380600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000f06a10003 CR4: 0000000002770ef0 PKRU: 55555554 Call Trace: smc_ib_port_event_work+0x18f/0x380 [smc] process_one_work+0x19b/0x340 worker_thread+0x30/0x370 ? process_one_work+0x340/0x340 kthread+0x114/0x130 ? __kthread_cancel_work+0x50/0x50 ret_from_fork+0x1f/0x30 CVE-2023-54318 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54318.html CVE-2023-54318 https://bugzilla.suse.com/1255772 SUSE Bug 1255772 In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91-pio4: check return value of devm_kasprintf() devm_kasprintf() returns a pointer to dynamically allocated memory. Pointer could be NULL in case allocation fails. Check pointer validity. Identified with coccinelle (kmerr.cocci script). Depends-on: 1c4e5c470a56 ("pinctrl: at91: use devm_kasprintf() to avoid potential leaks") Depends-on: 5a8f9cf269e8 ("pinctrl: at91-pio4: use proper format specifier for unsigned int") CVE-2023-54319 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54319.html CVE-2023-54319 https://bugzilla.suse.com/1255760 SUSE Bug 1255760 In the Linux kernel, the following vulnerability has been resolved: arm64: set __exception_irq_entry with __irq_entry as a default filter_irq_stacks() is supposed to cut entries which are related irq entries from its call stack. And in_irqentry_text() which is called by filter_irq_stacks() uses __irqentry_text_start/end symbol to find irq entries in callstack. But it doesn't work correctly as without "CONFIG_FUNCTION_GRAPH_TRACER", arm64 kernel doesn't include gic_handle_irq which is entry point of arm64 irq between __irqentry_text_start and __irqentry_text_end as we discussed in below link. https://lore.kernel.org/all/CACT4Y+aReMGLYua2rCLHgFpS9io5cZC04Q8GLs-uNmrn1ezxYQ@mail.gmail.com/#t This problem can makes unintentional deep call stack entries especially in KASAN enabled situation as below. [ 2479.383395]I[0:launcher-loader: 1719] Stack depot reached limit capacity [ 2479.383538]I[0:launcher-loader: 1719] WARNING: CPU: 0 PID: 1719 at lib/stackdepot.c:129 __stack_depot_save+0x464/0x46c [ 2479.385693]I[0:launcher-loader: 1719] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) [ 2479.385724]I[0:launcher-loader: 1719] pc : __stack_depot_save+0x464/0x46c [ 2479.385751]I[0:launcher-loader: 1719] lr : __stack_depot_save+0x460/0x46c [ 2479.385774]I[0:launcher-loader: 1719] sp : ffffffc0080073c0 [ 2479.385793]I[0:launcher-loader: 1719] x29: ffffffc0080073e0 x28: ffffffd00b78a000 x27: 0000000000000000 [ 2479.385839]I[0:launcher-loader: 1719] x26: 000000000004d1dd x25: ffffff891474f000 x24: 00000000ca64d1dd [ 2479.385882]I[0:launcher-loader: 1719] x23: 0000000000000200 x22: 0000000000000220 x21: 0000000000000040 [ 2479.385925]I[0:launcher-loader: 1719] x20: ffffffc008007440 x19: 0000000000000000 x18: 0000000000000000 [ 2479.385969]I[0:launcher-loader: 1719] x17: 2065726568207475 x16: 000000000000005e x15: 2d2d2d2d2d2d2d20 [ 2479.386013]I[0:launcher-loader: 1719] x14: 5d39313731203a72 x13: 00000000002f6b30 x12: 00000000002f6af8 [ 2479.386057]I[0:launcher-loader: 1719] x11: 00000000ffffffff x10: ffffffb90aacf000 x9 : e8a74a6c16008800 [ 2479.386101]I[0:launcher-loader: 1719] x8 : e8a74a6c16008800 x7 : 00000000002f6b30 x6 : 00000000002f6af8 [ 2479.386145]I[0:launcher-loader: 1719] x5 : ffffffc0080070c8 x4 : ffffffd00b192380 x3 : ffffffd0092b313c [ 2479.386189]I[0:launcher-loader: 1719] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000022 [ 2479.386231]I[0:launcher-loader: 1719] Call trace: [ 2479.386248]I[0:launcher-loader: 1719] __stack_depot_save+0x464/0x46c [ 2479.386273]I[0:launcher-loader: 1719] kasan_save_stack+0x58/0x70 [ 2479.386303]I[0:launcher-loader: 1719] save_stack_info+0x34/0x138 [ 2479.386331]I[0:launcher-loader: 1719] kasan_save_free_info+0x18/0x24 [ 2479.386358]I[0:launcher-loader: 1719] ____kasan_slab_free+0x16c/0x170 [ 2479.386385]I[0:launcher-loader: 1719] __kasan_slab_free+0x10/0x20 [ 2479.386410]I[0:launcher-loader: 1719] kmem_cache_free+0x238/0x53c [ 2479.386435]I[0:launcher-loader: 1719] mempool_free_slab+0x1c/0x28 [ 2479.386460]I[0:launcher-loader: 1719] mempool_free+0x7c/0x1a0 [ 2479.386484]I[0:launcher-loader: 1719] bvec_free+0x34/0x80 [ 2479.386514]I[0:launcher-loader: 1719] bio_free+0x60/0x98 [ 2479.386540]I[0:launcher-loader: 1719] bio_put+0x50/0x21c [ 2479.386567]I[0:launcher-loader: 1719] f2fs_write_end_io+0x4ac/0x4d0 [ 2479.386594]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386622]I[0:launcher-loader: 1719] __dm_io_complete+0x324/0x37c [ 2479.386650]I[0:launcher-loader: 1719] dm_io_dec_pending+0x60/0xa4 [ 2479.386676]I[0:launcher-loader: 1719] clone_endio+0xf8/0x2f0 [ 2479.386700]I[0:launcher-loader: 1719] bio_endio+0x2dc/0x300 [ 2479.386727]I[0:launcher-loader: 1719] blk_update_request+0x258/0x63c [ 2479.386754]I[0:launcher-loader: 1719] scsi_end_request+0x50/0x304 [ 2479.386782]I[0:launcher-loader: 1719] scsi_io_completion+0x88/0x160 [ 2479.386808]I[0:launcher-loader: 1719] scsi_finish_command+0x17c/0x194 [ 2479.386833]I ---truncated--- CVE-2023-54322 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54322.html CVE-2023-54322 https://bugzilla.suse.com/1255763 SUSE Bug 1255763 In the Linux kernel, the following vulnerability has been resolved: dm: fix a race condition in retrieve_deps There's a race condition in the multipath target when retrieve_deps races with multipath_message calling dm_get_device and dm_put_device. retrieve_deps walks the list of open devices without holding any lock but multipath may add or remove devices to the list while it is running. The end result may be memory corruption or use-after-free memory access. See this description of a UAF with multipath_message(): https://listman.redhat.com/archives/dm-devel/2022-October/052373.html Fix this bug by introducing a new rw semaphore "devices_lock". We grab devices_lock for read in retrieve_deps and we grab it for write in dm_get_device and dm_put_device. CVE-2023-54324 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54324.html CVE-2023-54324 https://bugzilla.suse.com/1255759 SUSE Bug 1255759 In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Free IRQs before removing the device In pci_endpoint_test_remove(), freeing the IRQs after removing the device creates a small race window for IRQs to be received with the test device memory already released, causing the IRQ handler to access invalid memory, resulting in an oops. Free the device IRQs before removing the device to avoid this issue. CVE-2023-54326 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2023-54326.html CVE-2023-54326 https://bugzilla.suse.com/1255758 SUSE Bug 1255758 In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free in do_zone_finish() Shinichiro reported the following use-after-free triggered by the device replace operation in fstests btrfs/070. BTRFS info (device nullb1): scrub: finished on devid 1 with status: 0 ================================================================== BUG: KASAN: slab-use-after-free in do_zone_finish+0x91a/0xb90 [btrfs] Read of size 8 at addr ffff8881543c8060 by task btrfs-cleaner/3494007 CPU: 0 PID: 3494007 Comm: btrfs-cleaner Tainted: G W 6.8.0-rc5-kts #1 Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020 Call Trace: <TASK> dump_stack_lvl+0x5b/0x90 print_report+0xcf/0x670 ? __virt_addr_valid+0x200/0x3e0 kasan_report+0xd8/0x110 ? do_zone_finish+0x91a/0xb90 [btrfs] ? do_zone_finish+0x91a/0xb90 [btrfs] do_zone_finish+0x91a/0xb90 [btrfs] btrfs_delete_unused_bgs+0x5e1/0x1750 [btrfs] ? __pfx_btrfs_delete_unused_bgs+0x10/0x10 [btrfs] ? btrfs_put_root+0x2d/0x220 [btrfs] ? btrfs_clean_one_deleted_snapshot+0x299/0x430 [btrfs] cleaner_kthread+0x21e/0x380 [btrfs] ? __pfx_cleaner_kthread+0x10/0x10 [btrfs] kthread+0x2e3/0x3c0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x31/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 </TASK> Allocated by task 3493983: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_kmalloc+0xaa/0xb0 btrfs_alloc_device+0xb3/0x4e0 [btrfs] device_list_add.constprop.0+0x993/0x1630 [btrfs] btrfs_scan_one_device+0x219/0x3d0 [btrfs] btrfs_control_ioctl+0x26e/0x310 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 3494056: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3f/0x60 poison_slab_object+0x102/0x170 __kasan_slab_free+0x32/0x70 kfree+0x11b/0x320 btrfs_rm_dev_replace_free_srcdev+0xca/0x280 [btrfs] btrfs_dev_replace_finishing+0xd7e/0x14f0 [btrfs] btrfs_dev_replace_by_ioctl+0x1286/0x25a0 [btrfs] btrfs_ioctl+0xb27/0x57d0 [btrfs] __x64_sys_ioctl+0x134/0x1b0 do_syscall_64+0x99/0x190 entry_SYSCALL_64_after_hwframe+0x6e/0x76 The buggy address belongs to the object at ffff8881543c8000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 96 bytes inside of freed 1024-byte region [ffff8881543c8000, ffff8881543c8400) The buggy address belongs to the physical page: page:00000000fe2c1285 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1543c8 head:00000000fe2c1285 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000840(slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000840 ffff888100042dc0 ffffea0019e8f200 dead000000000002 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881543c7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881543c7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8881543c8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881543c8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881543c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb This UAF happens because we're accessing stale zone information of a already removed btrfs_device in do_zone_finish(). The sequence of events is as follows: btrfs_dev_replace_start btrfs_scrub_dev btrfs_dev_replace_finishing btrfs_dev_replace_update_device_in_mapping_tree <-- devices replaced btrfs_rm_dev_replace_free_srcdev btrfs_free_device <-- device freed cleaner_kthread btrfs_delete_unused_bgs btrfs_zone_finish do_zone_finish <-- refers the freed device The reason for this is that we're using a ---truncated--- CVE-2024-26944 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2024-26944.html CVE-2024-26944 https://bugzilla.suse.com/1223731 SUSE Bug 1223731 In the Linux kernel, the following vulnerability has been resolved: interconnect: Don't access req_list while it's being manipulated The icc_lock mutex was split into separate icc_lock and icc_bw_lock mutexes in [1] to avoid lockdep splats. However, this didn't adequately protect access to icc_node::req_list. The icc_set_bw() function will eventually iterate over req_list while only holding icc_bw_lock, but req_list can be modified while only holding icc_lock. This causes races between icc_set_bw(), of_icc_get(), and icc_put(). Example A: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); icc_put(path_b) mutex_lock(&icc_lock); aggregate_requests() hlist_for_each_entry(r, ... hlist_del(... <r = invalid pointer> Example B: CPU0 CPU1 ---- ---- icc_set_bw(path_a) mutex_lock(&icc_bw_lock); path_b = of_icc_get() of_icc_get_by_index() mutex_lock(&icc_lock); path_find() path_init() aggregate_requests() hlist_for_each_entry(r, ... hlist_add_head(... <r = invalid pointer> Fix this by ensuring icc_bw_lock is always held before manipulating icc_node::req_list. The additional places icc_bw_lock is held don't perform any memory allocations, so we should still be safe from the original lockdep splats that motivated the separate locks. [1] commit af42269c3523 ("interconnect: Fix locking for runpm vs reclaim") CVE-2024-27005 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2024-27005.html CVE-2024-27005 https://bugzilla.suse.com/1223800 SUSE Bug 1223800 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix adding block group to a reclaim list and the unused list during reclaim There is a potential parallel list adding for retrying in btrfs_reclaim_bgs_work and adding to the unused list. Since the block group is removed from the reclaim list and it is on a relocation work, it can be added into the unused list in parallel. When that happens, adding it to the reclaim list will corrupt the list head and trigger list corruption like below. Fix it by taking fs_info->unused_bgs_lock. [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104 [177.514][T2585409] list_del corruption. next->prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0) [177.529][T2585409] ------------[ cut here ]------------ [177.537][T2585409] kernel BUG at lib/list_debug.c:65! [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G W 6.10.0-rc5-kts #1 [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022 [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs] [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72 [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286 [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000 [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40 [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08 [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0 [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000 [177.687][T2585409] FS: 0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000 [177.700][T2585409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0 [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000 [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400 [177.742][T2585409] PKRU: 55555554 [177.748][T2585409] Call Trace: [177.753][T2585409] <TASK> [177.759][T2585409] ? __die_body.cold+0x19/0x27 [177.766][T2585409] ? die+0x2e/0x50 [177.772][T2585409] ? do_trap+0x1ea/0x2d0 [177.779][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.788][T2585409] ? do_error_trap+0xa3/0x160 [177.795][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.805][T2585409] ? handle_invalid_op+0x2c/0x40 [177.812][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.820][T2585409] ? exc_invalid_op+0x2d/0x40 [177.827][T2585409] ? asm_exc_invalid_op+0x1a/0x20 [177.834][T2585409] ? __list_del_entry_valid_or_report.cold+0x70/0x72 [177.843][T2585409] btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs] There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is safe, AFAICS. Since the block group was in the unused list, the used bytes should be 0 when it was added to the unused list. Then, it checks block_group->{used,reserved,pinned} are still 0 under the block_group->lock. So, they should be still eligible for the unused list, not the reclaim list. The reason it is safe there it's because because we're holding space_info->groups_sem in write mode. That means no other task can allocate from the block group, so while we are at deleted_unused_bgs() it's not possible for other tasks to allocate and deallocate extents from the block group, so it can't be added to the unused list or the reclaim list by anyone else. The bug can be reproduced by btrfs/166 after a few rounds. In practice this can be hit when relocation cannot find more chunk space and ends with ENOSPC. CVE-2024-42103 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2024-42103.html CVE-2024-42103 https://bugzilla.suse.com/1228490 SUSE Bug 1228490 In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: fix fault at system suspend if device was already runtime suspended If the device was already runtime suspended then during system suspend we cannot access the device registers else it will crash. Also we cannot access any registers after dwc3_core_exit() on some platforms so move the dwc3_enable_susphy() call to the top. CVE-2024-53070 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2024-53070.html CVE-2024-53070 https://bugzilla.suse.com/1233563 SUSE Bug 1233563 In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: glink: fix off-by-one in connector_status UCSI connector's indices start from 1 up to 3, PMIC_GLINK_MAX_PORTS. Correct the condition in the pmic_glink_ucsi_connector_status() callback, fixing Type-C orientation reporting for the third USB-C connector. CVE-2024-53149 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2024-53149.html CVE-2024-53149 https://bugzilla.suse.com/1234842 SUSE Bug 1234842 In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix __apply_microcode_amd()'s return value When verify_sha256_digest() fails, __apply_microcode_amd() should propagate the failure by returning false (and not -1 which is promoted to true). CVE-2025-22047 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-22047.html CVE-2025-22047 https://bugzilla.suse.com/1241437 SUSE Bug 1241437 In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix invalid pointer dereference in Etron workaround This check is performed before prepare_transfer() and prepare_ring(), so enqueue can already point at the final link TRB of a segment. And indeed it will, some 0.4% of times this code is called. Then enqueue + 1 is an invalid pointer. It will crash the kernel right away or load some junk which may look like a link TRB and cause the real link TRB to be replaced with a NOOP. This wouldn't end well. Use a functionally equivalent test which doesn't dereference the pointer and always gives correct result. Something has crashed my machine twice in recent days while playing with an Etron HC, and a control transfer stress test ran for confirmation has just crashed it again. The same test passes with this patch applied. CVE-2025-37813 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-37813.html CVE-2025-37813 https://bugzilla.suse.com/1242909 SUSE Bug 1242909 In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid inode pointer dereferences during log replay In a few places where we call read_one_inode(), if we get a NULL pointer we end up jumping into an error path, or fallthrough in case of __add_inode_ref(), where we then do something like this: iput(&inode->vfs_inode); which results in an invalid inode pointer that triggers an invalid memory access, resulting in a crash. Fix this by making sure we don't do such dereferences. CVE-2025-38243 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38243.html CVE-2025-38243 https://bugzilla.suse.com/1246184 SUSE Bug 1246184 In the Linux kernel, the following vulnerability has been resolved: smb: Log an error when close_all_cached_dirs fails Under low-memory conditions, close_all_cached_dirs() can't move the dentries to a separate list to dput() them once the locks are dropped. This will result in a "Dentry still in use" error, so add an error message that makes it clear this is what happened: [ 495.281119] CIFS: VFS: \\otters.example.com\share Out of memory while dropping dentries [ 495.281595] ------------[ cut here ]------------ [ 495.281887] BUG: Dentry ffff888115531138{i=78,n=/} still in use (2) [unmount of cifs cifs] [ 495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0 Also, bail out of looping through all tcons as soon as a single allocation fails, since we're already in trouble, and kmalloc() attempts for subseqeuent tcons are likely to fail just like the first one did. CVE-2025-38321 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38321.html CVE-2025-38321 https://bugzilla.suse.com/1246328 SUSE Bug 1246328 In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. CVE-2025-38322 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38322.html CVE-2025-38322 https://bugzilla.suse.com/1246447 SUSE Bug 1246447 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix warning when reconnecting channel When reconnecting a channel in smb2_reconnect_server(), a dummy tcon is passed down to smb2_reconnect() with ->query_interface uninitialized, so we can't call queue_delayed_work() on it. Fix the following warning by ensuring that we're queueing the delayed worker from correct tcon. WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200 Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__queue_delayed_work+0x1d2/0x200 Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00 00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe ff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9 RSP: 0018:ffffc900014afad8 EFLAGS: 00010003 RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1 RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0 RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331 R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040 R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020 FS: 0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> queue_delayed_work_on+0xb4/0xc0 smb2_reconnect+0xb22/0xf50 [cifs] smb2_reconnect_server+0x413/0xd40 [cifs] ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs] ? local_clock_noinstr+0xd/0xd0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 process_one_work+0x4c5/0xa10 ? __pfx_process_one_work+0x10/0x10 ? __list_add_valid_or_report+0x37/0x120 worker_thread+0x2f1/0x5a0 ? __kthread_parkme+0xde/0x100 ? __pfx_worker_thread+0x10/0x10 kthread+0x1fe/0x380 ? kthread+0x10f/0x380 ? __pfx_kthread+0x10/0x10 ? local_clock_noinstr+0xd/0xd0 ? ret_from_fork+0x1b/0x1f0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 ? rcu_is_watching+0x20/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x15b/0x1f0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 1116206 hardirqs last enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60 hardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0 softirqs last enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs] softirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0 CVE-2025-38379 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38379.html CVE-2025-38379 https://bugzilla.suse.com/1247030 SUSE Bug 1247030 In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. CVE-2025-38539 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38539.html CVE-2025-38539 https://bugzilla.suse.com/1248211 SUSE Bug 1248211 In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: Dell Inc. Precision Tower 3620/0MWYPT, BIOS 2.13.1 06/14/2019 Call Trace: <TASK> dump_stack_lvl+0x9f/0xf0 print_report+0xd1/0x670 __virt_addr_valid+0x22c/0x430 ? parse_server_interfaces+0x14ee/0x1880 [cifs] ? kasan_complete_mode_report_info+0x2a/0x1f0 ? parse_server_interfaces+0x14ee/0x1880 [cifs] kasan_report+0xd6/0x110 parse_server_interfaces+0x14ee/0x1880 [cifs] __asan_report_load_n_noabort+0x13/0x20 parse_server_interfaces+0x14ee/0x1880 [cifs] ? __pfx_parse_server_interfaces+0x10/0x10 [cifs] ? trace_hardirqs_on+0x51/0x60 SMB3_request_interfaces+0x1ad/0x3f0 [cifs] ? __pfx_SMB3_request_interfaces+0x10/0x10 [cifs] ? SMB2_tcon+0x23c/0x15d0 [cifs] smb3_qfs_tcon+0x173/0x2b0 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] ? cifs_get_tcon+0x105d/0x2120 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_get_tcon+0x105d/0x2120 [cifs] ? __pfx_smb3_qfs_tcon+0x10/0x10 [cifs] cifs_mount_get_tcon+0x369/0xb90 [cifs] ? dfs_cache_find+0xe7/0x150 [cifs] dfs_mount_share+0x985/0x2970 [cifs] ? check_path.constprop.0+0x28/0x50 ? save_trace+0x54/0x370 ? __pfx_dfs_mount_share+0x10/0x10 [cifs] ? __lock_acquire+0xb82/0x2ba0 ? __kasan_check_write+0x18/0x20 cifs_mount+0xbc/0x9e0 [cifs] ? __pfx_cifs_mount+0x10/0x10 [cifs] ? do_raw_spin_unlock+0x5d/0x200 ? cifs_setup_cifs_sb+0x29d/0x810 [cifs] cifs_smb3_do_mount+0x263/0x1990 [cifs] CVE-2025-38728 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-38728.html CVE-2025-38728 https://bugzilla.suse.com/1249256 SUSE Bug 1249256 In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the filter hashes. This is problematic because this pointer is static across function calls that release the locks that can update the global tracer hashes. This can cause UAF and similar bugs. Allocate and copy the hash for reading the filter files like it is done for the writers. This not only fixes UAF bugs, but also makes the code a bit simpler as it doesn't have to differentiate when to free the iterator's hash between writers and readers. CVE-2025-39689 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39689.html CVE-2025-39689 https://bugzilla.suse.com/1249307 SUSE Bug 1249307 In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race condition. The issue occurs because: CPU0 (ftrace_dump) CPU1 (reader) echo z > /proc/sysrq-trigger !trace_empty(&iter) trace_iterator_reset(&iter) <- len = size = 0 cat /sys/kernel/tracing/trace_pipe trace_find_next_entry_inc(&iter) __find_next_entry ring_buffer_empty_cpu <- all empty return NULL trace_printk_seq(&iter.seq) WARN_ON_ONCE(s->seq.len >= s->seq.size) In the context between trace_empty() and trace_find_next_entry_inc() during ftrace_dump, the ring buffer data was consumed by other readers. This caused trace_find_next_entry_inc to return NULL, failing to populate `iter.seq`. At this point, due to the prior trace_iterator_reset, both `iter.seq.len` and `iter.seq.size` were set to 0. Since they are equal, the WARN_ON_ONCE condition is triggered. Move the trace_printk_seq() into the if block that checks to make sure the return value of trace_find_next_entry_inc() is non-NULL in ftrace_dump_one(), ensuring the 'iter.seq' is properly populated before subsequent operations. CVE-2025-39813 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39813.html CVE-2025-39813 https://bugzilla.suse.com/1250032 SUSE Bug 1250032 In the Linux kernel, the following vulnerability has been resolved: trace/fgraph: Fix the warning caused by missing unregister notifier This warning was triggered during testing on v6.16: notifier callback ftrace_suspend_notifier_call already registered WARNING: CPU: 2 PID: 86 at kernel/notifier.c:23 notifier_chain_register+0x44/0xb0 ... Call Trace: <TASK> blocking_notifier_chain_register+0x34/0x60 register_ftrace_graph+0x330/0x410 ftrace_profile_write+0x1e9/0x340 vfs_write+0xf8/0x420 ? filp_flush+0x8a/0xa0 ? filp_close+0x1f/0x30 ? do_dup2+0xaf/0x160 ksys_write+0x65/0xe0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f When writing to the function_profile_enabled interface, the notifier was not unregistered after start_graph_tracing failed, causing a warning the next time function_profile_enabled was written. Fixed by adding unregister_pm_notifier in the exception path. CVE-2025-39829 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39829.html CVE-2025-39829 https://bugzilla.suse.com/1250082 SUSE Bug 1250082 In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps with con->v2.out_iter, so such a read is almost guaranteed to return a bogus value instead of 0 when msgr2 is in use. This ends up being fairly benign because the side effect is just the invalidation of the authorizer and successive fetching of new tickets. con->v1.connect_seq overlaps with con->v2.conn_bufs and the fact that it's being written to can cause more serious consequences, but luckily it's not something that happens often. CVE-2025-39880 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39880.html CVE-2025-39880 https://bugzilla.suse.com/1250388 SUSE Bug 1250388 In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps is not freed in the failure case, causing a memory leak. The following trace is observed in kmemleak: unreferenced object 0xffff8b3eb5789c00 (size 1024): comm "softirq", pid 0, jiffies 4294942577 hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{... 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8.. backtrace (crc 44e1c357): __kmalloc_noprof+0x30b/0x410 ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k] ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k] ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k] ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k] ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k] ath12k_ce_recv_process_cb+0x218/0x300 [ath12k] ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k] process_one_work+0x219/0x680 bh_worker+0x198/0x1f0 tasklet_action+0x13/0x30 handle_softirqs+0xca/0x460 __irq_exit_rcu+0xbe/0x110 irq_exit_rcu+0x9/0x30 Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 CVE-2025-39890 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39890.html CVE-2025-39890 https://bugzilla.suse.com/1250334 SUSE Bug 1250334 https://bugzilla.suse.com/1250488 SUSE Bug 1250488 In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. syzbot reported the splat below. [0] The repro does the following: 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes) 2. Attach the prog to a SOCKMAP 3. Add a socket to the SOCKMAP 4. Activate fault injection 5. Send data less than cork_bytes At 5., the data is carried over to the next sendmsg() as it is smaller than the cork_bytes specified by bpf_msg_cork_bytes(). Then, tcp_bpf_send_verdict() tries to allocate psock->cork to hold the data, but this fails silently due to fault injection + __GFP_NOWARN. If the allocation fails, we need to revert the sk->sk_forward_alloc change done by sk_msg_alloc(). Let's call sk_msg_free() when tcp_bpf_send_verdict fails to allocate psock->cork. The "*copied" also needs to be updated such that a proper error can be returned to the caller, sendmsg. It fails to allocate psock->cork. Nothing has been corked so far, so this patch simply sets "*copied" to 0. [0]: WARNING: net/ipv4/af_inet.c:156 at inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156, CPU#1: syz-executor/5983 Modules linked in: CPU: 1 UID: 0 PID: 5983 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:inet_sock_destruct+0x623/0x730 net/ipv4/af_inet.c:156 Code: 0f 0b 90 e9 62 fe ff ff e8 7a db b5 f7 90 0f 0b 90 e9 95 fe ff ff e8 6c db b5 f7 90 0f 0b 90 e9 bb fe ff ff e8 5e db b5 f7 90 <0f> 0b 90 e9 e1 fe ff ff 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 9f fc RSP: 0018:ffffc90000a08b48 EFLAGS: 00010246 RAX: ffffffff8a09d0b2 RBX: dffffc0000000000 RCX: ffff888024a23c80 RDX: 0000000000000100 RSI: 0000000000000fff RDI: 0000000000000000 RBP: 0000000000000fff R08: ffff88807e07c627 R09: 1ffff1100fc0f8c4 R10: dffffc0000000000 R11: ffffed100fc0f8c5 R12: ffff88807e07c380 R13: dffffc0000000000 R14: ffff88807e07c60c R15: 1ffff1100fc0f872 FS: 00005555604c4500(0000) GS:ffff888125af1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005555604df5c8 CR3: 0000000032b06000 CR4: 00000000003526f0 Call Trace: <IRQ> __sk_destruct+0x86/0x660 net/core/sock.c:2339 rcu_do_batch kernel/rcu/tree.c:2605 [inline] rcu_core+0xca8/0x1770 kernel/rcu/tree.c:2861 handle_softirqs+0x286/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052 </IRQ> CVE-2025-39913 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39913.html CVE-2025-39913 https://bugzilla.suse.com/1250705 SUSE Bug 1250705 In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wakes T1 * futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED futex_hash_put() // back to userland, on stack futex_q is garbage /* back */ wake_up_state(q->task, TASK_NORMAL); In this scenario futex_wait_requeue_pi() is able to leave without using futex_q::lock_ptr for synchronization. This can be prevented by reading futex_q::task before updating the futex_q::requeue_state. A reference on the task_struct is not needed because requeue_pi_wake_futex() is invoked with a spinlock_t held which implies a RCU read section. Even if T1 terminates immediately after, the task_struct will remain valid during T2's wake_up_state(). A READ_ONCE on futex_q::task before futex_requeue_pi_complete() is enough because it ensures that the variable is read before the state is updated. Read futex_q::task before updating the requeue state, use it for the following wakeup. CVE-2025-39977 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-39977.html CVE-2025-39977 https://bugzilla.suse.com/1252046 SUSE Bug 1252046 https://bugzilla.suse.com/1252048 SUSE Bug 1252048 In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix folio is still mapped when deleted Migration may be raced with fallocating hole. remove_inode_single_folio will unmap the folio if the folio is still mapped. However, it's called without folio lock. If the folio is migrated and the mapped pte has been converted to migration entry, folio_mapped() returns false, and won't unmap it. Due to extra refcount held by remove_inode_single_folio, migration fails, restores migration entry to normal pte, and the folio is mapped again. As a result, we triggered BUG in filemap_unaccount_folio. The log is as follows: BUG: Bad page cache in process hugetlb pfn:156c00 page: refcount:515 mapcount:0 mapping:0000000099fef6e1 index:0x0 pfn:0x156c00 head: order:9 mapcount:1 entire_mapcount:1 nr_pages_mapped:0 pincount:0 aops:hugetlbfs_aops ino:dcc dentry name(?):"my_hugepage_file" flags: 0x17ffffc00000c1(locked|waiters|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: f4(hugetlb) page dumped because: still mapped when deleted CPU: 1 UID: 0 PID: 395 Comm: hugetlb Not tainted 6.17.0-rc5-00044-g7aac71907bde-dirty #484 NONE Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x4f/0x70 filemap_unaccount_folio+0xc4/0x1c0 __filemap_remove_folio+0x38/0x1c0 filemap_remove_folio+0x41/0xd0 remove_inode_hugepages+0x142/0x250 hugetlbfs_fallocate+0x471/0x5a0 vfs_fallocate+0x149/0x380 Hold folio lock before checking if the folio is mapped to avold race with migration. CVE-2025-40006 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40006.html CVE-2025-40006 https://bugzilla.suse.com/1252342 SUSE Bug 1252342 In the Linux kernel, the following vulnerability has been resolved: vhost: Take a reference on the task in struct vhost_task. vhost_task_create() creates a task and keeps a reference to its task_struct. That task may exit early via a signal and its task_struct will be released. A pending vhost_task_wake() will then attempt to wake the task and access a task_struct which is no longer there. Acquire a reference on the task_struct while creating the thread and release the reference while the struct vhost_task itself is removed. If the task exits early due to a signal, then the vhost_task_wake() will still access a valid task_struct. The wake is safe and will be skipped in this case. CVE-2025-40024 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40024.html CVE-2025-40024 https://bugzilla.suse.com/1252686 SUSE Bug 1252686 In the Linux kernel, the following vulnerability has been resolved: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable() pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL check, which could lead to a null pointer dereference. Move the pru assignment, ensuring we never dereference a NULL rproc pointer. CVE-2025-40033 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40033.html CVE-2025-40033 https://bugzilla.suse.com/1252824 SUSE Bug 1252824 In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race condition in kprobe initialization causing NULL pointer dereference There is a critical race condition in kprobe initialization that can lead to NULL pointer dereference and kernel crash. [1135630.084782] Unable to handle kernel paging request at virtual address 0000710a04630000 ... [1135630.260314] pstate: 404003c9 (nZcv DAIF +PAN -UAO) [1135630.269239] pc : kprobe_perf_func+0x30/0x260 [1135630.277643] lr : kprobe_dispatcher+0x44/0x60 [1135630.286041] sp : ffffaeff4977fa40 [1135630.293441] x29: ffffaeff4977fa40 x28: ffffaf015340e400 [1135630.302837] x27: 0000000000000000 x26: 0000000000000000 [1135630.312257] x25: ffffaf029ed108a8 x24: ffffaf015340e528 [1135630.321705] x23: ffffaeff4977fc50 x22: ffffaeff4977fc50 [1135630.331154] x21: 0000000000000000 x20: ffffaeff4977fc50 [1135630.340586] x19: ffffaf015340e400 x18: 0000000000000000 [1135630.349985] x17: 0000000000000000 x16: 0000000000000000 [1135630.359285] x15: 0000000000000000 x14: 0000000000000000 [1135630.368445] x13: 0000000000000000 x12: 0000000000000000 [1135630.377473] x11: 0000000000000000 x10: 0000000000000000 [1135630.386411] x9 : 0000000000000000 x8 : 0000000000000000 [1135630.395252] x7 : 0000000000000000 x6 : 0000000000000000 [1135630.403963] x5 : 0000000000000000 x4 : 0000000000000000 [1135630.412545] x3 : 0000710a04630000 x2 : 0000000000000006 [1135630.421021] x1 : ffffaeff4977fc50 x0 : 0000710a04630000 [1135630.429410] Call trace: [1135630.434828] kprobe_perf_func+0x30/0x260 [1135630.441661] kprobe_dispatcher+0x44/0x60 [1135630.448396] aggr_pre_handler+0x70/0xc8 [1135630.454959] kprobe_breakpoint_handler+0x140/0x1e0 [1135630.462435] brk_handler+0xbc/0xd8 [1135630.468437] do_debug_exception+0x84/0x138 [1135630.475074] el1_dbg+0x18/0x8c [1135630.480582] security_file_permission+0x0/0xd0 [1135630.487426] vfs_write+0x70/0x1c0 [1135630.493059] ksys_write+0x5c/0xc8 [1135630.498638] __arm64_sys_write+0x24/0x30 [1135630.504821] el0_svc_common+0x78/0x130 [1135630.510838] el0_svc_handler+0x38/0x78 [1135630.516834] el0_svc+0x8/0x1b0 kernel/trace/trace_kprobe.c: 1308 0xffff3df8995039ec <kprobe_perf_func+0x2c>: ldr x21, [x24,#120] include/linux/compiler.h: 294 0xffff3df8995039f0 <kprobe_perf_func+0x30>: ldr x1, [x21,x0] kernel/trace/trace_kprobe.c 1308: head = this_cpu_ptr(call->perf_events); 1309: if (hlist_empty(head)) 1310: return 0; crash> struct trace_event_call -o struct trace_event_call { ... [120] struct hlist_head *perf_events; //(call->perf_event) ... } crash> struct trace_event_call ffffaf015340e528 struct trace_event_call { ... perf_events = 0xffff0ad5fa89f088, //this value is correct, but x21 = 0 ... } Race Condition Analysis: The race occurs between kprobe activation and perf_events initialization: CPU0 CPU1 ==== ==== perf_kprobe_init perf_trace_event_init tp_event->perf_events = list;(1) tp_event->class->reg (2)<- KPROBE ACTIVE Debug exception triggers ... kprobe_dispatcher kprobe_perf_func (tk->tp.flags & TP_FLAG_PROFILE) head = this_cpu_ptr(call->perf_events)(3) (perf_events is still NULL) Problem: 1. CPU0 executes (1) assigning tp_event->perf_events = list 2. CPU0 executes (2) enabling kprobe functionality via class->reg() 3. CPU1 triggers and reaches kprobe_dispatcher 4. CPU1 checks TP_FLAG_PROFILE - condition passes (step 2 completed) 5. CPU1 calls kprobe_perf_func() and crashes at (3) because call->perf_events is still NULL CPU1 sees that kprobe functionality is enabled but does not see that perf_events has been assigned. Add pairing read an ---truncated--- CVE-2025-40042 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40042.html CVE-2025-40042 https://bugzilla.suse.com/1252861 SUSE Bug 1252861 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 CVE-2025-40053 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40053.html CVE-2025-40053 https://bugzilla.suse.com/1252808 SUSE Bug 1252808 In the Linux kernel, the following vulnerability has been resolved: perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB). CVE-2025-40081 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40081.html CVE-2025-40081 https://bugzilla.suse.com/1252776 SUSE Bug 1252776 In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix missing pointer check in hda_component_manager_init function The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced. The call stack leading to the error looks like this: hda_component_manager_init |-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign |-> component_master_add_with_match( ... match) |-> component_match_realloc(match, match->num); // dereference Add IS_ERR() check to prevent the crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-40097 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40097.html CVE-2025-40097 https://bugzilla.suse.com/1252900 SUSE Bug 1252900 In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Prevent access to vCPU events before init Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception. In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG() in exception_target_el() during the next injection: kernel BUG at arch/arm64/kvm/inject_fault.c:40! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP CPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT Hardware name: linux,dummy-virt (DT) pstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : exception_target_el+0x88/0x8c lr : pend_serror_exception+0x18/0x13c sp : ffff800082f03a10 x29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000 x26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000 x23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004 x20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20 Call trace: exception_target_el+0x88/0x8c (P) kvm_inject_serror_esr+0x40/0x3b4 __kvm_arm_vcpu_set_events+0xf0/0x100 kvm_arch_vcpu_ioctl+0x180/0x9d4 kvm_vcpu_ioctl+0x60c/0x9f4 __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000) Reject the ioctls outright as no sane VMM would call these before KVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been thrown away by the eventual reset of the vCPU's state. CVE-2025-40102 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40102.html CVE-2025-40102 https://bugzilla.suse.com/1252919 SUSE Bug 1252919 In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error when the device processes data in the interrupt handler path. Add a check for zero chanlist_len at the beginning of the function, similar to the existing checks for !map and CMDF_RAWDATA flag. When chanlist_len is zero, update munge_count and return early, indicating the data was handled without munging. This prevents potential kernel panics from malformed user commands. CVE-2025-40106 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40106.html CVE-2025-40106 https://bugzilla.suse.com/1252891 SUSE Bug 1252891 In the Linux kernel, the following vulnerability has been resolved: bpf: Enforce expected_attach_type for tailcall compatibility Yinhao et al. recently reported: Our fuzzer tool discovered an uninitialized pointer issue in the bpf_prog_test_run_xdp() function within the Linux kernel's BPF subsystem. This leads to a NULL pointer dereference when a BPF program attempts to deference the txq member of struct xdp_buff object. The test initializes two programs of BPF_PROG_TYPE_XDP: progA acts as the entry point for bpf_prog_test_run_xdp() and its expected_attach_type can neither be of be BPF_XDP_DEVMAP nor BPF_XDP_CPUMAP. progA calls into a slot of a tailcall map it owns. progB's expected_attach_type must be BPF_XDP_DEVMAP to pass xdp_is_valid_access() validation. The program returns struct xdp_md's egress_ifindex, and the latter is only allowed to be accessed under mentioned expected_attach_type. progB is then inserted into the tailcall which progA calls. The underlying issue goes beyond XDP though. Another example are programs of type BPF_PROG_TYPE_CGROUP_SOCK_ADDR. sock_addr_is_valid_access() as well as sock_addr_func_proto() have different logic depending on the programs' expected_attach_type. Similarly, a program attached to BPF_CGROUP_INET4_GETPEERNAME should not be allowed doing a tailcall into a program which calls bpf_bind() out of BPF which is only enabled for BPF_CGROUP_INET4_CONNECT. In short, specifying expected_attach_type allows to open up additional functionality or restrictions beyond what the basic bpf_prog_type enables. The use of tailcalls must not violate these constraints. Fix it by enforcing expected_attach_type in __bpf_prog_map_compatible(). Note that we only enforce this for tailcall maps, but not for BPF devmaps or cpumaps: There, the programs are invoked through dev_map_bpf_prog_run*() and cpu_map_bpf_prog_run*() which set up a new environment / context and therefore these situations are not prone to this issue. CVE-2025-40123 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40123.html CVE-2025-40123 https://bugzilla.suse.com/1253365 SUSE Bug 1253365 In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 6 PID: 6798 Comm: dmsetup Not tainted 6.6.0-g7e52f5f0ca9b #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:blk_mq_wait_quiesce_done+0x0/0x50 Call Trace: <TASK> blk_mq_quiesce_queue+0x2c/0x50 dm_stop_queue+0xd/0x20 __dm_suspend+0x130/0x330 dm_suspend+0x11a/0x180 dev_suspend+0x27e/0x560 ctl_ioctl+0x4cf/0x850 dm_ctl_ioctl+0xd/0x20 vfs_ioctl+0x1d/0x50 __se_sys_ioctl+0x9b/0xc0 __x64_sys_ioctl+0x19/0x30 x64_sys_call+0x2c4a/0x4620 do_syscall_64+0x9e/0x1b0 The issue can be triggered as below: T1 T2 dm_suspend table_load __dm_suspend dm_setup_md_queue dm_mq_init_request_queue blk_mq_init_allocated_queue => q->mq_ops = set->ops; (1) dm_stop_queue / dm_wait_for_completion => q->tag_set NULL pointer! (2) => q->tag_set = set; (3) Fix this by checking if a valid table (map) exists before performing request-based suspend and waiting for target I/O. When map is NULL, skip these table-dependent suspend steps. Even when map is NULL, no I/O can reach any target because there is no table loaded; I/O submitted in this state will fail early in the DM layer. Skipping the table-dependent suspend logic in this case is safe and avoids NULL pointer dereferences. CVE-2025-40134 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40134.html CVE-2025-40134 https://bugzilla.suse.com/1253386 SUSE Bug 1253386 In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_xmit() Use RCU in ip6_xmit() in order to use dst_dev_rcu() to prevent possible UAF. CVE-2025-40135 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40135.html CVE-2025-40135 https://bugzilla.suse.com/1253342 SUSE Bug 1253342 In the Linux kernel, the following vulnerability has been resolved: mm: hugetlb: avoid soft lockup when mprotect to large memory area When calling mprotect() to a large hugetlb memory area in our customer's workload (~300GB hugetlb memory), soft lockup was observed: watchdog: BUG: soft lockup - CPU#98 stuck for 23s! [t2_new_sysv:126916] CPU: 98 PID: 126916 Comm: t2_new_sysv Kdump: loaded Not tainted 6.17-rc7 Hardware name: GIGACOMPUTING R2A3-T40-AAV1/Jefferson CIO, BIOS 5.4.4.1 07/15/2025 pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mte_clear_page_tags+0x14/0x24 lr : mte_sync_tags+0x1c0/0x240 sp : ffff80003150bb80 x29: ffff80003150bb80 x28: ffff00739e9705a8 x27: 0000ffd2d6a00000 x26: 0000ff8e4bc00000 x25: 00e80046cde00f45 x24: 0000000000022458 x23: 0000000000000000 x22: 0000000000000004 x21: 000000011b380000 x20: ffff000000000000 x19: 000000011b379f40 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffc875e0aa5e2c x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : fffffc01ce7a5c00 x4 : 00000000046cde00 x3 : fffffc0000000000 x2 : 0000000000000004 x1 : 0000000000000040 x0 : ffff0046cde7c000 Call trace: mte_clear_page_tags+0x14/0x24 set_huge_pte_at+0x25c/0x280 hugetlb_change_protection+0x220/0x430 change_protection+0x5c/0x8c mprotect_fixup+0x10c/0x294 do_mprotect_pkey.constprop.0+0x2e0/0x3d4 __arm64_sys_mprotect+0x24/0x44 invoke_syscall+0x50/0x160 el0_svc_common+0x48/0x144 do_el0_svc+0x30/0xe0 el0_svc+0x30/0xf0 el0t_64_sync_handler+0xc4/0x148 el0t_64_sync+0x1a4/0x1a8 Soft lockup is not triggered with THP or base page because there is cond_resched() called for each PMD size. Although the soft lockup was triggered by MTE, it should be not MTE specific. The other processing which takes long time in the loop may trigger soft lockup too. So add cond_resched() for hugetlb to avoid soft lockup. CVE-2025-40153 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40153.html CVE-2025-40153 https://bugzilla.suse.com/1253408 SUSE Bug 1253408 In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU in ip6_output() Use RCU in ip6_output() in order to use dst_dev_rcu() to prevent possible UAF. We can remove rcu_read_lock()/rcu_read_unlock() pairs from ip6_finish_output2(). CVE-2025-40158 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40158.html CVE-2025-40158 https://bugzilla.suse.com/1253402 SUSE Bug 1253402 In the Linux kernel, the following vulnerability has been resolved: xen/events: Return -EEXIST for bound VIRQs Change find_virq() to return -EEXIST when a VIRQ is bound to a different CPU than the one passed in. With that, remove the BUG_ON() from bind_virq_to_irq() to propogate the error upwards. Some VIRQs are per-cpu, but others are per-domain or global. Those must be bound to CPU0 and can then migrate elsewhere. The lookup for per-domain and global will probably fail when migrated off CPU 0, especially when the current CPU is tracked. This now returns -EEXIST instead of BUG_ON(). A second call to bind a per-domain or global VIRQ is not expected, but make it non-fatal to avoid trying to look up the irq, since we don't know which per_cpu(virq_to_irq) it will be in. CVE-2025-40160 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40160.html CVE-2025-40160 https://bugzilla.suse.com/1253400 SUSE Bug 1253400 In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode. CVE-2025-40167 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40167.html CVE-2025-40167 https://bugzilla.suse.com/1253458 SUSE Bug 1253458 In the Linux kernel, the following vulnerability has been resolved: net: use dst_dev_rcu() in sk_setup_caps() Use RCU to protect accesses to dst->dev from sk_setup_caps() and sk_dst_gso_max_size(). Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(), and ip_dst_mtu_maybe_forward(). ip4_dst_hoplimit() can use dst_dev_net_rcu(). CVE-2025-40170 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40170.html CVE-2025-40170 https://bugzilla.suse.com/1253413 SUSE Bug 1253413 In the Linux kernel, the following vulnerability has been resolved: pid: Add a judgment for ns null in pid_nr_ns __task_pid_nr_ns ns = task_active_pid_ns(current); pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns); if (pid && ns->level <= pid->level) { Sometimes null is returned for task_active_pid_ns. Then it will trigger kernel panic in pid_nr_ns. For example: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=00000002175aa000 [0000000000000058] pgd=08000002175ab003, p4d=08000002175ab003, pud=08000002175ab003, pmd=08000002175be003, pte=0000000000000000 pstate: 834000c5 (Nzcv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : __task_pid_nr_ns+0x74/0xd0 lr : __task_pid_nr_ns+0x24/0xd0 sp : ffffffc08001bd10 x29: ffffffc08001bd10 x28: ffffffd4422b2000 x27: 0000000000000001 x26: ffffffd442821168 x25: ffffffd442821000 x24: 00000f89492eab31 x23: 00000000000000c0 x22: ffffff806f5693c0 x21: ffffff806f5693c0 x20: 0000000000000001 x19: 0000000000000000 x18: 0000000000000000 x17: 00000000529c6ef0 x16: 00000000529c6ef0 x15: 00000000023a1adc x14: 0000000000000003 x13: 00000000007ef6d8 x12: 001167c391c78800 x11: 00ffffffffffffff x10: 0000000000000000 x9 : 0000000000000001 x8 : ffffff80816fa3c0 x7 : 0000000000000000 x6 : 49534d702d535449 x5 : ffffffc080c4c2c0 x4 : ffffffd43ee128c8 x3 : ffffffd43ee124dc x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffffff806f5693c0 Call trace: __task_pid_nr_ns+0x74/0xd0 ... __handle_irq_event_percpu+0xd4/0x284 handle_irq_event+0x48/0xb0 handle_fasteoi_irq+0x160/0x2d8 generic_handle_domain_irq+0x44/0x60 gic_handle_irq+0x4c/0x114 call_on_irq_stack+0x3c/0x74 do_interrupt_handler+0x4c/0x84 el1_interrupt+0x34/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c account_kernel_stack+0x60/0x144 exit_task_stack_account+0x1c/0x80 do_exit+0x7e4/0xaf8 ... get_signal+0x7bc/0x8d8 do_notify_resume+0x128/0x828 el0_svc+0x6c/0x70 el0t_64_sync_handler+0x68/0xbc el0t_64_sync+0x1a8/0x1ac Code: 35fffe54 911a02a8 f9400108 b4000128 (b9405a69) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception in interrupt CVE-2025-40178 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40178.html CVE-2025-40178 https://bugzilla.suse.com/1253463 SUSE Bug 1253463 In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files. CVE-2025-40179 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40179.html CVE-2025-40179 https://bugzilla.suse.com/1253442 SUSE Bug 1253442 In the Linux kernel, the following vulnerability has been resolved: net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() If new_asoc->peer.adaptation_ind=0 and sctp_ulpevent_make_authkey=0 and sctp_ulpevent_make_authkey() returns 0, then the variable ai_ev remains zero and the zero will be dereferenced in the sctp_ulpevent_free() function. CVE-2025-40187 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40187.html CVE-2025-40187 https://bugzilla.suse.com/1253647 SUSE Bug 1253647 In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn. CVE-2025-40190 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40190.html CVE-2025-40190 https://bugzilla.suse.com/1253623 SUSE Bug 1253623 In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcouting and user message limit counts are done in that routine. It's a lot cleaner and safer. CVE-2025-40202 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40202.html CVE-2025-40202 https://bugzilla.suse.com/1253451 SUSE Bug 1253451 In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by calling cancel_delayed_work_sync() for each device's switch_brightness_work in acpi_video_bus_remove_notify_handler() after removing the notify handler that queues the work. This ensures the work completes before the memory is freed. [ rjw: Changelog edit ] CVE-2025-40211 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40211.html CVE-2025-40211 https://bugzilla.suse.com/1254126 SUSE Bug 1254126 In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked. CVE-2025-40215 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40215.html CVE-2025-40215 https://bugzilla.suse.com/1254959 SUSE Bug 1254959 https://bugzilla.suse.com/1255054 SUSE Bug 1255054 In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV Before disabling SR-IOV via config space accesses to the parent PF, sriov_disable() first removes the PCI devices representing the VFs. Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()") such removal operations are serialized against concurrent remove and rescan using the pci_rescan_remove_lock. No such locking was ever added in sriov_disable() however. In particular when commit 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device removal into sriov_del_vfs() there was still no locking around the pci_iov_remove_virtfn() calls. On s390 the lack of serialization in sriov_disable() may cause double remove and list corruption with the below (amended) trace being observed: PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56) GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480 0000000000000001 0000000000000000 0000000000000000 0000000180692828 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8 #0 [3800313fb20] device_del at c9158ad5c #1 [3800313fb88] pci_remove_bus_device at c915105ba #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198 #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0 #4 [3800313fc60] zpci_bus_remove_device at c90fb6104 #5 [3800313fca0] __zpci_event_availability at c90fb3dca #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2 #7 [3800313fd60] crw_collect_info at c91905822 #8 [3800313fe10] kthread at c90feb390 #9 [3800313fe68] __ret_from_fork at c90f6aa64 #10 [3800313fe98] ret_from_fork at c9194f3f2. This is because in addition to sriov_disable() removing the VFs, the platform also generates hot-unplug events for the VFs. This being the reverse operation to the hotplug events generated by sriov_enable() and handled via pdev->no_vf_scan. And while the event processing takes pci_rescan_remove_lock and checks whether the struct pci_dev still exists, the lack of synchronization makes this checking racy. Other races may also be possible of course though given that this lack of locking persisted so long observable races seem very rare. Even on s390 the list corruption was only observed with certain devices since the platform events are only triggered by config accesses after the removal, so as long as the removal finished synchronously they would not race. Either way the locking is missing so fix this by adding it to the sriov_del_vfs() helper. Just like PCI rescan-remove, locking is also missing in sriov_add_vfs() including for the error case where pci_stop_and_remove_bus_device() is called without the PCI rescan-remove lock being held. Even in the non-error case, adding new PCI devices and buses should be serialized via the PCI rescan-remove lock. Add the necessary locking. CVE-2025-40219 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40219.html CVE-2025-40219 https://bugzilla.suse.com/1254518 SUSE Bug 1254518 In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor, and closes the file descriptor before the writes complete. Unsurprisingly, the AIO exerciser threads are mostly stuck waiting for responses from the fuseblk server: # cat /proc/372265/task/372313/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_do_getattr+0xfc/0x1f0 [fuse] [<0>] fuse_file_read_iter+0xbe/0x1c0 [fuse] [<0>] aio_read+0x130/0x1e0 [<0>] io_submit_one+0x542/0x860 [<0>] __x64_sys_io_submit+0x98/0x1a0 [<0>] do_syscall_64+0x37/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 But the /weird/ part is that the fuseblk server threads are waiting for responses from itself: # cat /proc/372210/task/372232/stack [<0>] request_wait_answer+0x1fe/0x2a0 [fuse] [<0>] __fuse_simple_request+0xd3/0x2b0 [fuse] [<0>] fuse_file_put+0x9a/0xd0 [fuse] [<0>] fuse_release+0x36/0x50 [fuse] [<0>] __fput+0xec/0x2b0 [<0>] task_work_run+0x55/0x90 [<0>] syscall_exit_to_user_mode+0xe9/0x100 [<0>] do_syscall_64+0x43/0xf0 [<0>] entry_SYSCALL_64_after_hwframe+0x4b/0x53 The fuseblk server is fuse2fs so there's nothing all that exciting in the server itself. So why is the fuse server calling fuse_file_put? The commit message for the fstest sheds some light on that: "By closing the file descriptor before calling io_destroy, you pretty much guarantee that the last put on the ioctx will be done in interrupt context (during I/O completion). Aha. AIO fgets a new struct file from the fd when it queues the ioctx. The completion of the FUSE_WRITE command from userspace causes the fuse server to call the AIO completion function. The completion puts the struct file, queuing a delayed fput to the fuse server task. When the fuse server task returns to userspace, it has to run the delayed fput, which in the case of a fuseblk server, it does synchronously. Sending the FUSE_RELEASE command sychronously from fuse server threads is a bad idea because a client program can initiate enough simultaneous AIOs such that all the fuse server threads end up in delayed_fput, and now there aren't any threads left to handle the queued fuse commands. Fix this by only using asynchronous fputs when closing files, and leave a comment explaining why. CVE-2025-40220 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40220.html CVE-2025-40220 https://bugzilla.suse.com/1254520 SUSE Bug 1254520 In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below. CVE-2025-40223 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40223.html CVE-2025-40223 https://bugzilla.suse.com/1254957 SUSE Bug 1254957 In the Linux kernel, the following vulnerability has been resolved: vsock: fix lock inversion in vsock_assign_transport() Syzbot reported a potential lock inversion deadlock between vsock_register_mutex and sk_lock-AF_VSOCK when vsock_linger() is called. The issue was introduced by commit 687aa0c5581b ("vsock: Fix transport_* TOCTOU") which added vsock_register_mutex locking in vsock_assign_transport() around the transport->release() call, that can call vsock_linger(). vsock_assign_transport() can be called with sk_lock held. vsock_linger() calls sk_wait_event() that temporarily releases and re-acquires sk_lock. During this window, if another thread hold vsock_register_mutex while trying to acquire sk_lock, a circular dependency is created. Fix this by releasing vsock_register_mutex before calling transport->release() and vsock_deassign_transport(). This is safe because we don't need to hold vsock_register_mutex while releasing the old transport, and we ensure the new transport won't disappear by obtaining a module reference first via try_module_get(). CVE-2025-40231 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40231.html CVE-2025-40231 https://bugzilla.suse.com/1254815 SUSE Bug 1254815 In the Linux kernel, the following vulnerability has been resolved: ocfs2: clear extent cache after moving/defragmenting extents The extent map cache can become stale when extents are moved or defragmented, causing subsequent operations to see outdated extent flags. This triggers a BUG_ON in ocfs2_refcount_cal_cow_clusters(). The problem occurs when: 1. copy_file_range() creates a reflinked extent with OCFS2_EXT_REFCOUNTED 2. ioctl(FITRIM) triggers ocfs2_move_extents() 3. __ocfs2_move_extents_range() reads and caches the extent (flags=0x2) 4. ocfs2_move_extent()/ocfs2_defrag_extent() calls __ocfs2_move_extent() which clears OCFS2_EXT_REFCOUNTED flag on disk (flags=0x0) 5. The extent map cache is not invalidated after the move 6. Later write() operations read stale cached flags (0x2) but disk has updated flags (0x0), causing a mismatch 7. BUG_ON(!(rec->e_flags & OCFS2_EXT_REFCOUNTED)) triggers Fix by clearing the extent map cache after each extent move/defrag operation in __ocfs2_move_extents_range(). This ensures subsequent operations read fresh extent data from disk. CVE-2025-40233 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40233.html CVE-2025-40233 https://bugzilla.suse.com/1254813 SUSE Bug 1254813 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix IPsec cleanup over MPV device When we do mlx5e_detach_netdev() we eventually disable blocking events notifier, among those events are IPsec MPV events from IB to core. So before disabling those blocking events, make sure to also unregister the devcom device and mark all this device operations as complete, in order to prevent the other device from using invalid netdev during future devcom events which could cause the trace below. BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 146427067 P4D 146427067 PUD 146488067 PMD 0 Oops: Oops: 0000 [#1] SMP CPU: 1 UID: 0 PID: 7735 Comm: devlink Tainted: GW 6.12.0-rc6_for_upstream_min_debug_2024_11_08_00_46 #1 Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] Code: 00 01 48 83 05 23 32 1e 00 01 41 b8 ed ff ff ff e9 60 ff ff ff 48 83 05 00 32 1e 00 01 eb e3 66 0f 1f 44 00 00 0f 1f 44 00 00 <48> 8b 47 10 48 83 05 5f 32 1e 00 01 48 8b 50 40 48 85 d2 74 05 40 RSP: 0018:ffff88811a5c35f8 EFLAGS: 00010206 RAX: ffff888106e8ab80 RBX: ffff888107d7e200 RCX: ffff88810d6f0a00 RDX: ffff88810d6f0a00 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88811a17e620 R08: 0000000000000040 R09: 0000000000000000 R10: ffff88811a5c3618 R11: 0000000de85d51bd R12: ffff88811a17e600 R13: ffff88810d6f0a00 R14: 0000000000000000 R15: ffff8881034bda80 FS: 00007f27bdf89180(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000010f159005 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? mlx5_devcom_comp_set_ready+0x5/0x40 [mlx5_core] mlx5e_devcom_event_mpv+0x42/0x60 [mlx5_core] mlx5_devcom_send_event+0x8c/0x170 [mlx5_core] blocking_event+0x17b/0x230 [mlx5_core] notifier_call_chain+0x35/0xa0 blocking_notifier_call_chain+0x3d/0x60 mlx5_blocking_notifier_call_chain+0x22/0x30 [mlx5_core] mlx5_core_mp_event_replay+0x12/0x20 [mlx5_core] mlx5_ib_bind_slave_port+0x228/0x2c0 [mlx5_ib] mlx5_ib_stage_init_init+0x664/0x9d0 [mlx5_ib] ? idr_alloc_cyclic+0x50/0xb0 ? __kmalloc_cache_noprof+0x167/0x340 ? __kmalloc_noprof+0x1a7/0x430 __mlx5_ib_add+0x34/0xd0 [mlx5_ib] mlx5r_probe+0xe9/0x310 [mlx5_ib] ? kernfs_add_one+0x107/0x150 ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] auxiliary_bus_probe+0x3e/0x90 really_probe+0xc5/0x3a0 ? driver_probe_device+0x90/0x90 __driver_probe_device+0x80/0x160 driver_probe_device+0x1e/0x90 __device_attach_driver+0x7d/0x100 bus_for_each_drv+0x80/0xd0 __device_attach+0xbc/0x1f0 bus_probe_device+0x86/0xa0 device_add+0x62d/0x830 __auxiliary_device_add+0x3b/0xa0 ? auxiliary_device_init+0x41/0x90 add_adev+0xd1/0x150 [mlx5_core] mlx5_rescan_drivers_locked+0x21c/0x300 [mlx5_core] esw_mode_change+0x6c/0xc0 [mlx5_core] mlx5_devlink_eswitch_mode_set+0x21e/0x640 [mlx5_core] devlink_nl_eswitch_set_doit+0x60/0xe0 genl_family_rcv_msg_doit+0xd0/0x120 genl_rcv_msg+0x180/0x2b0 ? devlink_get_from_attrs_lock+0x170/0x170 ? devlink_nl_eswitch_get_doit+0x290/0x290 ? devlink_nl_pre_doit_port_optional+0x50/0x50 ? genl_family_rcv_msg_dumpit+0xf0/0xf0 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x1fc/0x2d0 netlink_sendmsg+0x1e4/0x410 __sock_sendmsg+0x38/0x60 ? sockfd_lookup_light+0x12/0x60 __sys_sendto+0x105/0x160 ? __sys_recvmsg+0x4e/0x90 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7f27bc91b13a Code: bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 8b 05 fa 96 2c 00 45 89 c9 4c 63 d1 48 63 ff 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff ---truncated--- CVE-2025-40238 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40238.html CVE-2025-40238 https://bugzilla.suse.com/1254871 SUSE Bug 1254871 In the Linux kernel, the following vulnerability has been resolved: sctp: avoid NULL dereference when chunk data buffer is missing chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only. chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition. CVE-2025-40240 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40240.html CVE-2025-40240 https://bugzilla.suse.com/1254869 SUSE Bug 1254869 In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix unlikely race in gdlm_put_lock In gdlm_put_lock(), there is a small window of time in which the DFL_UNMOUNT flag has been set but the lockspace hasn't been released, yet. In that window, dlm may still call gdlm_ast() and gdlm_bast(). To prevent it from dereferencing freed glock objects, only free the glock if the lockspace has actually been released. CVE-2025-40242 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40242.html CVE-2025-40242 https://bugzilla.suse.com/1255075 SUSE Bug 1255075 https://bugzilla.suse.com/1255076 SUSE Bug 1255076 In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() The syzbot reported issue in __hfsplus_ext_cache_extent(): [ 70.194323][ T9350] BUG: KMSAN: uninit-value in __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195022][ T9350] __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.195530][ T9350] hfsplus_file_extend+0x74f/0x1cf0 [ 70.195998][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.196458][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.196959][ T9350] cont_write_begin+0x1000/0x1950 [ 70.197416][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.197873][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.198374][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.198892][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.199393][ T9350] vfs_write+0xb0f/0x14e0 [ 70.199771][ T9350] ksys_write+0x23e/0x490 [ 70.200149][ T9350] __x64_sys_write+0x97/0xf0 [ 70.200570][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.201065][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.201506][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.202054][ T9350] [ 70.202279][ T9350] Uninit was created at: [ 70.202693][ T9350] __kmalloc_noprof+0x621/0xf80 [ 70.203149][ T9350] hfsplus_find_init+0x8d/0x1d0 [ 70.203602][ T9350] hfsplus_file_extend+0x6ca/0x1cf0 [ 70.204087][ T9350] hfsplus_get_block+0xe16/0x17b0 [ 70.204561][ T9350] __block_write_begin_int+0x962/0x2ce0 [ 70.205074][ T9350] cont_write_begin+0x1000/0x1950 [ 70.205547][ T9350] hfsplus_write_begin+0x85/0x130 [ 70.206017][ T9350] generic_perform_write+0x3e8/0x1060 [ 70.206519][ T9350] __generic_file_write_iter+0x215/0x460 [ 70.207042][ T9350] generic_file_write_iter+0x109/0x5e0 [ 70.207552][ T9350] vfs_write+0xb0f/0x14e0 [ 70.207961][ T9350] ksys_write+0x23e/0x490 [ 70.208375][ T9350] __x64_sys_write+0x97/0xf0 [ 70.208810][ T9350] x64_sys_call+0x3015/0x3cf0 [ 70.209255][ T9350] do_syscall_64+0xd9/0x1d0 [ 70.209680][ T9350] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.210230][ T9350] [ 70.210454][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Not tainted 6.12.0-rc5 #5 [ 70.211174][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.212115][ T9350] ===================================================== [ 70.212734][ T9350] Disabling lock debugging due to kernel taint [ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic set ... [ 70.213858][ T9350] CPU: 2 UID: 0 PID: 9350 Comm: repro Tainted: G B 6.12.0-rc5 #5 [ 70.214679][ T9350] Tainted: [B]=BAD_PAGE [ 70.215057][ T9350] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.215999][ T9350] Call Trace: [ 70.216309][ T9350] <TASK> [ 70.216585][ T9350] dump_stack_lvl+0x1fd/0x2b0 [ 70.217025][ T9350] dump_stack+0x1e/0x30 [ 70.217421][ T9350] panic+0x502/0xca0 [ 70.217803][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 [ 70.218294][ Message fromT sy9350] kmsan_report+0x296/slogd@syzkaller 0x2aat Aug 18 22:11:058 ... kernel :[ 70.213284][ T9350] Kernel panic - not syncing: kmsan.panic [ 70.220179][ T9350] ? kmsan_get_metadata+0x13e/0x1c0 set ... [ 70.221254][ T9350] ? __msan_warning+0x96/0x120 [ 70.222066][ T9350] ? __hfsplus_ext_cache_extent+0x7d0/0x990 [ 70.223023][ T9350] ? hfsplus_file_extend+0x74f/0x1cf0 [ 70.224120][ T9350] ? hfsplus_get_block+0xe16/0x17b0 [ 70.224946][ T9350] ? __block_write_begin_int+0x962/0x2ce0 [ 70.225756][ T9350] ? cont_write_begin+0x1000/0x1950 [ 70.226337][ T9350] ? hfsplus_write_begin+0x85/0x130 [ 70.226852][ T9350] ? generic_perform_write+0x3e8/0x1060 [ 70.227405][ T9350] ? __generic_file_write_iter+0x215/0x460 [ 70.227979][ T9350] ? generic_file_write_iter+0x109/0x5e0 [ 70.228540][ T9350] ? vfs_write+0xb0f/0x14e0 [ 70.228997][ T9350] ? ksys_write+0x23e/0x490 ---truncated--- CVE-2025-40244 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40244.html CVE-2025-40244 https://bugzilla.suse.com/1255033 SUSE Bug 1255033 In the Linux kernel, the following vulnerability has been resolved: vsock: Ignore signal/timeout on connect() if already established During connect(), acting on a signal/timeout by disconnecting an already established socket leads to several issues: 1. connect() invoking vsock_transport_cancel_pkt() -> virtio_transport_purge_skbs() may race with sendmsg() invoking virtio_transport_get_credit(). This results in a permanently elevated `vvs->bytes_unsent`. Which, in turn, confuses the SOCK_LINGER handling. 2. connect() resetting a connected socket's state may race with socket being placed in a sockmap. A disconnected socket remaining in a sockmap breaks sockmap's assumptions. And gives rise to WARNs. 3. connect() transitioning SS_CONNECTED -> SS_UNCONNECTED allows for a transport change/drop after TCP_ESTABLISHED. Which poses a problem for any simultaneous sendmsg() or connect() and may result in a use-after-free/null-ptr-deref. Do not disconnect socket on signal/timeout. Keep the logic for unconnected sockets: they don't linger, can't be placed in a sockmap, are rejected by sendmsg(). [1]: https://lore.kernel.org/netdev/e07fd95c-9a38-4eea-9638-133e38c2ec9b@rbox.co/ [2]: https://lore.kernel.org/netdev/20250317-vsock-trans-signal-race-v4-0-fc8837f3f1d4@rbox.co/ [3]: https://lore.kernel.org/netdev/60f1b7db-3099-4f6a-875e-af9f6ef194f6@rbox.co/ CVE-2025-40248 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40248.html CVE-2025-40248 https://bugzilla.suse.com/1254864 SUSE Bug 1254864 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clean up only new IRQ glue on request_irq() failure The mlx5_irq_alloc() function can inadvertently free the entire rmap and end up in a crash[1] when the other threads tries to access this, when request_irq() fails due to exhausted IRQ vectors. This commit modifies the cleanup to remove only the specific IRQ mapping that was just added. This prevents removal of other valid mappings and ensures precise cleanup of the failed IRQ allocation's associated glue object. Note: This error is observed when both fwctl and rds configs are enabled. [1] mlx5_core 0000:05:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:05:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:06:00.0: Successfully registered panic handler for port 1 mlx5_core 0000:06:00.0: mlx5_irq_alloc:293:(pid 66740): Failed to request irq. err = -28 infiniband mlx5_0: mlx5_ib_test_wc:290:(pid 66740): Error -28 while trying to test write-combining support mlx5_core 0000:06:00.0: Successfully unregistered panic handler for port 1 mlx5_core 0000:03:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 mlx5_core 0000:05:00.0: mlx5_irq_alloc:293:(pid 28895): Failed to request irq. err = -28 general protection fault, probably for non-canonical address 0xe277a58fde16f291: 0000 [#1] SMP NOPTI RIP: 0010:free_irq_cpu_rmap+0x23/0x7d Call Trace: <TASK> ? show_trace_log_lvl+0x1d6/0x2f9 ? show_trace_log_lvl+0x1d6/0x2f9 ? mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] ? __die_body.cold+0x8/0xa ? die_addr+0x39/0x53 ? exc_general_protection+0x1c4/0x3e9 ? dev_vprintk_emit+0x5f/0x90 ? asm_exc_general_protection+0x22/0x27 ? free_irq_cpu_rmap+0x23/0x7d mlx5_irq_alloc.cold+0x5d/0xf3 [mlx5_core] irq_pool_request_vector+0x7d/0x90 [mlx5_core] mlx5_irq_request+0x2e/0xe0 [mlx5_core] mlx5_irq_request_vector+0xad/0xf7 [mlx5_core] comp_irq_request_pci+0x64/0xf0 [mlx5_core] create_comp_eq+0x71/0x385 [mlx5_core] ? mlx5e_open_xdpsq+0x11c/0x230 [mlx5_core] mlx5_comp_eqn_get+0x72/0x90 [mlx5_core] ? xas_load+0x8/0x91 mlx5_comp_irqn_get+0x40/0x90 [mlx5_core] mlx5e_open_channel+0x7d/0x3c7 [mlx5_core] mlx5e_open_channels+0xad/0x250 [mlx5_core] mlx5e_open_locked+0x3e/0x110 [mlx5_core] mlx5e_open+0x23/0x70 [mlx5_core] __dev_open+0xf1/0x1a5 __dev_change_flags+0x1e1/0x249 dev_change_flags+0x21/0x5c do_setlink+0x28b/0xcc4 ? __nla_parse+0x22/0x3d ? inet6_validate_link_af+0x6b/0x108 ? cpumask_next+0x1f/0x35 ? __snmp6_fill_stats64.constprop.0+0x66/0x107 ? __nla_validate_parse+0x48/0x1e6 __rtnl_newlink+0x5ff/0xa57 ? kmem_cache_alloc_trace+0x164/0x2ce rtnl_newlink+0x44/0x6e rtnetlink_rcv_msg+0x2bb/0x362 ? __netlink_sendskb+0x4c/0x6c ? netlink_unicast+0x28f/0x2ce ? rtnl_calcit.isra.0+0x150/0x146 netlink_rcv_skb+0x5f/0x112 netlink_unicast+0x213/0x2ce netlink_sendmsg+0x24f/0x4d9 __sock_sendmsg+0x65/0x6a ____sys_sendmsg+0x28f/0x2c9 ? import_iovec+0x17/0x2b ___sys_sendmsg+0x97/0xe0 __sys_sendmsg+0x81/0xd8 do_syscall_64+0x35/0x87 entry_SYSCALL_64_after_hwframe+0x6e/0x0 RIP: 0033:0x7fc328603727 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 0b ed ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 44 ed ff ff 48 RSP: 002b:00007ffe8eb3f1a0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc328603727 RDX: 0000000000000000 RSI: 00007ffe8eb3f1f0 RDI: 000000000000000d RBP: 00007ffe8eb3f1f0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00000000000 ---truncated--- CVE-2025-40250 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40250.html CVE-2025-40250 https://bugzilla.suse.com/1254854 SUSE Bug 1254854 In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, without actually setting the `devlink_rate->parent` pointer to NULL. This leaves a dangling pointer in the `devlink_rate` struct, which cause refcount error in netdevsim[1] and mlx5[2]. In addition, this is inconsistent with the behavior of `devlink_nl_rate_parent_node_set`, where the parent pointer is correctly cleared. This patch fixes the issue by explicitly setting `devlink_rate->parent` to NULL after notifying the driver, thus fulfilling the function's documented behavior for all rate objects. [1] repro steps: echo 1 > /sys/bus/netdevsim/new_device devlink dev eswitch set netdevsim/netdevsim1 mode switchdev echo 1 > /sys/bus/netdevsim/devices/netdevsim1/sriov_numvfs devlink port function rate add netdevsim/netdevsim1/test_node devlink port function rate set netdevsim/netdevsim1/128 parent test_node echo 1 > /sys/bus/netdevsim/del_device dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 8 PID: 1530 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 8 UID: 0 PID: 1530 Comm: bash Not tainted 6.18.0-rc4+ #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 __nsim_dev_port_del+0x6c/0x70 [netdevsim] nsim_dev_reload_destroy+0x11c/0x140 [netdevsim] nsim_drv_remove+0x2b/0xb0 [netdevsim] device_release_driver_internal+0x194/0x1f0 bus_remove_device+0xc6/0x130 device_del+0x159/0x3c0 device_unregister+0x1a/0x60 del_device_store+0x111/0x170 [netdevsim] kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x55/0x10f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [2] devlink dev eswitch set pci/0000:08:00.0 mode switchdev devlink port add pci/0000:08:00.0 flavour pcisf pfnum 0 sfnum 1000 devlink port function rate add pci/0000:08:00.0/group1 devlink port function rate set pci/0000:08:00.0/32768 parent group1 modprobe -r mlx5_ib mlx5_fwctl mlx5_core dmesg: refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 7 PID: 16151 at lib/refcount.c:31 refcount_warn_saturate+0x42/0xe0 CPU: 7 UID: 0 PID: 16151 Comm: bash Not tainted 6.17.0-rc7_for_upstream_min_debug_2025_10_02_12_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:refcount_warn_saturate+0x42/0xe0 Call Trace: <TASK> devl_rate_leaf_destroy+0x8d/0x90 mlx5_esw_offloads_devlink_port_unregister+0x33/0x60 [mlx5_core] mlx5_esw_offloads_unload_rep+0x3f/0x50 [mlx5_core] mlx5_eswitch_unload_sf_vport+0x40/0x90 [mlx5_core] mlx5_sf_esw_event+0xc4/0x120 [mlx5_core] notifier_call_chain+0x33/0xa0 blocking_notifier_call_chain+0x3b/0x50 mlx5_eswitch_disable_locked+0x50/0x110 [mlx5_core] mlx5_eswitch_disable+0x63/0x90 [mlx5_core] mlx5_unload+0x1d/0x170 [mlx5_core] mlx5_uninit_one+0xa2/0x130 [mlx5_core] remove_one+0x78/0xd0 [mlx5_core] pci_device_remove+0x39/0xa0 device_release_driver_internal+0x194/0x1f0 unbind_store+0x99/0xa0 kernfs_fop_write_iter+0x12e/0x1e0 vfs_write+0x215/0x3d0 ksys_write+0x5f/0xd0 do_syscall_64+0x53/0x1f0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 CVE-2025-40251 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40251.html CVE-2025-40251 https://bugzilla.suse.com/1254856 SUSE Bug 1254856 In the Linux kernel, the following vulnerability has been resolved: net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end() The loops in 'qede_tpa_cont()' and 'qede_tpa_end()', iterate over 'cqe->len_list[]' using only a zero-length terminator as the stopping condition. If the terminator was missing or malformed, the loop could run past the end of the fixed-size array. Add an explicit bound check using ARRAY_SIZE() in both loops to prevent a potential out-of-bounds access. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-40252 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40252.html CVE-2025-40252 https://bugzilla.suse.com/1254849 SUSE Bug 1254849 In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: remove never-working support for setting nsh fields The validation of the set(nsh(...)) action is completely wrong. It runs through the nsh_key_put_from_nlattr() function that is the same function that validates NSH keys for the flow match and the push_nsh() action. However, the set(nsh(...)) has a very different memory layout. Nested attributes in there are doubled in size in case of the masked set(). That makes proper validation impossible. There is also confusion in the code between the 'masked' flag, that says that the nested attributes are doubled in size containing both the value and the mask, and the 'is_mask' that says that the value we're parsing is the mask. This is causing kernel crash on trying to write into mask part of the match with SW_FLOW_KEY_PUT() during validation, while validate_nsh() doesn't allocate any memory for it: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 1c2383067 P4D 1c2383067 PUD 20b703067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 8 UID: 0 Kdump: loaded Not tainted 6.17.0-rc4+ #107 PREEMPT(voluntary) RIP: 0010:nsh_key_put_from_nlattr+0x19d/0x610 [openvswitch] Call Trace: <TASK> validate_nsh+0x60/0x90 [openvswitch] validate_set.constprop.0+0x270/0x3c0 [openvswitch] __ovs_nla_copy_actions+0x477/0x860 [openvswitch] ovs_nla_copy_actions+0x8d/0x100 [openvswitch] ovs_packet_cmd_execute+0x1cc/0x310 [openvswitch] genl_family_rcv_msg_doit+0xdb/0x130 genl_family_rcv_msg+0x14b/0x220 genl_rcv_msg+0x47/0xa0 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x280/0x3b0 netlink_sendmsg+0x1f7/0x430 ____sys_sendmsg+0x36b/0x3a0 ___sys_sendmsg+0x87/0xd0 __sys_sendmsg+0x6d/0xd0 do_syscall_64+0x7b/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The third issue with this process is that while trying to convert the non-masked set into masked one, validate_set() copies and doubles the size of the OVS_KEY_ATTR_NSH as if it didn't have any nested attributes. It should be copying each nested attribute and doubling them in size independently. And the process must be properly reversed during the conversion back from masked to a non-masked variant during the flow dump. In the end, the only two outcomes of trying to use this action are either validation failure or a kernel crash. And if somehow someone manages to install a flow with such an action, it will most definitely not do what it is supposed to, since all the keys and the masks are mixed up. Fixing all the issues is a complex task as it requires re-writing most of the validation code. Given that and the fact that this functionality never worked since introduction, let's just remove it altogether. It's better to re-introduce it later with a proper implementation instead of trying to fix it in stable releases. CVE-2025-40254 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40254.html CVE-2025-40254 https://bugzilla.suse.com/1254852 SUSE Bug 1254852 In the Linux kernel, the following vulnerability has been resolved: xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I missed the case where state creation fails between full initialization (->init_state has been called) and being inserted on the lists. In this situation, ->init_state has been called, so for IPcomp tunnels, the fallback tunnel has been created and added onto the lists, but the user state never gets added, because we fail before that. The user state doesn't go through __xfrm_state_delete, so we don't call xfrm_state_delete_tunnel for those states, and we end up leaking the FB tunnel. There are several codepaths affected by this: the add/update paths, in both net/key and xfrm, and the migrate code (xfrm_migrate, xfrm_state_migrate). A "proper" rollback of the init_state work would probably be doable in the add/update code, but for migrate it gets more complicated as multiple states may be involved. At some point, the new (not-inserted) state will be destroyed, so call xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states will have their fallback tunnel cleaned up during __xfrm_state_delete, which solves the issue that b441cf3f8c4b (and other patches before it) aimed at. All states (including FB tunnels) will be removed from the lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work). CVE-2025-40256 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40256.html CVE-2025-40256 https://bugzilla.suse.com/1254851 SUSE Bug 1254851 In the Linux kernel, the following vulnerability has been resolved: mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report: BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Workqueue: events mptcp_worker Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6079 [inline] __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 process_backlog+0x31e/0x900 net/core/dev.c:6544 __napi_poll+0xb6/0x540 net/core/dev.c:7594 napi_poll net/core/dev.c:7657 [inline] net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 kmalloc_noprof include/linux/slab.h:957 [inline] mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6630: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object m ---truncated--- CVE-2025-40257 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40257.html CVE-2025-40257 https://bugzilla.suse.com/1254842 SUSE Bug 1254842 https://bugzilla.suse.com/1257242 SUSE Bug 1257242 In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in mptcp_schedule_work() syzbot reported use-after-free in mptcp_schedule_work() [1] Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker(). [A] if (schedule_work(...)) { [B] sock_hold(sk); return true; } Problem is that mptcp_worker() can run immediately and complete before [B] We need instead : sock_hold(sk); if (schedule_work(...)) return true; sock_put(sk); [1] refcount_t: addition on 0; use-after-free. WARNING: CPU: 1 PID: 29 at lib/refcount.c:25 refcount_warn_saturate+0xfa/0x1d0 lib/refcount.c:25 Call Trace: <TASK> __refcount_add include/linux/refcount.h:-1 [inline] __refcount_inc include/linux/refcount.h:366 [inline] refcount_inc include/linux/refcount.h:383 [inline] sock_hold include/net/sock.h:816 [inline] mptcp_schedule_work+0x164/0x1a0 net/mptcp/protocol.c:943 mptcp_tout_timer+0x21/0xa0 net/mptcp/protocol.c:2316 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x648/0x970 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x22f/0x710 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] run_ktimerd+0xcf/0x190 kernel/softirq.c:1138 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 CVE-2025-40258 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40258.html CVE-2025-40258 https://bugzilla.suse.com/1254843 SUSE Bug 1254843 https://bugzilla.suse.com/1255053 SUSE Bug 1255053 In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Do not sleep in atomic context sg_finish_rem_req() calls blk_rq_unmap_user(). The latter function may sleep. Hence, call sg_finish_rem_req() with interrupts enabled instead of disabled. CVE-2025-40259 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40259.html CVE-2025-40259 https://bugzilla.suse.com/1254845 SUSE Bug 1254845 In the Linux kernel, the following vulnerability has been resolved: nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() nvme_fc_delete_assocation() waits for pending I/O to complete before returning, and an error can cause ->ioerr_work to be queued after cancel_work_sync() had been called. Move the call to cancel_work_sync() to be after nvme_fc_delete_association() to ensure ->ioerr_work is not running when the nvme_fc_ctrl object is freed. Otherwise the following can occur: [ 1135.911754] list_del corruption, ff2d24c8093f31f8->next is NULL [ 1135.917705] ------------[ cut here ]------------ [ 1135.922336] kernel BUG at lib/list_debug.c:52! [ 1135.926784] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 1135.931851] CPU: 48 UID: 0 PID: 726 Comm: kworker/u449:23 Kdump: loaded Not tainted 6.12.0 #1 PREEMPT(voluntary) [ 1135.943490] Hardware name: Dell Inc. PowerEdge R660/0HGTK9, BIOS 2.5.4 01/16/2025 [ 1135.950969] Workqueue: 0x0 (nvme-wq) [ 1135.954673] RIP: 0010:__list_del_entry_valid_or_report.cold+0xf/0x6f [ 1135.961041] Code: c7 c7 98 68 72 94 e8 26 45 fe ff 0f 0b 48 c7 c7 70 68 72 94 e8 18 45 fe ff 0f 0b 48 89 fe 48 c7 c7 80 69 72 94 e8 07 45 fe ff <0f> 0b 48 89 d1 48 c7 c7 a0 6a 72 94 48 89 c2 e8 f3 44 fe ff 0f 0b [ 1135.979788] RSP: 0018:ff579b19482d3e50 EFLAGS: 00010046 [ 1135.985015] RAX: 0000000000000033 RBX: ff2d24c8093f31f0 RCX: 0000000000000000 [ 1135.992148] RDX: 0000000000000000 RSI: ff2d24d6bfa1d0c0 RDI: ff2d24d6bfa1d0c0 [ 1135.999278] RBP: ff2d24c8093f31f8 R08: 0000000000000000 R09: ffffffff951e2b08 [ 1136.006413] R10: ffffffff95122ac8 R11: 0000000000000003 R12: ff2d24c78697c100 [ 1136.013546] R13: fffffffffffffff8 R14: 0000000000000000 R15: ff2d24c78697c0c0 [ 1136.020677] FS: 0000000000000000(0000) GS:ff2d24d6bfa00000(0000) knlGS:0000000000000000 [ 1136.028765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1136.034510] CR2: 00007fd207f90b80 CR3: 000000163ea22003 CR4: 0000000000f73ef0 [ 1136.041641] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1136.048776] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1136.055910] PKRU: 55555554 [ 1136.058623] Call Trace: [ 1136.061074] <TASK> [ 1136.063179] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.067540] ? show_trace_log_lvl+0x1b0/0x2f0 [ 1136.071898] ? move_linked_works+0x4a/0xa0 [ 1136.075998] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.081744] ? __die_body.cold+0x8/0x12 [ 1136.085584] ? die+0x2e/0x50 [ 1136.088469] ? do_trap+0xca/0x110 [ 1136.091789] ? do_error_trap+0x65/0x80 [ 1136.095543] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.101289] ? exc_invalid_op+0x50/0x70 [ 1136.105127] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.110874] ? asm_exc_invalid_op+0x1a/0x20 [ 1136.115059] ? __list_del_entry_valid_or_report.cold+0xf/0x6f [ 1136.120806] move_linked_works+0x4a/0xa0 [ 1136.124733] worker_thread+0x216/0x3a0 [ 1136.128485] ? __pfx_worker_thread+0x10/0x10 [ 1136.132758] kthread+0xfa/0x240 [ 1136.135904] ? __pfx_kthread+0x10/0x10 [ 1136.139657] ret_from_fork+0x31/0x50 [ 1136.143236] ? __pfx_kthread+0x10/0x10 [ 1136.146988] ret_from_fork_asm+0x1a/0x30 [ 1136.150915] </TASK> CVE-2025-40261 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40261.html CVE-2025-40261 https://bugzilla.suse.com/1254839 SUSE Bug 1254839 In the Linux kernel, the following vulnerability has been resolved: Input: imx_sc_key - fix memory corruption on unload This is supposed to be "priv" but we accidentally pass "&priv" which is an address in the stack and so it will lead to memory corruption when the imx_sc_key_action() function is called. Remove the &. CVE-2025-40262 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40262.html CVE-2025-40262 https://bugzilla.suse.com/1254840 SUSE Bug 1254840 In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_keyb_work() in such case. Unable to handle kernel read from unreadable memory at virtual address 0000000000000028 ... x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: input_event cros_ec_keyb_work blocking_notifier_call_chain ec_irq_thread It's still unknown about why the kernel receives such malformed event, in any cases, the kernel shouldn't access `ckdev->idev` and friends if the driver doesn't intend to initialize them. CVE-2025-40263 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40263.html CVE-2025-40263 https://bugzilla.suse.com/1255077 SUSE Bug 1255077 In the Linux kernel, the following vulnerability has been resolved: be2net: pass wrb_params in case of OS2BMC be_insert_vlan_in_pkt() is called with the wrb_params argument being NULL at be_send_pkt_to_bmc() call site. This may lead to dereferencing a NULL pointer when processing a workaround for specific packet, as commit bc0c3405abbb ("be2net: fix a Tx stall bug caused by a specific ipv6 packet") states. The correct way would be to pass the wrb_params from be_xmit(). CVE-2025-40264 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40264.html CVE-2025-40264 https://bugzilla.suse.com/1254835 SUSE Bug 1254835 In the Linux kernel, the following vulnerability has been resolved: cifs: client: fix memory leak in smb3_fs_context_parse_param The user calls fsconfig twice, but when the program exits, free() only frees ctx->source for the second fsconfig, not the first. Regarding fc->source, there is no code in the fs context related to its memory reclamation. To fix this memory leak, release the source memory corresponding to ctx or fc before each parsing. syzbot reported: BUG: memory leak unreferenced object 0xffff888128afa360 (size 96): backtrace (crc 79c9c7ba): kstrdup+0x3c/0x80 mm/util.c:84 smb3_fs_context_parse_param+0x229b/0x36c0 fs/smb/client/fs_context.c:1444 BUG: memory leak unreferenced object 0xffff888112c7d900 (size 96): backtrace (crc 79c9c7ba): smb3_fs_context_fullpath+0x70/0x1b0 fs/smb/client/fs_context.c:629 smb3_fs_context_parse_param+0x2266/0x36c0 fs/smb/client/fs_context.c:1438 CVE-2025-40268 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40268.html CVE-2025-40268 https://bugzilla.suse.com/1255082 SUSE Bug 1255082 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential overflow of PCM transfer buffer The PCM stream data in USB-audio driver is transferred over USB URB packet buffers, and each packet size is determined dynamically. The packet sizes are limited by some factors such as wMaxPacketSize USB descriptor. OTOH, in the current code, the actually used packet sizes are determined only by the rate and the PPS, which may be bigger than the size limit above. This results in a buffer overflow, as reported by syzbot. Basically when the limit is smaller than the calculated packet size, it implies that something is wrong, most likely a weird USB descriptor. So the best option would be just to return an error at the parameter setup time before doing any further operations. This patch introduces such a sanity check, and returns -EINVAL when the packet size is greater than maxpacksize. The comparison with ep->packsize[1] alone should suffice since it's always equal or greater than ep->packsize[0]. CVE-2025-40269 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40269.html CVE-2025-40269 https://bugzilla.suse.com/1255035 SUSE Bug 1255035 In the Linux kernel, the following vulnerability has been resolved: fs/proc: fix uaf in proc_readdir_de() Pde is erased from subdir rbtree through rb_erase(), but not set the node to EMPTY, which may result in uaf access. We should use RB_CLEAR_NODE() set the erased node to EMPTY, then pde_subdir_next() will return NULL to avoid uaf access. We found an uaf issue while using stress-ng testing, need to run testcase getdent and tun in the same time. The steps of the issue is as follows: 1) use getdent to traverse dir /proc/pid/net/dev_snmp6/, and current pde is tun3; 2) in the [time windows] unregister netdevice tun3 and tun2, and erase them from rbtree. erase tun3 first, and then erase tun2. the pde(tun2) will be released to slab; 3) continue to getdent process, then pde_subdir_next() will return pde(tun2) which is released, it will case uaf access. CPU 0 | CPU 1 ------------------------------------------------------------------------- traverse dir /proc/pid/net/dev_snmp6/ | unregister_netdevice(tun->dev) //tun3 tun2 sys_getdents64() | iterate_dir() | proc_readdir() | proc_readdir_de() | snmp6_unregister_dev() pde_get(de); | proc_remove() read_unlock(&proc_subdir_lock); | remove_proc_subtree() | write_lock(&proc_subdir_lock); [time window] | rb_erase(&root->subdir_node, &parent->subdir); | write_unlock(&proc_subdir_lock); read_lock(&proc_subdir_lock); | next = pde_subdir_next(de); | pde_put(de); | de = next; //UAF | rbtree of dev_snmp6 | pde(tun3) / \ NULL pde(tun2) CVE-2025-40271 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40271.html CVE-2025-40271 https://bugzilla.suse.com/1255297 SUSE Bug 1255297 In the Linux kernel, the following vulnerability has been resolved: mm/secretmem: fix use-after-free race in fault handler When a page fault occurs in a secret memory file created with `memfd_secret(2)`, the kernel will allocate a new folio for it, mark the underlying page as not-present in the direct map, and add it to the file mapping. If two tasks cause a fault in the same page concurrently, both could end up allocating a folio and removing the page from the direct map, but only one would succeed in adding the folio to the file mapping. The task that failed undoes the effects of its attempt by (a) freeing the folio again and (b) putting the page back into the direct map. However, by doing these two operations in this order, the page becomes available to the allocator again before it is placed back in the direct mapping. If another task attempts to allocate the page between (a) and (b), and the kernel tries to access it via the direct map, it would result in a supervisor not-present page fault. Fix the ordering to restore the direct map before the folio is freed. CVE-2025-40272 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40272.html CVE-2025-40272 https://bugzilla.suse.com/1254832 SUSE Bug 1254832 In the Linux kernel, the following vulnerability has been resolved: NFSD: free copynotify stateid in nfs4_free_ol_stateid() Typically copynotify stateid is freed either when parent's stateid is being close/freed or in nfsd4_laundromat if the stateid hasn't been used in a lease period. However, in case when the server got an OPEN (which created a parent stateid), followed by a COPY_NOTIFY using that stateid, followed by a client reboot. New client instance while doing CREATE_SESSION would force expire previous state of this client. It leads to the open state being freed thru release_openowner-> nfs4_free_ol_stateid() and it finds that it still has copynotify stateid associated with it. We currently print a warning and is triggerred WARNING: CPU: 1 PID: 8858 at fs/nfsd/nfs4state.c:1550 nfs4_free_ol_stateid+0xb0/0x100 [nfsd] This patch, instead, frees the associated copynotify stateid here. If the parent stateid is freed (without freeing the copynotify stateids associated with it), it leads to the list corruption when laundromat ends up freeing the copynotify state later. [ 1626.839430] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 1626.842828] Modules linked in: nfnetlink_queue nfnetlink_log bluetooth cfg80211 rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd nfs_acl lockd grace nfs_localio ext4 crc16 mbcache jbd2 overlay uinput snd_seq_dummy snd_hrtimer qrtr rfkill vfat fat uvcvideo snd_hda_codec_generic videobuf2_vmalloc videobuf2_memops snd_hda_intel uvc snd_intel_dspcfg videobuf2_v4l2 videobuf2_common snd_hda_codec snd_hda_core videodev snd_hwdep snd_seq mc snd_seq_device snd_pcm snd_timer snd soundcore sg loop auth_rpcgss vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs 8021q garp stp llc mrp nvme ghash_ce e1000e nvme_core sr_mod nvme_keyring nvme_auth cdrom vmwgfx drm_ttm_helper ttm sunrpc dm_mirror dm_region_hash dm_log iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi fuse dm_multipath dm_mod nfnetlink [ 1626.855594] CPU: 2 UID: 0 PID: 199 Comm: kworker/u24:33 Kdump: loaded Tainted: G B W 6.17.0-rc7+ #22 PREEMPT(voluntary) [ 1626.857075] Tainted: [B]=BAD_PAGE, [W]=WARN [ 1626.857573] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 1626.858724] Workqueue: nfsd4 laundromat_main [nfsd] [ 1626.859304] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1626.860010] pc : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.860601] lr : __list_del_entry_valid_or_report+0x148/0x200 [ 1626.861182] sp : ffff8000881d7a40 [ 1626.861521] x29: ffff8000881d7a40 x28: 0000000000000018 x27: ffff0000c2a98200 [ 1626.862260] x26: 0000000000000600 x25: 0000000000000000 x24: ffff8000881d7b20 [ 1626.862986] x23: ffff0000c2a981e8 x22: 1fffe00012410e7d x21: ffff0000920873e8 [ 1626.863701] x20: ffff0000920873e8 x19: ffff000086f22998 x18: 0000000000000000 [ 1626.864421] x17: 20747562202c3839 x16: 3932326636383030 x15: 3030666666662065 [ 1626.865092] x14: 6220646c756f6873 x13: 0000000000000001 x12: ffff60004fd9e4a3 [ 1626.865713] x11: 1fffe0004fd9e4a2 x10: ffff60004fd9e4a2 x9 : dfff800000000000 [ 1626.866320] x8 : 00009fffb0261b5e x7 : ffff00027ecf2513 x6 : 0000000000000001 [ 1626.866938] x5 : ffff00027ecf2510 x4 : ffff60004fd9e4a3 x3 : 0000000000000000 [ 1626.867553] x2 : 0000000000000000 x1 : ffff000096069640 x0 : 000000000000006d [ 1626.868167] Call trace: [ 1626.868382] __list_del_entry_valid_or_report+0x148/0x200 (P) [ 1626.868876] _free_cpntf_state_locked+0xd0/0x268 [nfsd] [ 1626.869368] nfs4_laundromat+0x6f8/0x1058 [nfsd] [ 1626.869813] laundromat_main+0x24/0x60 [nfsd] [ 1626.870231] process_one_work+0x584/0x1050 [ 1626.870595] worker_thread+0x4c4/0xc60 [ 1626.870893] kthread+0x2f8/0x398 [ 1626.871146] ret_from_fork+0x10/0x20 [ 1626.871422] Code: aa1303e1 aa1403e3 910e8000 97bc55d7 (d4210000) [ 1626.871892] SMP: stopping secondary CPUs CVE-2025-40273 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40273.html CVE-2025-40273 https://bugzilla.suse.com/1254828 SUSE Bug 1254828 In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifying the memslot side of the binding in kvm_gmem_release() will write to freed memory, as detected by syzbot+KASAN: ================================================================== BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 Write of size 8 at addr ffff88807befa508 by task syz.0.17/6022 CPU: 0 UID: 0 PID: 6022 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 kvm_gmem_release+0x176/0x440 virt/kvm/guest_memfd.c:353 __fput+0x44c/0xa70 fs/file_table.c:468 task_work_run+0x1d4/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline] do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbeeff8efc9 </TASK> Allocated by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:262 [inline] __kmalloc_cache_noprof+0x3e2/0x700 mm/slub.c:5758 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] kvm_set_memory_region+0x747/0xb90 virt/kvm/kvm_main.c:2104 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6023: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2533 [inline] slab_free mm/slub.c:6622 [inline] kfree+0x19a/0x6d0 mm/slub.c:6829 kvm_set_memory_region+0x9c4/0xb90 virt/kvm/kvm_main.c:2130 kvm_vm_ioctl_set_memory_region+0x6f/0xd0 virt/kvm/kvm_main.c:2154 kvm_vm_ioctl+0x957/0xc60 virt/kvm/kvm_main.c:5201 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Deliberately don't acquire filemap invalid lock when the file is dying as the lifecycle of f_mapping is outside the purview of KVM. Dereferencing the mapping is *probably* fine, but there's no need to invalidate anything as memslot deletion is responsible for zapping SPTEs, and the only code that can access the dying file is kvm_gmem_release(), whose core code is mutual ---truncated--- CVE-2025-40274 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40274.html CVE-2025-40274 https://bugzilla.suse.com/1254830 SUSE Bug 1254830 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor. This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference. This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor. CVE-2025-40275 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40275.html CVE-2025-40275 https://bugzilla.suse.com/1254829 SUSE Bug 1254829 In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE This data originates from userspace and is used in buffer offset calculations which could potentially overflow causing an out-of-bounds access. CVE-2025-40277 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40277.html CVE-2025-40277 https://bugzilla.suse.com/1254894 SUSE Bug 1254894 In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied. This change silences the KMSAN report and prevents potential information leaks from the kernel memory. This fix has been tested and validated by syzbot. This patch closes the bug reported at the following syzkaller link and ensures no infoleak. CVE-2025-40278 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40278.html CVE-2025-40278 https://bugzilla.suse.com/1254825 SUSE Bug 1254825 In the Linux kernel, the following vulnerability has been resolved: net: sched: act_connmark: initialize struct tc_ife to fix kernel leak In tcf_connmark_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are reamined uninitialized. nla_put() copies the entire structure into a netlink message, these uninitialized bytes leaked to userspace. Initialize the structure with memset before assigning its fields to ensure all members and padding are cleared prior to beign copied. CVE-2025-40279 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40279.html CVE-2025-40279 https://bugzilla.suse.com/1254846 SUSE Bug 1254846 In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_mon_reinit_self(). syzbot reported use-after-free of tipc_net(net)->monitors[] in tipc_mon_reinit_self(). [0] The array is protected by RTNL, but tipc_mon_reinit_self() iterates over it without RTNL. tipc_mon_reinit_self() is called from tipc_net_finalize(), which is always under RTNL except for tipc_net_finalize_work(). Let's hold RTNL in tipc_net_finalize_work(). [0]: BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff88805eae1030 by task kworker/0:7/5989 CPU: 0 UID: 0 PID: 5989 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: events tipc_net_finalize_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:568 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa7/0xf0 kernel/locking/spinlock.c:162 rtlock_slowlock kernel/locking/rtmutex.c:1894 [inline] rwbase_rtmutex_lock_state kernel/locking/spinlock_rt.c:160 [inline] rwbase_write_lock+0xd3/0x7e0 kernel/locking/rwbase_rt.c:244 rt_write_lock+0x76/0x110 kernel/locking/spinlock_rt.c:243 write_lock_bh include/linux/rwlock_rt.h:99 [inline] tipc_mon_reinit_self+0x79/0x430 net/tipc/monitor.c:718 tipc_net_finalize+0x115/0x190 net/tipc/net.c:140 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x439/0x7d0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6089: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x1a8/0x320 mm/slub.c:4407 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tipc_mon_create+0xc3/0x4d0 net/tipc/monitor.c:657 tipc_enable_bearer net/tipc/bearer.c:357 [inline] __tipc_nl_bearer_enable+0xe16/0x13f0 net/tipc/bearer.c:1047 __tipc_nl_compat_doit net/tipc/netlink_compat.c:371 [inline] tipc_nl_compat_doit+0x3bc/0x5f0 net/tipc/netlink_compat.c:393 tipc_nl_compat_handle net/tipc/netlink_compat.c:-1 [inline] tipc_nl_compat_recv+0x83c/0xbe0 net/tipc/netlink_compat.c:1321 genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x508/0x820 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/ ---truncated--- CVE-2025-40280 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40280.html CVE-2025-40280 https://bugzilla.suse.com/1254847 SUSE Bug 1254847 https://bugzilla.suse.com/1254951 SUSE Bug 1254951 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: 6lowpan: reset link-local header on ipv6 recv path Bluetooth 6lowpan.c netdev has header_ops, so it must set link-local header for RX skb, otherwise things crash, eg. with AF_PACKET SOCK_RAW Add missing skb_reset_mac_header() for uncompressed ipv6 RX path. For the compressed one, it is done in lowpan_header_decompress(). Log: (BlueZ 6lowpan-tester Client Recv Raw - Success) ------ kernel BUG at net/core/skbuff.c:212! Call Trace: <IRQ> ... packet_rcv (net/packet/af_packet.c:2152) ... <TASK> __local_bh_enable_ip (kernel/softirq.c:407) netif_rx (net/core/dev.c:5648) chan_recv_cb (net/bluetooth/6lowpan.c:294 net/bluetooth/6lowpan.c:359) ------ CVE-2025-40282 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40282.html CVE-2025-40282 https://bugzilla.suse.com/1254850 SUSE Bug 1254850 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF There is a KASAN: slab-use-after-free read in btusb_disconnect(). Calling "usb_driver_release_interface(&btusb_driver, data->intf)" will free the btusb data associated with the interface. The same data is then used later in the function, hence the UAF. Fix by moving the accesses to btusb data to before the data is free'd. CVE-2025-40283 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40283.html CVE-2025-40283 https://bugzilla.suse.com/1254858 SUSE Bug 1254858 https://bugzilla.suse.com/1254859 SUSE Bug 1254859 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "Mesh - Send cancel - 1" test). Log: ------ BUG: KASAN: slab-use-after-free in run_timer_softirq+0x76b/0x7d0 ... Freed by task 36: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kfree+0x103/0x500 device_release+0x9a/0x210 kobject_put+0x100/0x1e0 vhci_release+0x18b/0x240 ------ CVE-2025-40284 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40284.html CVE-2025-40284 https://bugzilla.suse.com/1254860 SUSE Bug 1254860 https://bugzilla.suse.com/1257669 SUSE Bug 1257669 In the Linux kernel, the following vulnerability has been resolved: exfat: fix improper check of dentry.stream.valid_size We found an infinite loop bug in the exFAT file system that can lead to a Denial-of-Service (DoS) condition. When a dentry in an exFAT filesystem is malformed, the following system calls - SYS_openat, SYS_ftruncate, and SYS_pwrite64 - can cause the kernel to hang. Root cause analysis shows that the size validation code in exfat_find() does not check whether dentry.stream.valid_size is negative. As a result, the system calls mentioned above can succeed and eventually trigger the DoS issue. This patch adds a check for negative dentry.stream.valid_size to prevent this vulnerability. CVE-2025-40287 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40287.html CVE-2025-40287 https://bugzilla.suse.com/1255030 SUSE Bug 1255030 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix NULL pointer dereference in VRAM logic for APU devices Previously, APU platforms (and other scenarios with uninitialized VRAM managers) triggered a NULL pointer dereference in `ttm_resource_manager_usage()`. The root cause is not that the `struct ttm_resource_manager *man` pointer itself is NULL, but that `man->bdev` (the backing device pointer within the manager) remains uninitialized (NULL) on APUs-since APUs lack dedicated VRAM and do not fully set up VRAM manager structures. When `ttm_resource_manager_usage()` attempts to acquire `man->bdev->lru_lock`, it dereferences the NULL `man->bdev`, leading to a kernel OOPS. 1. **amdgpu_cs.c**: Extend the existing bandwidth control check in `amdgpu_cs_get_threshold_for_moves()` to include a check for `ttm_resource_manager_used()`. If the manager is not used (uninitialized `bdev`), return 0 for migration thresholds immediately-skipping VRAM-specific logic that would trigger the NULL dereference. 2. **amdgpu_kms.c**: Update the `AMDGPU_INFO_VRAM_USAGE` ioctl and memory info reporting to use a conditional: if the manager is used, return the real VRAM usage; otherwise, return 0. This avoids accessing `man->bdev` when it is NULL. 3. **amdgpu_virt.c**: Modify the vf2pf (virtual function to physical function) data write path. Use `ttm_resource_manager_used()` to check validity: if the manager is usable, calculate `fb_usage` from VRAM usage; otherwise, set `fb_usage` to 0 (APUs have no discrete framebuffer to report). This approach is more robust than APU-specific checks because it: - Works for all scenarios where the VRAM manager is uninitialized (not just APUs), - Aligns with TTM's design by using its native helper function, - Preserves correct behavior for discrete GPUs (which have fully initialized `man->bdev` and pass the `ttm_resource_manager_used()` check). v4: use ttm_resource_manager_used(&adev->mman.vram_mgr.manager) instead of checking the adev->gmc.is_app_apu flag (Christian) CVE-2025-40288 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40288.html CVE-2025-40288 https://bugzilla.suse.com/1255057 SUSE Bug 1255057 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: hide VRAM sysfs attributes on GPUs without VRAM Otherwise accessing them can cause a crash. CVE-2025-40289 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40289.html CVE-2025-40289 https://bugzilla.suse.com/1255042 SUSE Bug 1255042 In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one. This commit fixes the received length check corresponding to the new change. CVE-2025-40292 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40292.html CVE-2025-40292 https://bugzilla.suse.com/1255175 SUSE Bug 1255175 In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. CVE-2025-40293 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40293.html CVE-2025-40293 https://bugzilla.suse.com/1255179 SUSE Bug 1255179 In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabled can lead to fdb learning at a time when it shouldn't happen while the port is being deleted. VLAN filtering must be disabled because we flush the port VLANs when it's being deleted which will stop learning. This fix adds a check for the port's vlan group which is initialized to NULL when the port is getting deleted, that avoids the port state bypass. When MST is enabled there would be a minimal new overhead in the fast-path because the port's vlan group pointer is cache-hot. [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be CVE-2025-40297 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40297.html CVE-2025-40297 https://bugzilla.suse.com/1255187 SUSE Bug 1255187 https://bugzilla.suse.com/1255895 SUSE Bug 1255895 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->data. CVE-2025-40301 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40301.html CVE-2025-40301 https://bugzilla.suse.com/1255193 SUSE Bug 1255193 In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer size mismatches. Without the character count update, bit_putcs_aligned and bit_putcs_unaligned receive mismatched parameters where the buffer is allocated for the clipped width but cnt reflects the original larger count, causing out-of-bounds writes. CVE-2025-40304 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40304.html CVE-2025-40304 https://bugzilla.suse.com/1255034 SUSE Bug 1255034 In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer variable in the loop condition > rather than dereferencing it. As `key` is incremented, it remains non-NULL > (until it runs into unmapped memory), so the loop does not terminate on > valid C strings and will walk memory indefinitely, consuming CPU or hanging > the thread. I easily reproduced this with setfattr and getfattr, causing a kernel oops, hung user processes and corrupted orangefs files. Disclosure sent along a diff (not a patch) with a suggested fix, which I based this patch on. After xattr_key started working right, xfstest generic/069 exposed an xattr related memory leak that lead to OOM. xattr_key returns a hashed key. When adding xattrs to the orangefs xattr cache, orangefs used hash_add, a kernel hashing macro. hash_add also hashes the key using hash_log which resulted in additions to the xattr cache going to the wrong hash bucket. generic/069 tortures a single file and orangefs does a getattr for the xattr "security.capability" every time. Orangefs negative caches on xattrs which includes a kmalloc. Since adds to the xattr cache were going to the wrong bucket, every getattr for "security.capability" resulted in another kmalloc, none of which were ever freed. I changed the two uses of hash_add to hlist_add_head instead and the memory leak ceased and generic/069 quit throwing furniture. CVE-2025-40306 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40306.html CVE-2025-40306 https://bugzilla.suse.com/1255062 SUSE Bug 1255062 In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can reallocate the allocated entries. In addition, the allocation bitmap is also zeroed out, so cluster 6 can be reallocated. This patch adds exfat_test_bitmap_range to validate that clusters used for the allocation bitmap are correctly marked as in-use. CVE-2025-40307 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40307.html CVE-2025-40307 https://bugzilla.suse.com/1255039 SUSE Bug 1255039 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace: <TASK> hci_uart_tty_receive+0x194/0x220 drivers/bluetooth/hci_ldisc.c:627 tiocsti+0x23c/0x2c0 drivers/tty/tty_io.c:2290 tty_ioctl+0x626/0xde0 drivers/tty/tty_io.c:2706 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f To prevent this, ensure that the HCI_UART_REGISTERED flag is set before processing received data. If the protocol is not registered, return -EUNATCH. CVE-2025-40308 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40308.html CVE-2025-40308 https://bugzilla.suse.com/1255064 SUSE Bug 1255064 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: slab-use-after-free in sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 Write of size 8 at addr ffff88811cb96b50 by task kworker/u17:4/352 CPU: 1 UID: 0 PID: 352 Comm: kworker/u17:4 Not tainted 6.17.0-rc5-g717368f83676 #4 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: hci13 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x10b/0x170 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x191/0x550 mm/kasan/report.c:482 kasan_report+0xc4/0x100 mm/kasan/report.c:595 sco_conn_free net/bluetooth/sco.c:87 [inline] kref_put include/linux/kref.h:65 [inline] sco_conn_put+0xdd/0x410 net/bluetooth/sco.c:107 sco_connect_cfm+0xb4/0xae0 net/bluetooth/sco.c:1441 hci_connect_cfm include/net/bluetooth/hci_core.h:2082 [inline] hci_conn_failed+0x20a/0x2e0 net/bluetooth/hci_conn.c:1313 hci_conn_unlink+0x55f/0x810 net/bluetooth/hci_conn.c:1121 hci_conn_del+0xb6/0x1110 net/bluetooth/hci_conn.c:1147 hci_abort_conn_sync+0x8c5/0xbb0 net/bluetooth/hci_sync.c:5689 hci_cmd_sync_work+0x281/0x380 net/bluetooth/hci_sync.c:332 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0x77e/0x1040 kernel/workqueue.c:3319 worker_thread+0xbee/0x1200 kernel/workqueue.c:3400 kthread+0x3c7/0x870 kernel/kthread.c:463 ret_from_fork+0x13a/0x1e0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 31370: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0x82/0x90 mm/kasan/common.c:405 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4382 [inline] __kmalloc_noprof+0x22f/0x390 mm/slub.c:4394 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xae/0x220 net/core/sock.c:2239 sk_alloc+0x34/0x5a0 net/core/sock.c:2295 bt_sock_alloc+0x3c/0x330 net/bluetooth/af_bluetooth.c:151 sco_sock_alloc net/bluetooth/sco.c:562 [inline] sco_sock_create+0xc0/0x350 net/bluetooth/sco.c:593 bt_sock_create+0x161/0x3b0 net/bluetooth/af_bluetooth.c:135 __sock_create+0x3ad/0x780 net/socket.c:1589 sock_create net/socket.c:1647 [inline] __sys_socket_create net/socket.c:1684 [inline] __sys_socket+0xd5/0x330 net/socket.c:1731 __do_sys_socket net/socket.c:1745 [inline] __se_sys_socket net/socket.c:1743 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1743 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x240 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 31374: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x30/0x70 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x3d/0x50 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2428 [inline] slab_free mm/slub.c:4701 [inline] kfree+0x199/0x3b0 mm/slub.c:4900 sk_prot_free net/core/sock.c:2278 [inline] __sk_destruct+0x4aa/0x630 net/core/sock.c:2373 sco_sock_release+0x2ad/0x300 net/bluetooth/sco.c:1333 __sock_release net/socket.c:649 [inline] sock_close+0xb8/0x230 net/socket.c:1439 __fput+0x3d1/0x9e0 fs/file_table.c:468 task_work_run+0x206/0x2a0 kernel/task_work.c:227 get_signal+0x1201/0x1410 kernel/signal.c:2807 arch_do_signal_or_restart+0x34/0x740 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x68/0xc0 kernel/entry/common.c:40 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline] s ---truncated--- CVE-2025-40309 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40309.html CVE-2025-40309 https://bugzilla.suse.com/1255065 SUSE Bug 1255065 https://bugzilla.suse.com/1255066 SUSE Bug 1255066 In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and kfree(kfd), and KGD interrupt generated. kernel panic log: BUG: kernel NULL pointer dereference, address: 0000000000000098 amdgpu 0000:c8:00.0: amdgpu: Requesting 4 partitions through PSP PGD d78c68067 P4D d78c68067 kfd kfd: amdgpu: Allocated 3969056 bytes on gart PUD 1465b8067 PMD @ Oops: @002 [#1] SMP NOPTI kfd kfd: amdgpu: Total number of KFD nodes to be created: 4 CPU: 115 PID: @ Comm: swapper/115 Kdump: loaded Tainted: G S W OE K RIP: 0010:_raw_spin_lock_irqsave+0x12/0x40 Code: 89 e@ 41 5c c3 cc cc cc cc 66 66 2e Of 1f 84 00 00 00 00 00 OF 1f 40 00 Of 1f 44% 00 00 41 54 9c 41 5c fa 31 cO ba 01 00 00 00 <fO> OF b1 17 75 Ba 4c 89 e@ 41 Sc 89 c6 e8 07 38 5d RSP: 0018: ffffc90@1a6b0e28 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000018 0000000000000001 RSI: ffff8883bb623e00 RDI: 0000000000000098 ffff8883bb000000 RO8: ffff888100055020 ROO: ffff888100055020 0000000000000000 R11: 0000000000000000 R12: 0900000000000002 ffff888F2b97da0@ R14: @000000000000098 R15: ffff8883babdfo00 CS: 010 DS: 0000 ES: 0000 CRO: 0000000080050033 CR2: 0000000000000098 CR3: 0000000e7cae2006 CR4: 0000000002770ce0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 0000000000000000 DR6: 00000000fffeO7FO DR7: 0000000000000400 PKRU: 55555554 Call Trace: <IRQ> kgd2kfd_interrupt+@x6b/0x1f@ [amdgpu] ? amdgpu_fence_process+0xa4/0x150 [amdgpu] kfd kfd: amdgpu: Node: 0, interrupt_bitmap: 3 YcpxFl Rant tErace amdgpu_irq_dispatch+0x165/0x210 [amdgpu] amdgpu_ih_process+0x80/0x100 [amdgpu] amdgpu: Virtual CRAT table created for GPU amdgpu_irq_handler+0x1f/@x60 [amdgpu] __handle_irq_event_percpu+0x3d/0x170 amdgpu: Topology: Add dGPU node [0x74a2:0x1002] handle_irq_event+0x5a/@xcO handle_edge_irq+0x93/0x240 kfd kfd: amdgpu: KFD node 1 partition @ size 49148M asm_call_irq_on_stack+0xf/@x20 </IRQ> common_interrupt+0xb3/0x130 asm_common_interrupt+0x1le/0x40 5.10.134-010.a1i5000.a18.x86_64 #1 CVE-2025-40310 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40310.html CVE-2025-40310 https://bugzilla.suse.com/1255041 SUSE Bug 1255041 In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes. The memory is still driver-allocated and cannot be accessed directly by userspace. CVE-2025-40311 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40311.html CVE-2025-40311 https://bugzilla.suse.com/1255068 SUSE Bug 1255068 In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does. CVE-2025-40312 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40312.html CVE-2025-40312 https://bugzilla.suse.com/1255046 SUSE Bug 1255046 In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By separating the usb_del_gadget_udc() operation into distinct "del" and "put" steps, cdnsp_gadget_free_endpoints() can be executed prior to the final release of the gadget structure with usb_put_gadget(). A patch similar to bb9c74a5bd14("usb: dwc3: gadget: Free gadget structure only after freeing endpoints"). CVE-2025-40314 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40314.html CVE-2025-40314 https://bugzilla.suse.com/1255072 SUSE Bug 1255072 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ffs_data_clear() and ffs_data_close() functions, and its modification is protected by the spinlock ffs->eps_lock. And the whole ffs_func_eps_enable() function is also protected by ffs->eps_lock. Thus, add NULL pointer handling for ffs->epfiles in the ffs_func_eps_enable() function to fix issues CVE-2025-40315 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40315.html CVE-2025-40315 https://bugzilla.suse.com/1255083 SUSE Bug 1255083 In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This results in a reference imbalance on component bind() failures and on unbind() which could lead to a user-after-free. Make sure to only drop the references after retrieving the driver data by effectively reverting the previous partial fix. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. CVE-2025-40316 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40316.html CVE-2025-40316 https://bugzilla.suse.com/1254797 SUSE Bug 1254797 In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit breaks audio playback, for instance, on sdm845 Thundercomm Dragonboard 845c board: Unable to handle kernel paging request at virtual address ffff8000847cbad4 ... CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT Hardware name: Thundercomm Dragonboard 845c (DT) ... Call trace: slim_xfer_msg+0x24/0x1ac [slimbus] (P) slim_read+0x48/0x74 [slimbus] regmap_slimbus_read+0x18/0x24 [regmap_slimbus] _regmap_raw_read+0xe8/0x174 _regmap_bus_read+0x44/0x80 _regmap_read+0x60/0xd8 _regmap_update_bits+0xf4/0x140 _regmap_select_page+0xa8/0x124 _regmap_raw_write_impl+0x3b8/0x65c _regmap_bus_raw_write+0x60/0x80 _regmap_write+0x58/0xc0 regmap_write+0x4c/0x80 wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] snd_pcm_hw_params+0x124/0x464 [snd_pcm] snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] snd_pcm_ioctl+0x34/0x4c [snd_pcm] __arm64_sys_ioctl+0xac/0x104 invoke_syscall+0x48/0x104 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xec el0t_64_sync_handler+0xa0/0xf0 el0t_64_sync+0x198/0x19c The __devm_regmap_init_slimbus() started to be used instead of __regmap_init_slimbus() after the commit mentioned above and turns out the incorrect bus_context pointer (3rd argument) was used in __devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or the first user of devm_regmap_init_slimbus() but we should fix it till the point where __devm_regmap_init_slimbus() was introduced therefore two "Fixes" tags. While at this, also correct the same argument in __regmap_init_slimbus(). CVE-2025-40317 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40317.html CVE-2025-40317 https://bugzilla.suse.com/1254796 SUSE Bug 1254796 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the same entry, leading to double list_del() and "UAF". Fix this by holding cmd_sync_work_lock across both lookup and cancel, so that the entry cannot be removed concurrently. CVE-2025-40318 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40318.html CVE-2025-40318 https://bugzilla.suse.com/1254798 SUSE Bug 1254798 In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer. CVE-2025-40319 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40319.html CVE-2025-40319 https://bugzilla.suse.com/1254794 SUSE Bug 1254794 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitialize cfid to NULL under the replay label. Example trace (trimmed): refcount_t: underflow; use-after-free. WARNING: CPU: 1 PID: 11224 at ../lib/refcount.c:28 refcount_warn_saturate+0x9c/0x110 [...] RIP: 0010:refcount_warn_saturate+0x9c/0x110 [...] Call Trace: <TASK> smb2_query_info_compound+0x29c/0x5c0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? step_into+0x10d/0x690 ? __legitimize_path+0x28/0x60 smb2_queryfs+0x6a/0xf0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] smb311_queryfs+0x12d/0x140 [cifs f90b72658819bd21c94769b6a652029a07a7172f] ? kmem_cache_alloc+0x18a/0x340 ? getname_flags+0x46/0x1e0 cifs_statfs+0x9f/0x2b0 [cifs f90b72658819bd21c94769b6a652029a07a7172f] statfs_by_dentry+0x67/0x90 vfs_statfs+0x16/0xd0 user_statfs+0x54/0xa0 __do_sys_statfs+0x20/0x50 do_syscall_64+0x58/0x80 CVE-2025-40320 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40320.html CVE-2025-40320 https://bugzilla.suse.com/1254793 SUSE Bug 1254793 In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives an ANQP Query REQ Action frame even from an un-associated STA, the brcmfmac driver tries to use an uninitialized P2P vif pointer for sending the IOVAR to firmware. This NULL pointer dereferencing triggers a driver crash. [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [...] [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT) [...] [ 1417.075653] Call trace: [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac] [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac] [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211] [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211] [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158 [ 1417.076302] genl_rcv_msg+0x220/0x2a0 [ 1417.076317] netlink_rcv_skb+0x68/0x140 [ 1417.076330] genl_rcv+0x40/0x60 [ 1417.076343] netlink_unicast+0x330/0x3b8 [ 1417.076357] netlink_sendmsg+0x19c/0x3f8 [ 1417.076370] __sock_sendmsg+0x64/0xc0 [ 1417.076391] ____sys_sendmsg+0x268/0x2a0 [ 1417.076408] ___sys_sendmsg+0xb8/0x118 [ 1417.076427] __sys_sendmsg+0x90/0xf8 [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40 [ 1417.076465] invoke_syscall+0x50/0x120 [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0 [ 1417.076506] do_el0_svc+0x24/0x38 [ 1417.076525] el0_svc+0x30/0x100 [ 1417.076548] el0t_64_sync_handler+0x100/0x130 [ 1417.076569] el0t_64_sync+0x190/0x198 [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000) Fix this, by always using the vif corresponding to the wdev on which the Action frame Transmission request was initiated by the userspace. This way, even if P2P vif is not available, the IOVAR is sent to firmware on AP vif and the ANQP Query RESP Action frame is transmitted without crashing the driver. Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev() to brcmf_p2p_attach(). Because the former function would not get executed when only hostapd is managing wlan interface, and it is not safe to do reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior init_completion(). And in the brcmf_p2p_tx_action_frame() function, the condition check for P2P Presence response frame is not needed, since the wpa_supplicant is properly sending the P2P Presense Response frame on the P2P-GO vif instead of the P2P-Device vif. [Cc stable] CVE-2025-40321 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40321.html CVE-2025-40321 https://bugzilla.suse.com/1254795 SUSE Bug 1254795 In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot. CVE-2025-40322 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40322.html CVE-2025-40322 https://bugzilla.suse.com/1255092 SUSE Bug 1255092 In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace: <TASK> dump_stack_lvl+0xab/0xe0 print_address_description.constprop.0+0x2c/0x390 print_report+0xb9/0x280 kasan_report+0xb8/0xf0 fb_mode_is_equal+0x285/0x2f0 fbcon_mode_deleted+0x129/0x180 fb_set_var+0xe7f/0x11d0 do_fb_ioctl+0x6a0/0x750 fb_ioctl+0xe0/0x140 __x64_sys_ioctl+0x193/0x210 do_syscall_64+0x5f/0x9c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e Based on experimentation and analysis, during framebuffer unregistration, only the memory of fb_info->modelist is freed, without setting the corresponding fb_display[i]->mode to NULL for the freed modes. This leads to UAF issues during subsequent accesses. Here's an example of reproduction steps: 1. With /dev/fb0 already registered in the system, load a kernel module to register a new device /dev/fb1; 2. Set fb1's mode to the global fb_display[] array (via FBIOPUT_CON2FBMAP); 3. Switch console from fb to VGA (to allow normal rmmod of the ko); 4. Unload the kernel module, at this point fb1's modelist is freed, leaving a wild pointer in fb_display[]; 5. Trigger the bug via system calls through fb0 attempting to delete a mode from fb0. Add a check in do_unregister_framebuffer(): if the mode to be freed exists in fb_display[], set the corresponding mode pointer to NULL. CVE-2025-40323 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40323.html CVE-2025-40323 https://bugzilla.suse.com/1255094 SUSE Bug 1255094 In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. CVE-2025-40324 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40324.html CVE-2025-40324 https://bugzilla.suse.com/1254791 SUSE Bug 1254791 In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in smb2_close_cached_fid() find_or_create_cached_dir() could grab a new reference after kref_put() had seen the refcount drop to zero but before cfid_list_lock is acquired in smb2_close_cached_fid(), leading to use-after-free. Switch to kref_put_lock() so cfid_release() is called with cfid_list_lock held, closing that gap. CVE-2025-40328 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40328.html CVE-2025-40328 https://bugzilla.suse.com/1254624 SUSE Bug 1254624 In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb The Mesa issue referenced below pointed out a possible deadlock: [ 1231.611031] Possible interrupt unsafe locking scenario: [ 1231.611033] CPU0 CPU1 [ 1231.611034] ---- ---- [ 1231.611035] lock(&xa->xa_lock#17); [ 1231.611038] local_irq_disable(); [ 1231.611039] lock(&fence->lock); [ 1231.611041] lock(&xa->xa_lock#17); [ 1231.611044] <Interrupt> [ 1231.611045] lock(&fence->lock); [ 1231.611047] *** DEADLOCK *** In this example, CPU0 would be any function accessing job->dependencies through the xa_* functions that don't disable interrupts (eg: drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling callback so in an interrupt context. It will deadlock when trying to grab the xa_lock which is already held by CPU0. Replacing all xa_* usage by their xa_*_irq counterparts would fix this issue, but Christian pointed out another issue: dma_fence_signal takes fence.lock and so does dma_fence_add_callback. dma_fence_signal() // locks f1.lock -> drm_sched_entity_kill_jobs_cb() -> foreach dependencies -> dma_fence_add_callback() // locks f2.lock This will deadlock if f1 and f2 share the same spinlock. To fix both issues, the code iterating on dependencies and re-arming them is moved out to drm_sched_entity_kill_jobs_work(). [phasta: commit message nits] CVE-2025-40329 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40329.html CVE-2025-40329 https://bugzilla.suse.com/1254621 SUSE Bug 1254621 In the Linux kernel, the following vulnerability has been resolved: sctp: Prevent TOCTOU out-of-bounds write For the following path not holding the sock lock, sctp_diag_dump() -> sctp_for_each_endpoint() -> sctp_ep_dump() make sure not to exceed bounds in case the address list has grown between buffer allocation (time-of-check) and write (time-of-use). CVE-2025-40331 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40331.html CVE-2025-40331 https://bugzilla.suse.com/1254615 SUSE Bug 1254615 In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Correctly handle Rx checksum offload errors The stmmac_rx function would previously set skb->ip_summed to CHECKSUM_UNNECESSARY if hardware checksum offload (CoE) was enabled and the packet was of a known IP ethertype. However, this logic failed to check if the hardware had actually reported a checksum error. The hardware status, indicating a header or payload checksum failure, was being ignored at this stage. This could cause corrupt packets to be passed up the network stack as valid. This patch corrects the logic by checking the `csum_none` status flag, which is set when the hardware reports a checksum error. If this flag is set, skb->ip_summed is now correctly set to CHECKSUM_NONE, ensuring the kernel's network stack will perform its own validation and properly handle the corrupt packet. CVE-2025-40337 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40337.html CVE-2025-40337 https://bugzilla.suse.com/1255081 SUSE Bug 1255081 In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Do not share the name pointer between components By sharing 'name' directly, tearing down components may lead to use-after-free errors. Duplicate the name to avoid that. At the same time, update the order of operations - since commit cee28113db17 ("ASoC: dmaengine_pcm: Allow passing component name via config") the framework does not override component->name if set before invoking the initializer. CVE-2025-40338 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40338.html CVE-2025-40338 https://bugzilla.suse.com/1255273 SUSE Bug 1255273 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix nullptr err of vm_handle_moved If a amdgpu_bo_va is fpriv->prt_va, the bo of this one is always NULL. So, such kind of amdgpu_bo_va should be updated separately before amdgpu_vm_handle_moved. CVE-2025-40339 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40339.html CVE-2025-40339 https://bugzilla.suse.com/1255428 SUSE Bug 1255428 In the Linux kernel, the following vulnerability has been resolved: nvme-fc: use lock accessing port_state and rport state nvme_fc_unregister_remote removes the remote port on a lport object at any point in time when there is no active association. This races with with the reconnect logic, because nvme_fc_create_association is not taking a lock to check the port_state and atomically increase the active count on the rport. CVE-2025-40342 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40342.html CVE-2025-40342 https://bugzilla.suse.com/1255274 SUSE Bug 1255274 https://bugzilla.suse.com/1255275 SUSE Bug 1255275 In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: avoid scheduling association deletion twice When forcefully shutting down a port via the configfs interface, nvmet_port_subsys_drop_link() first calls nvmet_port_del_ctrls() and then nvmet_disable_port(). Both functions will eventually schedule all remaining associations for deletion. The current implementation checks whether an association is about to be removed, but only after the work item has already been scheduled. As a result, it is possible for the first scheduled work item to free all resources, and then for the same work item to be scheduled again for deletion. Because the association list is an RCU list, it is not possible to take a lock and remove the list entry directly, so it cannot be looked up again. Instead, a flag (terminating) must be used to determine whether the association is already in the process of being deleted. CVE-2025-40343 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40343.html CVE-2025-40343 https://bugzilla.suse.com/1255276 SUSE Bug 1255276 https://bugzilla.suse.com/1255278 SUSE Bug 1255278 In the Linux kernel, the following vulnerability has been resolved: usb: storage: sddr55: Reject out-of-bound new_pba Discovered by Atuin - Automated Vulnerability Discovery Engine. new_pba comes from the status packet returned after each write. A bogus device could report values beyond the block count derived from info->capacity, letting the driver walk off the end of pba_to_lba[] and corrupt heap memory. Reject PBAs that exceed the computed block count and fail the transfer so we avoid touching out-of-range mapping entries. CVE-2025-40345 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40345.html CVE-2025-40345 https://bugzilla.suse.com/1255279 SUSE Bug 1255279 In the Linux kernel, the following vulnerability has been resolved: arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() Fix incorrect use of PTR_ERR_OR_ZERO() in topology_parse_cpu_capacity() which causes the code to proceed with NULL clock pointers. The current logic uses !PTR_ERR_OR_ZERO(cpu_clk) which evaluates to true for both valid pointers and NULL, leading to potential NULL pointer dereference in clk_get_rate(). Per include/linux/err.h documentation, PTR_ERR_OR_ZERO(ptr) returns: "The error code within @ptr if it is an error pointer; 0 otherwise." This means PTR_ERR_OR_ZERO() returns 0 for both valid pointers AND NULL pointers. Therefore !PTR_ERR_OR_ZERO(cpu_clk) evaluates to true (proceed) when cpu_clk is either valid or NULL, causing clk_get_rate(NULL) to be called when of_clk_get() returns NULL. Replace with !IS_ERR_OR_NULL(cpu_clk) which only proceeds for valid pointers, preventing potential NULL pointer dereference in clk_get_rate(). CVE-2025-40346 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40346.html CVE-2025-40346 https://bugzilla.suse.com/1255318 SUSE Bug 1255318 In the Linux kernel, the following vulnerability has been resolved: net: enetc: fix the deadlock of enetc_mdio_lock After applying the workaround for err050089, the LS1028A platform experiences RCU stalls on RT kernel. This issue is caused by the recursive acquisition of the read lock enetc_mdio_lock. Here list some of the call stacks identified under the enetc_poll path that may lead to a deadlock: enetc_poll -> enetc_lock_mdio -> enetc_clean_rx_ring OR napi_complete_done -> napi_gro_receive -> enetc_start_xmit -> enetc_lock_mdio -> enetc_map_tx_buffs -> enetc_unlock_mdio -> enetc_unlock_mdio After enetc_poll acquires the read lock, a higher-priority writer attempts to acquire the lock, causing preemption. The writer detects that a read lock is already held and is scheduled out. However, readers under enetc_poll cannot acquire the read lock again because a writer is already waiting, leading to a thread hang. Currently, the deadlock is avoided by adjusting enetc_lock_mdio to prevent recursive lock acquisition. CVE-2025-40347 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40347.html CVE-2025-40347 https://bugzilla.suse.com/1255262 SUSE Bug 1255262 In the Linux kernel, the following vulnerability has been resolved: hfs: validate record offset in hfsplus_bmap_alloc hfsplus_bmap_alloc can trigger a crash if a record offset or length is larger than node_size [ 15.264282] BUG: KASAN: slab-out-of-bounds in hfsplus_bmap_alloc+0x887/0x8b0 [ 15.265192] Read of size 8 at addr ffff8881085ca188 by task test/183 [ 15.265949] [ 15.266163] CPU: 0 UID: 0 PID: 183 Comm: test Not tainted 6.17.0-rc2-gc17b750b3ad9 #14 PREEMPT(voluntary) [ 15.266165] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 15.266167] Call Trace: [ 15.266168] <TASK> [ 15.266169] dump_stack_lvl+0x53/0x70 [ 15.266173] print_report+0xd0/0x660 [ 15.266181] kasan_report+0xce/0x100 [ 15.266185] hfsplus_bmap_alloc+0x887/0x8b0 [ 15.266208] hfs_btree_inc_height.isra.0+0xd5/0x7c0 [ 15.266217] hfsplus_brec_insert+0x870/0xb00 [ 15.266222] __hfsplus_ext_write_extent+0x428/0x570 [ 15.266225] __hfsplus_ext_cache_extent+0x5e/0x910 [ 15.266227] hfsplus_ext_read_extent+0x1b2/0x200 [ 15.266233] hfsplus_file_extend+0x5a7/0x1000 [ 15.266237] hfsplus_get_block+0x12b/0x8c0 [ 15.266238] __block_write_begin_int+0x36b/0x12c0 [ 15.266251] block_write_begin+0x77/0x110 [ 15.266252] cont_write_begin+0x428/0x720 [ 15.266259] hfsplus_write_begin+0x51/0x100 [ 15.266262] cont_write_begin+0x272/0x720 [ 15.266270] hfsplus_write_begin+0x51/0x100 [ 15.266274] generic_perform_write+0x321/0x750 [ 15.266285] generic_file_write_iter+0xc3/0x310 [ 15.266289] __kernel_write_iter+0x2fd/0x800 [ 15.266296] dump_user_range+0x2ea/0x910 [ 15.266301] elf_core_dump+0x2a94/0x2ed0 [ 15.266320] vfs_coredump+0x1d85/0x45e0 [ 15.266349] get_signal+0x12e3/0x1990 [ 15.266357] arch_do_signal_or_restart+0x89/0x580 [ 15.266362] irqentry_exit_to_user_mode+0xab/0x110 [ 15.266364] asm_exc_page_fault+0x26/0x30 [ 15.266366] RIP: 0033:0x41bd35 [ 15.266367] Code: bc d1 f3 0f 7f 27 f3 0f 7f 6f 10 f3 0f 7f 77 20 f3 0f 7f 7f 30 49 83 c0 0f 49 29 d0 48 8d 7c 17 31 e9 9f 0b 00 00 66 0f ef c0 <f3> 0f 6f 0e f3 0f 6f 56 10 66 0f 74 c1 66 0f d7 d0 49 83 f8f [ 15.266369] RSP: 002b:00007ffc9e62d078 EFLAGS: 00010283 [ 15.266371] RAX: 00007ffc9e62d100 RBX: 0000000000000000 RCX: 0000000000000000 [ 15.266372] RDX: 00000000000000e0 RSI: 0000000000000000 RDI: 00007ffc9e62d100 [ 15.266373] RBP: 0000400000000040 R08: 00000000000000e0 R09: 0000000000000000 [ 15.266374] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 15.266375] R13: 0000000000000000 R14: 0000000000000000 R15: 0000400000000000 [ 15.266376] </TASK> When calling hfsplus_bmap_alloc to allocate a free node, this function first retrieves the bitmap from header node and map node using node->page together with the offset and length from hfs_brec_lenoff ``` len = hfs_brec_lenoff(node, 2, &off16); off = off16; off += node->page_offset; pagep = node->page + (off >> PAGE_SHIFT); data = kmap_local_page(*pagep); ``` However, if the retrieved offset or length is invalid(i.e. exceeds node_size), the code may end up accessing pages outside the allocated range for this node. This patch adds proper validation of both offset and length before use, preventing out-of-bounds page access. Move is_bnode_offset_valid and check_and_correct_requested_length to hfsplus_fs.h, as they may be required by other functions. CVE-2025-40349 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40349.html CVE-2025-40349 https://bugzilla.suse.com/1255280 SUSE Bug 1255280 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix generating skb from non-linear xdp_buff for striding RQ XDP programs can change the layout of an xdp_buff through bpf_xdp_adjust_tail() and bpf_xdp_adjust_head(). Therefore, the driver cannot assume the size of the linear data area nor fragments. Fix the bug in mlx5 by generating skb according to xdp_buff after XDP programs run. Currently, when handling multi-buf XDP, the mlx5 driver assumes the layout of an xdp_buff to be unchanged. That is, the linear data area continues to be empty and fragments remain the same. This may cause the driver to generate erroneous skb or triggering a kernel warning. When an XDP program added linear data through bpf_xdp_adjust_head(), the linear data will be ignored as mlx5e_build_linear_skb() builds an skb without linear data and then pull data from fragments to fill the linear data area. When an XDP program has shrunk the non-linear data through bpf_xdp_adjust_tail(), the delta passed to __pskb_pull_tail() may exceed the actual nonlinear data size and trigger the BUG_ON in it. To fix the issue, first record the original number of fragments. If the number of fragments changes after the XDP program runs, rewind the end fragment pointer by the difference and recalculate the truesize. Then, build the skb with the linear data area matching the xdp_buff. Finally, only pull data in if there is non-linear data and fill the linear part up to 256 bytes. CVE-2025-40350 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40350.html CVE-2025-40350 https://bugzilla.suse.com/1255260 SUSE Bug 1255260 In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() The syzbot reported issue in hfsplus_delete_cat(): [ 70.682285][ T9333] ===================================================== [ 70.682943][ T9333] BUG: KMSAN: uninit-value in hfsplus_subfolders_dec+0x1d7/0x220 [ 70.683640][ T9333] hfsplus_subfolders_dec+0x1d7/0x220 [ 70.684141][ T9333] hfsplus_delete_cat+0x105d/0x12b0 [ 70.684621][ T9333] hfsplus_rmdir+0x13d/0x310 [ 70.685048][ T9333] vfs_rmdir+0x5ba/0x810 [ 70.685447][ T9333] do_rmdir+0x964/0xea0 [ 70.685833][ T9333] __x64_sys_rmdir+0x71/0xb0 [ 70.686260][ T9333] x64_sys_call+0xcd8/0x3cf0 [ 70.686695][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.687119][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.687646][ T9333] [ 70.687856][ T9333] Uninit was stored to memory at: [ 70.688311][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.688779][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.689231][ T9333] hfsplus_mknod+0x27f/0x600 [ 70.689730][ T9333] hfsplus_mkdir+0x5a/0x70 [ 70.690146][ T9333] vfs_mkdir+0x483/0x7a0 [ 70.690545][ T9333] do_mkdirat+0x3f2/0xd30 [ 70.690944][ T9333] __x64_sys_mkdir+0x9a/0xf0 [ 70.691380][ T9333] x64_sys_call+0x2f89/0x3cf0 [ 70.691816][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.692229][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.692773][ T9333] [ 70.692990][ T9333] Uninit was stored to memory at: [ 70.693469][ T9333] hfsplus_subfolders_inc+0x1c2/0x1d0 [ 70.693960][ T9333] hfsplus_create_cat+0x148e/0x1800 [ 70.694438][ T9333] hfsplus_fill_super+0x21c1/0x2700 [ 70.694911][ T9333] mount_bdev+0x37b/0x530 [ 70.695320][ T9333] hfsplus_mount+0x4d/0x60 [ 70.695729][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.696167][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.696588][ T9333] do_new_mount+0x73e/0x1630 [ 70.697013][ T9333] path_mount+0x6e3/0x1eb0 [ 70.697425][ T9333] __se_sys_mount+0x733/0x830 [ 70.697857][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.698269][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.698704][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.699117][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.699730][ T9333] [ 70.699946][ T9333] Uninit was created at: [ 70.700378][ T9333] __alloc_pages_noprof+0x714/0xe60 [ 70.700843][ T9333] alloc_pages_mpol_noprof+0x2a2/0x9b0 [ 70.701331][ T9333] alloc_pages_noprof+0xf8/0x1f0 [ 70.701774][ T9333] allocate_slab+0x30e/0x1390 [ 70.702194][ T9333] ___slab_alloc+0x1049/0x33a0 [ 70.702635][ T9333] kmem_cache_alloc_lru_noprof+0x5ce/0xb20 [ 70.703153][ T9333] hfsplus_alloc_inode+0x5a/0xd0 [ 70.703598][ T9333] alloc_inode+0x82/0x490 [ 70.703984][ T9333] iget_locked+0x22e/0x1320 [ 70.704428][ T9333] hfsplus_iget+0x5c/0xba0 [ 70.704827][ T9333] hfsplus_btree_open+0x135/0x1dd0 [ 70.705291][ T9333] hfsplus_fill_super+0x1132/0x2700 [ 70.705776][ T9333] mount_bdev+0x37b/0x530 [ 70.706171][ T9333] hfsplus_mount+0x4d/0x60 [ 70.706579][ T9333] legacy_get_tree+0x113/0x2c0 [ 70.707019][ T9333] vfs_get_tree+0xb3/0x5c0 [ 70.707444][ T9333] do_new_mount+0x73e/0x1630 [ 70.707865][ T9333] path_mount+0x6e3/0x1eb0 [ 70.708270][ T9333] __se_sys_mount+0x733/0x830 [ 70.708711][ T9333] __x64_sys_mount+0xe4/0x150 [ 70.709158][ T9333] x64_sys_call+0x2691/0x3cf0 [ 70.709630][ T9333] do_syscall_64+0xd9/0x1d0 [ 70.710053][ T9333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.710611][ T9333] [ 70.710842][ T9333] CPU: 3 UID: 0 PID: 9333 Comm: repro Not tainted 6.12.0-rc6-dirty #17 [ 70.711568][ T9333] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 70.712490][ T9333] ===================================================== [ 70.713085][ T9333] Disabling lock debugging due to kernel taint [ 70.713618][ T9333] Kernel panic - not syncing: kmsan.panic set ... [ 70.714159][ T9333] ---truncated--- CVE-2025-40351 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40351.html CVE-2025-40351 https://bugzilla.suse.com/1255281 SUSE Bug 1255281 In the Linux kernel, the following vulnerability has been resolved: sysfs: check visibility before changing group attribute ownership Since commit 0c17270f9b92 ("net: sysfs: Implement is_visible for phys_(port_id, port_name, switch_id)"), __dev_change_net_namespace() can hit WARN_ON() when trying to change owner of a file that isn't visible. See the trace below: WARNING: CPU: 6 PID: 2938 at net/core/dev.c:12410 __dev_change_net_namespace+0xb89/0xc30 CPU: 6 UID: 0 PID: 2938 Comm: incusd Not tainted 6.17.1-1-mainline #1 PREEMPT(full) 4b783b4a638669fb644857f484487d17cb45ed1f Hardware name: Framework Laptop 13 (AMD Ryzen 7040Series)/FRANMDCP07, BIOS 03.07 02/19/2025 RIP: 0010:__dev_change_net_namespace+0xb89/0xc30 [...] Call Trace: <TASK> ? if6_seq_show+0x30/0x50 do_setlink.isra.0+0xc7/0x1270 ? __nla_validate_parse+0x5c/0xcc0 ? security_capable+0x94/0x1a0 rtnl_newlink+0x858/0xc20 ? update_curr+0x8e/0x1c0 ? update_entity_lag+0x71/0x80 ? sched_balance_newidle+0x358/0x450 ? psi_task_switch+0x113/0x2a0 ? __pfx_rtnl_newlink+0x10/0x10 rtnetlink_rcv_msg+0x346/0x3e0 ? sched_clock+0x10/0x30 ? __pfx_rtnetlink_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? __sys_bind+0xe3/0x110 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? sock_alloc_file+0x63/0xc0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? alloc_fd+0x12e/0x190 ? put_unused_fd+0x2a/0x70 ? do_sys_openat2+0xa2/0xe0 ? syscall_exit_work+0x143/0x1b0 ? do_syscall_64+0x244/0x970 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] </TASK> Fix this by checking is_visible() before trying to touch the attribute. CVE-2025-40355 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40355.html CVE-2025-40355 https://bugzilla.suse.com/1255261 SUSE Bug 1255261 In the Linux kernel, the following vulnerability has been resolved: drm/sysfb: Do not dereference NULL pointer in plane reset The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not deref that pointer, but forward NULL to the other plane-reset helpers. Clears plane->state to NULL. v2: - fix typo in commit description (Javier) CVE-2025-40360 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40360.html CVE-2025-40360 https://bugzilla.suse.com/1255095 SUSE Bug 1255095 In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix field-spanning memcpy warning in AH output Fix field-spanning memcpy warnings in ah6_output() and ah6_output_done() where extension headers are copied to/from IPv6 address fields, triggering fortify-string warnings about writes beyond the 16-byte address fields. memcpy: detected field-spanning write (size 40) of single field "&top_iph->saddr" at net/ipv6/ah6.c:439 (size 16) WARNING: CPU: 0 PID: 8838 at net/ipv6/ah6.c:439 ah6_output+0xe7e/0x14e0 net/ipv6/ah6.c:439 The warnings are false positives as the extension headers are intentionally placed after the IPv6 header in memory. Fix by properly copying addresses and extension headers separately, and introduce helper functions to avoid code duplication. CVE-2025-40363 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-40363.html CVE-2025-40363 https://bugzilla.suse.com/1255102 SUSE Bug 1255102 In the Linux kernel, the following vulnerability has been resolved: jfs: fix uninitialized waitqueue in transaction manager The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems. When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate no transaction. However, txEnd(0) still gets called and tries to access TxBlock[0].waitor via tid_to_tblock(0), but this waitqueue was never initialized because the initialization loop started at index 1 instead of 0. This causes a 'non-static key' lockdep warning and system crash: INFO: trying to register non-static key in txEnd Fix by ensuring all transaction blocks including TxBlock[0] have their waitqueues properly initialized during txInit(). CVE-2025-68168 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68168.html CVE-2025-68168 https://bugzilla.suse.com/1255100 SUSE Bug 1255100 In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure XFD state on signal delivery Sean reported [1] the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfd_validate_state+0x65/0x70 Call Trace: <TASK> fpu__clear_user_states+0x9c/0x100 arch_do_signal_or_restart+0x142/0x210 exit_to_user_mode_loop+0x55/0x100 do_syscall_64+0x205/0x2c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Chao further identified [2] a reproducible scenario involving signal delivery: a non-AMX task is preempted by an AMX-enabled task which modifies the XFD MSR. When the non-AMX task resumes and reloads XSTATE with init values, a warning is triggered due to a mismatch between fpstate::xfd and the CPU's current XFD state. fpu__clear_user_states() does not currently re-synchronize the XFD state after such preemption. Invoke xfd_update_state() which detects and corrects the mismatch if there is a dynamic feature. This also benefits the sigreturn path, as fpu__restore_sig() may call fpu__clear_user_states() when the sigframe is inaccessible. [ dhansen: minor changelog munging ] CVE-2025-68171 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68171.html CVE-2025-68171 https://bugzilla.suse.com/1255255 SUSE Bug 1255255 In the Linux kernel, the following vulnerability has been resolved: crypto: aspeed - fix double free caused by devm The clock obtained via devm_clk_get_enabled() is automatically managed by devres and will be disabled and freed on driver detach. Manually calling clk_disable_unprepare() in error path and remove function causes double free. Remove the manual clock cleanup in both aspeed_acry_probe()'s error path and aspeed_acry_remove(). CVE-2025-68172 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68172.html CVE-2025-68172 https://bugzilla.suse.com/1255253 SUSE Bug 1255253 In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: enhance kfd process check in switch partition current switch partition only check if kfd_processes_table is empty. kfd_prcesses_table entry is deleted in kfd_process_notifier_release, but kfd_process tear down is in kfd_process_wq_release. consider two processes: Process A (workqueue) -> kfd_process_wq_release -> Access kfd_node member Process B switch partition -> amdgpu_xcp_pre_partition_switch -> amdgpu_amdkfd_device_fini_sw -> kfd_node tear down. Process A and B may trigger a race as shown in dmesg log. This patch is to resolve the race by adding an atomic kfd_process counter kfd_processes_count, it increment as create kfd process, decrement as finish kfd_process_wq_release. v2: Put kfd_processes_count per kfd_dev, move decrement to kfd_process_destroy_pdds and bug fix. (Philip Yang) [3966658.307702] divide error: 0000 [#1] SMP NOPTI [3966658.350818] i10nm_edac [3966658.356318] CPU: 124 PID: 38435 Comm: kworker/124:0 Kdump: loaded Tainted [3966658.356890] Workqueue: kfd_process_wq kfd_process_wq_release [amdgpu] [3966658.362839] nfit [3966658.366457] RIP: 0010:kfd_get_num_sdma_engines+0x17/0x40 [amdgpu] [3966658.366460] Code: 00 00 e9 ac 81 02 00 66 66 2e 0f 1f 84 00 00 00 00 00 90 0f 1f 44 00 00 48 8b 4f 08 48 8b b7 00 01 00 00 8b 81 58 26 03 00 99 <f7> be b8 01 00 00 80 b9 70 2e 00 00 00 74 0b 83 f8 02 ba 02 00 00 [3966658.380967] x86_pkg_temp_thermal [3966658.391529] RSP: 0018:ffffc900a0edfdd8 EFLAGS: 00010246 [3966658.391531] RAX: 0000000000000008 RBX: ffff8974e593b800 RCX: ffff888645900000 [3966658.391531] RDX: 0000000000000000 RSI: ffff888129154400 RDI: ffff888129151c00 [3966658.391532] RBP: ffff8883ad79d400 R08: 0000000000000000 R09: ffff8890d2750af4 [3966658.391532] R10: 0000000000000018 R11: 0000000000000018 R12: 0000000000000000 [3966658.391533] R13: ffff8883ad79d400 R14: ffffe87ff662ba00 R15: ffff8974e593b800 [3966658.391533] FS: 0000000000000000(0000) GS:ffff88fe7f600000(0000) knlGS:0000000000000000 [3966658.391534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [3966658.391534] CR2: 0000000000d71000 CR3: 000000dd0e970004 CR4: 0000000002770ee0 [3966658.391535] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [3966658.391535] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [3966658.391536] PKRU: 55555554 [3966658.391536] Call Trace: [3966658.391674] deallocate_sdma_queue+0x38/0xa0 [amdgpu] [3966658.391762] process_termination_cpsch+0x1ed/0x480 [amdgpu] [3966658.399754] intel_powerclamp [3966658.402831] kfd_process_dequeue_from_all_devices+0x5b/0xc0 [amdgpu] [3966658.402908] kfd_process_wq_release+0x1a/0x1a0 [amdgpu] [3966658.410516] coretemp [3966658.434016] process_one_work+0x1ad/0x380 [3966658.434021] worker_thread+0x49/0x310 [3966658.438963] kvm_intel [3966658.446041] ? process_one_work+0x380/0x380 [3966658.446045] kthread+0x118/0x140 [3966658.446047] ? __kthread_bind_mask+0x60/0x60 [3966658.446050] ret_from_fork+0x1f/0x30 [3966658.446053] Modules linked in: kpatch_20765354(OEK) [3966658.455310] kvm [3966658.464534] mptcp_diag xsk_diag raw_diag unix_diag af_packet_diag netlink_diag udp_diag act_pedit act_mirred act_vlan cls_flower kpatch_21951273(OEK) kpatch_18424469(OEK) kpatch_19749756(OEK) [3966658.473462] idxd_mdev [3966658.482306] kpatch_17971294(OEK) sch_ingress xt_conntrack amdgpu(OE) amdxcp(OE) amddrm_buddy(OE) amd_sched(OE) amdttm(OE) amdkcl(OE) intel_ifs iptable_mangle tcm_loop target_core_pscsi tcp_diag target_core_file inet_diag target_core_iblock target_core_user target_core_mod coldpgs kpatch_18383292(OEK) ip6table_nat ip6table_filter ip6_tables ip_set_hash_ipportip ip_set_hash_ipportnet ip_set_hash_ipport ip_set_bitmap_port xt_comment iptable_nat nf_nat iptable_filter ip_tables ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sn_core_odd(OE) i40e overlay binfmt_misc tun bonding(OE) aisqos(OE) aisqo ---truncated--- CVE-2025-68174 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68174.html CVE-2025-68174 https://bugzilla.suse.com/1255327 SUSE Bug 1255327 In the Linux kernel, the following vulnerability has been resolved: PCI: cadence: Check for the existence of cdns_pcie::ops before using it cdns_pcie::ops might not be populated by all the Cadence glue drivers. This is going to be true for the upcoming Sophgo platform which doesn't set the ops. Hence, add a check to prevent NULL pointer dereference. [mani: reworded subject and description] CVE-2025-68176 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68176.html CVE-2025-68176 https://bugzilla.suse.com/1255329 SUSE Bug 1255329 In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix possible deadlock while configuring policy Following deadlock can be triggered easily by lockdep: WARNING: possible circular locking dependency detected 6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted ------------------------------------------------------ check/1334 is trying to acquire lock: ff1100011d9d0678 (&q->sysfs_lock){+.+.}-{4:4}, at: blk_unregister_queue+0x53/0x180 but task is already holding lock: ff1100011d9d00e0 (&q->q_usage_counter(queue)#3){++++}-{0:0}, at: del_gendisk+0xba/0x110 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&q->q_usage_counter(queue)#3){++++}-{0:0}: blk_queue_enter+0x40b/0x470 blkg_conf_prep+0x7b/0x3c0 tg_set_limit+0x10a/0x3e0 cgroup_file_write+0xc6/0x420 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&q->rq_qos_mutex){+.+.}-{4:4}: __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 wbt_init+0x17e/0x280 wbt_enable_default+0xe9/0x140 blk_register_queue+0x1da/0x2e0 __add_disk+0x38c/0x5d0 add_disk_fwnode+0x89/0x250 device_add_disk+0x18/0x30 virtblk_probe+0x13a3/0x1800 virtio_dev_probe+0x389/0x610 really_probe+0x136/0x620 __driver_probe_device+0xb3/0x230 driver_probe_device+0x2f/0xe0 __driver_attach+0x158/0x250 bus_for_each_dev+0xa9/0x130 driver_attach+0x26/0x40 bus_add_driver+0x178/0x3d0 driver_register+0x7d/0x1c0 __register_virtio_driver+0x2c/0x60 virtio_blk_init+0x6f/0xe0 do_one_initcall+0x94/0x540 kernel_init_freeable+0x56a/0x7b0 kernel_init+0x2b/0x270 ret_from_fork+0x268/0x4c0 ret_from_fork_asm+0x1a/0x30 -> #0 (&q->sysfs_lock){+.+.}-{4:4}: __lock_acquire+0x1835/0x2940 lock_acquire+0xf9/0x450 __mutex_lock+0xd8/0xf50 mutex_lock_nested+0x2b/0x40 blk_unregister_queue+0x53/0x180 __del_gendisk+0x226/0x690 del_gendisk+0xba/0x110 sd_remove+0x49/0xb0 [sd_mod] device_remove+0x87/0xb0 device_release_driver_internal+0x11e/0x230 device_release_driver+0x1a/0x30 bus_remove_device+0x14d/0x220 device_del+0x1e1/0x5a0 __scsi_remove_device+0x1ff/0x2f0 scsi_remove_device+0x37/0x60 sdev_store_delete+0x77/0x100 dev_attr_store+0x1f/0x40 sysfs_kf_write+0x65/0x90 kernfs_fop_write_iter+0x189/0x280 vfs_write+0x256/0x490 ksys_write+0x83/0x190 __x64_sys_write+0x21/0x30 x64_sys_call+0x4608/0x4630 do_syscall_64+0xdb/0x6b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e other info that might help us debug this: Chain exists of: &q->sysfs_lock --> &q->rq_qos_mutex --> &q->q_usage_counter(queue)#3 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&q->q_usage_counter(queue)#3); lock(&q->rq_qos_mutex); lock(&q->q_usage_counter(queue)#3); lock(&q->sysfs_lock); Root cause is that queue_usage_counter is grabbed with rq_qos_mutex held in blkg_conf_prep(), while queue should be freezed before rq_qos_mutex from other context. The blk_queue_enter() from blkg_conf_prep() is used to protect against policy deactivation, which is already protected with blkcg_mutex, hence convert blk_queue_enter() to blkcg_mutex to fix this problem. Meanwhile, consider that blkcg_mutex is held after queue is freezed from policy deactivation, also convert blkg_alloc() to use GFP_NOIO. CVE-2025-68178 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68178.html CVE-2025-68178 https://bugzilla.suse.com/1255266 SUSE Bug 1255266 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL deref in debugfs odm_combine_segments When a connector is connected but inactive (e.g., disabled by desktop environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading odm_combine_segments causes kernel NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> seq_read_iter+0x125/0x490 ? __alloc_frozen_pages_noprof+0x18f/0x350 seq_read+0x12c/0x170 full_proxy_read+0x51/0x80 vfs_read+0xbc/0x390 ? __handle_mm_fault+0xa46/0xef0 ? do_syscall_64+0x71/0x900 ksys_read+0x73/0xf0 do_syscall_64+0x71/0x900 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x6c/0x74 RIP: 0033:0x7f44d4031687 Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 </TASK> Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> CR2: 0000000000000000 ---[ end trace 0000000000000000 ]--- RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 PKRU: 55555554 Fix this by checking pipe_ctx-> ---truncated--- CVE-2025-68180 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68180.html CVE-2025-68180 https://bugzilla.suse.com/1255252 SUSE Bug 1255252 In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then writes/removes some other security xattr for the file. For example, on Fedora, after booting the kernel with "ima_appraise=fix evm=fix ima_policy=appraise_tcb" and installing rpm-plugin-ima, installing/reinstalling a package will not make good reference IMA signature generated. Instead IMA hash is generated, # getfattr -m - -d -e hex /usr/bin/bash # file: usr/bin/bash security.ima=0x0404... This happens because when setting security.selinux, the IMA_DIGSIG flag that had been set early was cleared. As a result, IMA hash is generated when the file is closed. Similarly, IMA signature can be cleared on file close after removing security xattr like security.evm or setting/removing ACL. Prevent replacing the IMA file signature with a file hash, by preventing the IMA_DIGSIG flag from being reset. Here's a minimal C reproducer which sets security.selinux as the last step which can also replaced by removing security.evm or setting ACL, #include <stdio.h> #include <sys/xattr.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <stdlib.h> int main() { const char* file_path = "/usr/sbin/test_binary"; const char* hex_string = "030204d33204490066306402304"; int length = strlen(hex_string); char* ima_attr_value; int fd; fd = open(file_path, O_WRONLY|O_CREAT|O_EXCL, 0644); if (fd == -1) { perror("Error opening file"); return 1; } ima_attr_value = (char*)malloc(length / 2 ); for (int i = 0, j = 0; i < length; i += 2, j++) { sscanf(hex_string + i, "%2hhx", &ima_attr_value[j]); } if (fsetxattr(fd, "security.ima", ima_attr_value, length/2, 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } const char* selinux_value= "system_u:object_r:bin_t:s0"; if (fsetxattr(fd, "security.selinux", selinux_value, strlen(selinux_value), 0) == -1) { perror("Error setting extended attribute"); close(fd); return 1; } close(fd); return 0; } CVE-2025-68183 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68183.html CVE-2025-68183 https://bugzilla.suse.com/1255251 SUSE Bug 1255251 In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy to attack. Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of put_unaligned_be64(), we can put that under ->d_lock and be done with that. CVE-2025-68185 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68185.html CVE-2025-68185 https://bugzilla.suse.com/1255135 SUSE Bug 1255135 In the Linux kernel, the following vulnerability has been resolved: tcp: use dst_dev_rcu() in tcp_fastopen_active_disable_ofo_check() Use RCU to avoid a pair of atomic operations and a potential UAF on dst_dev()->flags. CVE-2025-68188 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68188.html CVE-2025-68188 https://bugzilla.suse.com/1255269 SUSE Bug 1255269 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/atom: Check kcalloc() for WS buffer in amdgpu_atom_execute_table_locked() kcalloc() may fail. When WS is non-zero and allocation fails, ectx.ws remains NULL while ectx.ws_size is set, leading to a potential NULL pointer dereference in atom_get_src_int() when accessing WS entries. Return -ENOMEM on allocation failure to avoid the NULL dereference. CVE-2025-68190 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68190.html CVE-2025-68190 https://bugzilla.suse.com/1255131 SUSE Bug 1255131 In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crashes. This can trigger kernel panics on ARM when running IPsec over the qmimux0 interface. Example trace: Internal error: Oops: 000000009600004f [#1] SMP CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.34-gbe78e49cb433 #1 Hardware name: LS1028A RDB Board (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm_input+0xde8/0x1318 lr : xfrm_input+0x61c/0x1318 sp : ffff800080003b20 Call trace: xfrm_input+0xde8/0x1318 xfrm6_rcv+0x38/0x44 xfrm6_esp_rcv+0x48/0xa8 ip6_protocol_deliver_rcu+0x94/0x4b0 ip6_input_finish+0x44/0x70 ip6_input+0x44/0xc0 ipv6_rcv+0x6c/0x114 __netif_receive_skb_one_core+0x5c/0x8c __netif_receive_skb+0x18/0x60 process_backlog+0x78/0x17c __napi_poll+0x38/0x180 net_rx_action+0x168/0x2f0 CVE-2025-68192 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68192.html CVE-2025-68192 https://bugzilla.suse.com/1255246 SUSE Bug 1255246 In the Linux kernel, the following vulnerability has been resolved: media: imon: make send_packet() more robust syzbot is reporting that imon has three problems which result in hung tasks due to forever holding device lock [1]. First problem is that when usb_rx_callback_intf0() once got -EPROTO error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0() resubmits urb after printk(), and resubmitted urb causes usb_rx_callback_intf0() to again get -EPROTO error. This results in printk() flooding (RCU stalls). Alan Stern commented [2] that In theory it's okay to resubmit _if_ the driver has a robust error-recovery scheme (such as giving up after some fixed limit on the number of errors or after some fixed time has elapsed, perhaps with a time delay to prevent a flood of errors). Most drivers don't bother to do this; they simply give up right away. This makes them more vulnerable to short-term noise interference during USB transfers, but in reality such interference is quite rare. There's nothing really wrong with giving up right away. but imon has a poor error-recovery scheme which just retries forever; this behavior should be fixed. Since I'm not sure whether it is safe for imon users to give up upon any error code, this patch takes care of only union of error codes chosen from modules in drivers/media/rc/ directory which handle -EPROTO error (i.e. ir_toy, mceusb and igorplugusb). Second problem is that when usb_rx_callback_intf0() once got -EPROTO error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge hardware after early callbacks"). Move the ictx->dev_present_intf0 test introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes until intf configured") to immediately before imon_incoming_packet(), or the first problem explained above happens without printk() flooding (i.e. hung task). Third problem is that when usb_rx_callback_intf0() is not called for some reason (e.g. flaky hardware; the reproducer for this problem sometimes prevents usb_rx_callback_intf0() from being called), wait_for_completion_interruptible() in send_packet() never returns (i.e. hung task). As a workaround for such situation, change send_packet() to wait for completion with timeout of 10 seconds. CVE-2025-68194 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68194.html CVE-2025-68194 https://bugzilla.suse.com/1255325 SUSE Bug 1255325 In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access. CVE-2025-68195 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68195.html CVE-2025-68195 https://bugzilla.suse.com/1255259 SUSE Bug 1255259 In the Linux kernel, the following vulnerability has been resolved: bpf: Add bpf_prog_run_data_pointers() syzbot found that cls_bpf_classify() is able to change tc_skb_cb(skb)->drop_reason triggering a warning in sk_skb_reason_drop(). WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 __sk_skb_reason_drop net/core/skbuff.c:1189 [inline] WARNING: CPU: 0 PID: 5965 at net/core/skbuff.c:1192 sk_skb_reason_drop+0x76/0x170 net/core/skbuff.c:1214 struct tc_skb_cb has been added in commit ec624fe740b4 ("net/sched: Extend qdisc control block with tc control block"), which added a wrong interaction with db58ba459202 ("bpf: wire in data and data_end for cls_act_bpf"). drop_reason was added later. Add bpf_prog_run_data_pointers() helper to save/restore the net_sched storage colliding with BPF data_meta/data_end. CVE-2025-68200 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68200.html CVE-2025-68200 https://bugzilla.suse.com/1255241 SUSE Bug 1255241 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: remove two invalid BUG_ON()s Those can be triggered trivially by userspace. CVE-2025-68201 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68201.html CVE-2025-68201 https://bugzilla.suse.com/1255136 SUSE Bug 1255136 In the Linux kernel, the following vulnerability has been resolved: pmdomain: arm: scmi: Fix genpd leak on provider registration failure If of_genpd_add_provider_onecell() fails during probe, the previously created generic power domains are not removed, leading to a memory leak and potential kernel crash later in genpd_debug_add(). Add proper error handling to unwind the initialized domains before returning from probe to ensure all resources are correctly released on failure. Example crash trace observed without this fix: | Unable to handle kernel paging request at virtual address fffffffffffffc70 | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : genpd_debug_add+0x2c/0x160 | lr : genpd_debug_init+0x74/0x98 | Call trace: | genpd_debug_add+0x2c/0x160 (P) | genpd_debug_init+0x74/0x98 | do_one_initcall+0xd0/0x2d8 | do_initcall_level+0xa0/0x140 | do_initcalls+0x60/0xa8 | do_basic_setup+0x28/0x40 | kernel_init_freeable+0xe8/0x170 | kernel_init+0x2c/0x140 | ret_from_fork+0x10/0x20 CVE-2025-68204 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68204.html CVE-2025-68204 https://bugzilla.suse.com/1255224 SUSE Bug 1255224 In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: add seqadj extension for natted connections Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq. The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet } chain prerouting { type filter hook prerouting priority 0; policy accept; tcp dport 21 ct state new ct helper set "ftp_helper" } } table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } } chain postrouting { type nat hook postrouting priority 100 ; policy accept; tcp sport 21 snat ip prefix to ip saddr map { 192.168.13.2 : 192.168.100.1/32 } } } Note that the ftp helper gets assigned *after* the dnat setup. The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem. Topoloy: +-------------------+ +----------------------------------+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +-------------------+ +----------------------------------+ | +-----------------------+ | Client: 192.168.100.2 | +-----------------------+ ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection. Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 .. Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding. CVE-2025-68206 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68206.html CVE-2025-68206 https://bugzilla.suse.com/1255142 SUSE Bug 1255142 In the Linux kernel, the following vulnerability has been resolved: bpf: account for current allocated stack depth in widen_imprecise_scalars() The usage pattern for widen_imprecise_scalars() looks as follows: prev_st = find_prev_entry(env, ...); queued_st = push_stack(...); widen_imprecise_scalars(env, prev_st, queued_st); Where prev_st is an ancestor of the queued_st in the explored states tree. This ancestor is not guaranteed to have same allocated stack depth as queued_st. E.g. in the following case: def main(): for i in 1..2: foo(i) // same callsite, differnt param def foo(i): if i == 1: use 128 bytes of stack iterator based loop Here, for a second 'foo' call prev_st->allocated_stack is 128, while queued_st->allocated_stack is much smaller. widen_imprecise_scalars() needs to take this into account and avoid accessing bpf_verifier_state->frame[*]->stack out of bounds. CVE-2025-68208 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68208.html CVE-2025-68208 https://bugzilla.suse.com/1255227 SUSE Bug 1255227 In the Linux kernel, the following vulnerability has been resolved: mlx5: Fix default values in create CQ Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function. Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases. These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause. This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs. CVE-2025-68209 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68209.html CVE-2025-68209 https://bugzilla.suse.com/1255230 SUSE Bug 1255230 In the Linux kernel, the following vulnerability has been resolved: Input: pegasus-notetaker - fix potential out-of-bounds access In the pegasus_notetaker driver, the pegasus_probe() function allocates the URB transfer buffer using the wMaxPacketSize value from the endpoint descriptor. An attacker can use a malicious USB descriptor to force the allocation of a very small buffer. Subsequently, if the device sends an interrupt packet with a specific pattern (e.g., where the first byte is 0x80 or 0x42), the pegasus_parse_packet() function parses the packet without checking the allocated buffer size. This leads to an out-of-bounds memory access. CVE-2025-68217 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68217.html CVE-2025-68217 https://bugzilla.suse.com/1255221 SUSE Bug 1255221 In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: fix lockdep WARN due to partition scan work Blktests test cases nvme/014, 057 and 058 fail occasionally due to a lockdep WARN. As reported in the Closes tag URL, the WARN indicates that a deadlock can happen due to the dependency among disk->open_mutex, kblockd workqueue completion and partition_scan_work completion. To avoid the lockdep WARN and the potential deadlock, cut the dependency by running the partition_scan_work not by kblockd workqueue but by nvme_wq. CVE-2025-68218 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68218.html CVE-2025-68218 https://bugzilla.suse.com/1255245 SUSE Bug 1255245 In the Linux kernel, the following vulnerability has been resolved: pinctrl: s32cc: fix uninitialized memory in s32_pinctrl_desc s32_pinctrl_desc is allocated with devm_kmalloc(), but not all of its fields are initialized. Notably, num_custom_params is used in pinconf_generic_parse_dt_config(), resulting in intermittent allocation errors, such as the following splat when probing i2c-imx: WARNING: CPU: 0 PID: 176 at mm/page_alloc.c:4795 __alloc_pages_noprof+0x290/0x300 [...] Hardware name: NXP S32G3 Reference Design Board 3 (S32G-VNP-RDB3) (DT) [...] Call trace: __alloc_pages_noprof+0x290/0x300 (P) ___kmalloc_large_node+0x84/0x168 __kmalloc_large_node_noprof+0x34/0x120 __kmalloc_noprof+0x2ac/0x378 pinconf_generic_parse_dt_config+0x68/0x1a0 s32_dt_node_to_map+0x104/0x248 dt_to_map_one_config+0x154/0x1d8 pinctrl_dt_to_map+0x12c/0x280 create_pinctrl+0x6c/0x270 pinctrl_get+0xc0/0x170 devm_pinctrl_get+0x50/0xa0 pinctrl_bind_pins+0x60/0x2a0 really_probe+0x60/0x3a0 [...] __platform_driver_register+0x2c/0x40 i2c_adap_imx_init+0x28/0xff8 [i2c_imx] [...] This results in later parse failures that can cause issues in dependent drivers: s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c0-pins/i2c0-grp0: could not parse node property [...] pca953x 0-0022: failed writing register: -6 i2c i2c-0: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c2-pins/i2c2-grp0: could not parse node property i2c i2c-1: IMX I2C adapter registered s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property s32g-siul2-pinctrl 4009c240.pinctrl: /soc@0/pinctrl@4009c240/i2c4-pins/i2c4-grp0: could not parse node property i2c i2c-2: IMX I2C adapter registered Fix this by initializing s32_pinctrl_desc with devm_kzalloc() instead of devm_kmalloc() in s32_pinctrl_probe(), which sets the previously uninitialized fields to zero. CVE-2025-68222 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68222.html CVE-2025-68222 https://bugzilla.suse.com/1255218 SUSE Bug 1255218 In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]--- CVE-2025-68227 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68227.html CVE-2025-68227 https://bugzilla.suse.com/1255216 SUSE Bug 1255216 In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix gpu page fault after hibernation on PF passthrough On PF passthrough environment, after hibernate and then resume, coralgemm will cause gpu page fault. Mode1 reset happens during hibernate, but partition mode is not restored on resume, register mmCP_HYP_XCP_CTL and mmCP_PSP_XCP_CTL is not right after resume. When CP access the MQD BO, wrong stride size is used, this will cause out of bound access on the MQD BO, resulting page fault. The fix is to ensure gfx_v9_4_3_switch_compute_partition() is called when resume from a hibernation. KFD resume is called separately during a reset recovery or resume from suspend sequence. Hence it's not required to be called as part of partition switch. (cherry picked from commit 5d1b32cfe4a676fe552416cb5ae847b215463a1a) CVE-2025-68230 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68230.html CVE-2025-68230 https://bugzilla.suse.com/1255134 SUSE Bug 1255134 In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [mperttunen@nvidia.com: reword commit message] CVE-2025-68233 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68233.html CVE-2025-68233 https://bugzilla.suse.com/1255206 SUSE Bug 1255206 In the Linux kernel, the following vulnerability has been resolved: nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated. CVE-2025-68235 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68235.html CVE-2025-68235 https://bugzilla.suse.com/1255209 SUSE Bug 1255209 In the Linux kernel, the following vulnerability has been resolved: mtdchar: fix integer overflow in read/write ioctls The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug. CVE-2025-68237 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68237.html CVE-2025-68237 https://bugzilla.suse.com/1255203 SUSE Bug 1255203 In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: cadence: fix DMA device NULL pointer dereference The DMA device pointer `dma_dev` was being dereferenced before ensuring that `cdns_ctrl->dmac` is properly initialized. Move the assignment of `dma_dev` after successfully acquiring the DMA channel to ensure the pointer is valid before use. CVE-2025-68238 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68238.html CVE-2025-68238 https://bugzilla.suse.com/1255202 SUSE Bug 1255202 In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: restore write access before closing files opened by open_exec() bm_register_write() opens an executable file using open_exec(), which internally calls do_open_execat() and denies write access on the file to avoid modification while it is being executed. However, when an error occurs, bm_register_write() closes the file using filp_close() directly. This does not restore the write permission, which may cause subsequent write operations on the same file to fail. Fix this by calling exe_file_allow_write_access() before filp_close() to restore the write permission properly. CVE-2025-68239 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68239.html CVE-2025-68239 https://bugzilla.suse.com/1255272 SUSE Bug 1255272 In the Linux kernel, the following vulnerability has been resolved: ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe The sit driver's packet transmission path calls: sit_tunnel_xmit() -> update_or_create_fnhe(), which lead to fnhe_remove_oldest() being called to delete entries exceeding FNHE_RECLAIM_DEPTH+random. The race window is between fnhe_remove_oldest() selecting fnheX for deletion and the subsequent kfree_rcu(). During this time, the concurrent path's __mkroute_output() -> find_exception() can fetch the soon-to-be-deleted fnheX, and rt_bind_exception() then binds it with a new dst using a dst_hold(). When the original fnheX is freed via RCU, the dst reference remains permanently leaked. CPU 0 CPU 1 __mkroute_output() find_exception() [fnheX] update_or_create_fnhe() fnhe_remove_oldest() [fnheX] rt_bind_exception() [bind dst] RCU callback [fnheX freed, dst leak] This issue manifests as a device reference count leak and a warning in dmesg when unregistering the net device: unregister_netdevice: waiting for sitX to become free. Usage count = N Ido Schimmel provided the simple test validation method [1]. The fix clears 'oldest->fnhe_daddr' before calling fnhe_flush_routes(). Since rt_bind_exception() checks this field, setting it to zero prevents the stale fnhe from being reused and bound to a new dst just before it is freed. [1] ip netns add ns1 ip -n ns1 link set dev lo up ip -n ns1 address add 192.0.2.1/32 dev lo ip -n ns1 link add name dummy1 up type dummy ip -n ns1 route add 192.0.2.2/32 dev dummy1 ip -n ns1 link add name gretap1 up arp off type gretap \ local 192.0.2.1 remote 192.0.2.2 ip -n ns1 route add 198.51.0.0/16 dev gretap1 taskset -c 0 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & taskset -c 2 ip netns exec ns1 mausezahn gretap1 \ -A 198.51.100.1 -B 198.51.0.0/16 -t udp -p 1000 -c 0 -q & sleep 10 ip netns pids ns1 | xargs kill ip netns del ns1 CVE-2025-68241 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68241.html CVE-2025-68241 https://bugzilla.suse.com/1255157 SUSE Bug 1255157 In the Linux kernel, the following vulnerability has been resolved: drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD On completion of i915_vma_pin_ww(), a synchronous variant of dma_fence_work_commit() is called. When pinning a VMA to GGTT address space on a Cherry View family processor, or on a Broxton generation SoC with VTD enabled, i.e., when stop_machine() is then called from intel_ggtt_bind_vma(), that can potentially lead to lock inversion among reservation_ww and cpu_hotplug locks. [86.861179] ====================================================== [86.861193] WARNING: possible circular locking dependency detected [86.861209] 6.15.0-rc5-CI_DRM_16515-gca0305cadc2d+ #1 Tainted: G U [86.861226] ------------------------------------------------------ [86.861238] i915_module_loa/1432 is trying to acquire lock: [86.861252] ffffffff83489090 (cpu_hotplug_lock){++++}-{0:0}, at: stop_machine+0x1c/0x50 [86.861290] but task is already holding lock: [86.861303] ffffc90002e0b4c8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: i915_vma_pin.constprop.0+0x39/0x1d0 [i915] [86.862233] which lock already depends on the new lock. [86.862251] the existing dependency chain (in reverse order) is: [86.862265] -> #5 (reservation_ww_class_mutex){+.+.}-{3:3}: [86.862292] dma_resv_lockdep+0x19a/0x390 [86.862315] do_one_initcall+0x60/0x3f0 [86.862334] kernel_init_freeable+0x3cd/0x680 [86.862353] kernel_init+0x1b/0x200 [86.862369] ret_from_fork+0x47/0x70 [86.862383] ret_from_fork_asm+0x1a/0x30 [86.862399] -> #4 (reservation_ww_class_acquire){+.+.}-{0:0}: [86.862425] dma_resv_lockdep+0x178/0x390 [86.862440] do_one_initcall+0x60/0x3f0 [86.862454] kernel_init_freeable+0x3cd/0x680 [86.862470] kernel_init+0x1b/0x200 [86.862482] ret_from_fork+0x47/0x70 [86.862495] ret_from_fork_asm+0x1a/0x30 [86.862509] -> #3 (&mm->mmap_lock){++++}-{3:3}: [86.862531] down_read_killable+0x46/0x1e0 [86.862546] lock_mm_and_find_vma+0xa2/0x280 [86.862561] do_user_addr_fault+0x266/0x8e0 [86.862578] exc_page_fault+0x8a/0x2f0 [86.862593] asm_exc_page_fault+0x27/0x30 [86.862607] filldir64+0xeb/0x180 [86.862620] kernfs_fop_readdir+0x118/0x480 [86.862635] iterate_dir+0xcf/0x2b0 [86.862648] __x64_sys_getdents64+0x84/0x140 [86.862661] x64_sys_call+0x1058/0x2660 [86.862675] do_syscall_64+0x91/0xe90 [86.862689] entry_SYSCALL_64_after_hwframe+0x76/0x7e [86.862703] -> #2 (&root->kernfs_rwsem){++++}-{3:3}: [86.862725] down_write+0x3e/0xf0 [86.862738] kernfs_add_one+0x30/0x3c0 [86.862751] kernfs_create_dir_ns+0x53/0xb0 [86.862765] internal_create_group+0x134/0x4c0 [86.862779] sysfs_create_group+0x13/0x20 [86.862792] topology_add_dev+0x1d/0x30 [86.862806] cpuhp_invoke_callback+0x4b5/0x850 [86.862822] cpuhp_issue_call+0xbf/0x1f0 [86.862836] __cpuhp_setup_state_cpuslocked+0x111/0x320 [86.862852] __cpuhp_setup_state+0xb0/0x220 [86.862866] topology_sysfs_init+0x30/0x50 [86.862879] do_one_initcall+0x60/0x3f0 [86.862893] kernel_init_freeable+0x3cd/0x680 [86.862908] kernel_init+0x1b/0x200 [86.862921] ret_from_fork+0x47/0x70 [86.862934] ret_from_fork_asm+0x1a/0x30 [86.862947] -> #1 (cpuhp_state_mutex){+.+.}-{3:3}: [86.862969] __mutex_lock+0xaa/0xed0 [86.862982] mutex_lock_nested+0x1b/0x30 [86.862995] __cpuhp_setup_state_cpuslocked+0x67/0x320 [86.863012] __cpuhp_setup_state+0xb0/0x220 [86.863026] page_alloc_init_cpuhp+0x2d/0x60 [86.863041] mm_core_init+0x22/0x2d0 [86.863054] start_kernel+0x576/0xbd0 [86.863068] x86_64_start_reservations+0x18/0x30 [86.863084] x86_64_start_kernel+0xbf/0x110 [86.863098] common_startup_64+0x13e/0x141 [86.863114] -> #0 (cpu_hotplug_lock){++++}-{0:0}: [86.863135] __lock_acquire+0x16 ---truncated--- CVE-2025-68244 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68244.html CVE-2025-68244 https://bugzilla.suse.com/1255190 SUSE Bug 1255190 In the Linux kernel, the following vulnerability has been resolved: net: netpoll: fix incorrect refcount handling causing incorrect cleanup commit efa95b01da18 ("netpoll: fix use after free") incorrectly ignored the refcount and prematurely set dev->npinfo to NULL during netpoll cleanup, leading to improper behavior and memory leaks. Scenario causing lack of proper cleanup: 1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is allocated, and refcnt = 1 - Keep in mind that npinfo is shared among all netpoll instances. In this case, there is just one. 2) Another netpoll is also associated with the same NIC and npinfo->refcnt += 1. - Now dev->npinfo->refcnt = 2; - There is just one npinfo associated to the netdev. 3) When the first netpolls goes to clean up: - The first cleanup succeeds and clears np->dev->npinfo, ignoring refcnt. - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);` - Set dev->npinfo = NULL, without proper cleanup - No ->ndo_netpoll_cleanup() is either called 4) Now the second target tries to clean up - The second cleanup fails because np->dev->npinfo is already NULL. * In this case, ops->ndo_netpoll_cleanup() was never called, and the skb pool is not cleaned as well (for the second netpoll instance) - This leaks npinfo and skbpool skbs, which is clearly reported by kmemleak. Revert commit efa95b01da18 ("netpoll: fix use after free") and adds clarifying comments emphasizing that npinfo cleanup should only happen once the refcount reaches zero, ensuring stable and correct netpoll behavior. CVE-2025-68245 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68245.html CVE-2025-68245 https://bugzilla.suse.com/1255268 SUSE Bug 1255268 In the Linux kernel, the following vulnerability has been resolved: most: usb: hdm_probe: Fix calling put_device() before device initialization The early error path in hdm_probe() can jump to err_free_mdev before &mdev->dev has been initialized with device_initialize(). Calling put_device(&mdev->dev) there triggers a device core WARN and ends up invoking kref_put(&kobj->kref, kobject_release) on an uninitialized kobject. In this path the private struct was only kmalloc'ed and the intended release is effectively kfree(mdev) anyway, so free it directly instead of calling put_device() on an uninitialized device. This removes the WARNING and fixes the pre-initialization error path. CVE-2025-68249 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68249.html CVE-2025-68249 https://bugzilla.suse.com/1255233 SUSE Bug 1255233 In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix dma_buf object leak in fastrpc_map_lookup In fastrpc_map_lookup, dma_buf_get is called to obtain a reference to the dma_buf for comparison purposes. However, this reference is never released when the function returns, leading to a dma_buf memory leak. Fix this by adding dma_buf_put before returning from the function, ensuring that the temporarily acquired reference is properly released regardless of whether a matching map is found. Rule: add CVE-2025-68252 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68252.html CVE-2025-68252 https://bugzilla.suse.com/1255197 SUSE Bug 1255197 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them. This prevents OOB reads caused by malformed beacon frames. CVE-2025-68254 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68254.html CVE-2025-68254 https://bugzilla.suse.com/1255140 SUSE Bug 1255140 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. CVE-2025-68255 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68255.html CVE-2025-68255 https://bugzilla.suse.com/1255395 SUSE Bug 1255395 In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames. CVE-2025-68256 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68256.html CVE-2025-68256 https://bugzilla.suse.com/1255138 SUSE Bug 1255138 In the Linux kernel, the following vulnerability has been resolved: comedi: check device's attached status in compat ioctls Syzbot identified an issue [1] that crashes kernel, seemingly due to unexistent callback dev->get_valid_routes(). By all means, this should not occur as said callback must always be set to get_zero_valid_routes() in __comedi_device_postconfig(). As the crash seems to appear exclusively in i386 kernels, at least, judging from [1] reports, the blame lies with compat versions of standard IOCTL handlers. Several of them are modified and do not use comedi_unlocked_ioctl(). While functionality of these ioctls essentially copy their original versions, they do not have required sanity check for device's attached status. This, in turn, leads to a possibility of calling select IOCTLs on a device that has not been properly setup, even via COMEDI_DEVCONFIG. Doing so on unconfigured devices means that several crucial steps are missed, for instance, specifying dev->get_valid_routes() callback. Fix this somewhat crudely by ensuring device's attached status before performing any ioctls, improving logic consistency between modern and compat functions. [1] Syzbot report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 Call Trace: <TASK> get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 __do_compat_sys_ioctl fs/ioctl.c:695 [inline] __se_compat_sys_ioctl fs/ioctl.c:638 [inline] __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] ... CVE-2025-68257 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68257.html CVE-2025-68257 https://bugzilla.suse.com/1255167 SUSE Bug 1255167 In the Linux kernel, the following vulnerability has been resolved: comedi: multiq3: sanitize config options in multiq3_attach() Syzbot identified an issue [1] in multiq3_attach() that induces a task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, specifically, in the case of multiq3 driver. This problem arose when syzkaller managed to craft weird configuration options used to specify the number of channels in encoder subdevice. If a particularly great number is passed to s->n_chan in multiq3_attach() via it->options[2], then multiple calls to multiq3_encoder_reset() at the end of driver-specific attach() method will be running for minutes, thus blocking tasks and affected devices as well. While this issue is most likely not too dangerous for real-life devices, it still makes sense to sanitize configuration inputs. Enable a sensible limit on the number of encoder chips (4 chips max, each with 2 channels) to stop this behaviour from manifesting. [1] Syzbot crash: INFO: task syz.2.19:6067 blocked for more than 143 seconds. ... Call Trace: <TASK> context_switch kernel/sched/core.c:5254 [inline] __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 __schedule_loop kernel/sched/core.c:6944 [inline] schedule+0x165/0x360 kernel/sched/core.c:6959 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 __mutex_lock_common kernel/locking/mutex.c:676 [inline] __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 do_dentry_open+0x953/0x13f0 fs/open.c:965 vfs_open+0x3b/0x340 fs/open.c:1097 ... CVE-2025-68258 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68258.html CVE-2025-68258 https://bugzilla.suse.com/1255182 SUSE Bug 1255182 In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn instruction, discard the exception and retry the instruction if the code stream is changed (e.g. by a different vCPU) between when the CPU executes the instruction and when KVM decodes the instruction to get the next RIP. As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction"), failure to verify that the correct INTn instruction was decoded can effectively clobber guest state due to decoding the wrong instruction and thus specifying the wrong next RIP. The bug most often manifests as "Oops: int3" panics on static branch checks in Linux guests. Enabling or disabling a static branch in Linux uses the kernel's "text poke" code patching mechanism. To modify code while other CPUs may be executing that code, Linux (temporarily) replaces the first byte of the original instruction with an int3 (opcode 0xcc), then patches in the new code stream except for the first byte, and finally replaces the int3 with the first byte of the new code stream. If a CPU hits the int3, i.e. executes the code while it's being modified, then the guest kernel must look up the RIP to determine how to handle the #BP, e.g. by emulating the new instruction. If the RIP is incorrect, then this lookup fails and the guest kernel panics. The bug reproduces almost instantly by hacking the guest kernel to repeatedly check a static branch[1] while running a drgn script[2] on the host to constantly swap out the memory containing the guest's TSS. [1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a [2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b CVE-2025-68259 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68259.html CVE-2025-68259 https://bugzilla.suse.com/1255199 SUSE Bug 1255199 In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread may execute ext4_map_blocks(), which tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks() or ext4_ind_map_blocks(). Without i_data_sem protection, ext4_ind_map_blocks() may receive inode with EXT4_INODE_EXTENTS flag and triggering assert. kernel BUG at fs/ext4/indirect.c:546! EXT4-fs (loop2): unmounting filesystem. invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546 Call Trace: <TASK> ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681 _ext4_get_block+0x242/0x590 fs/ext4/inode.c:822 ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124 ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255 ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000 generic_perform_write+0x259/0x5d0 mm/filemap.c:3846 ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285 ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679 call_write_iter include/linux/fs.h:2271 [inline] do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10f/0x170 fs/splice.c:950 splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 CVE-2025-68261 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68261.html CVE-2025-68261 https://bugzilla.suse.com/1255164 SUSE Bug 1255164 In the Linux kernel, the following vulnerability has been resolved: ext4: refresh inline data size before write operations The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired. This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data(): kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications. This is similar to commit a54c4613dac1 ("ext4: fix race writing to an inline_data file while its xattrs are changing") which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue. CVE-2025-68264 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68264.html CVE-2025-68264 https://bugzilla.suse.com/1255380 SUSE Bug 1255380 In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds writes in handle_auth_session_key() The len field originates from untrusted network packets. Boundary checks have been added to prevent potential out-of-bounds writes when decrypting the connection secret or processing service tickets. [ idryomov: changelog ] CVE-2025-68284 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68284.html CVE-2025-68284 https://bugzilla.suse.com/1255377 SUSE Bug 1255377 https://bugzilla.suse.com/1255378 SUSE Bug 1255378 In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well. CVE-2025-68285 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68285.html CVE-2025-68285 https://bugzilla.suse.com/1255401 SUSE Bug 1255401 https://bugzilla.suse.com/1255402 SUSE Bug 1255402 In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check NULL before accessing [WHAT] IGT kms_cursor_legacy's long-nonblocking-modeset-vs-cursor-atomic fails with NULL pointer dereference. This can be reproduced with both an eDP panel and a DP monitors connected. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 2960 Comm: kms_cursor_lega Not tainted 6.16.0-99-custom #8 PREEMPT(voluntary) Hardware name: AMD ........ RIP: 0010:dc_stream_get_scanoutpos+0x34/0x130 [amdgpu] Code: 57 4d 89 c7 41 56 49 89 ce 41 55 49 89 d5 41 54 49 89 fc 53 48 83 ec 18 48 8b 87 a0 64 00 00 48 89 75 d0 48 c7 c6 e0 41 30 c2 <48> 8b 38 48 8b 9f 68 06 00 00 e8 8d d7 fd ff 31 c0 48 81 c3 e0 02 RSP: 0018:ffffd0f3c2bd7608 EFLAGS: 00010292 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffd0f3c2bd7668 RDX: ffffd0f3c2bd7664 RSI: ffffffffc23041e0 RDI: ffff8b32494b8000 RBP: ffffd0f3c2bd7648 R08: ffffd0f3c2bd766c R09: ffffd0f3c2bd7760 R10: ffffd0f3c2bd7820 R11: 0000000000000000 R12: ffff8b32494b8000 R13: ffffd0f3c2bd7664 R14: ffffd0f3c2bd7668 R15: ffffd0f3c2bd766c FS: 000071f631b68700(0000) GS:ffff8b399f114000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000001b8105000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> dm_crtc_get_scanoutpos+0xd7/0x180 [amdgpu] amdgpu_display_get_crtc_scanoutpos+0x86/0x1c0 [amdgpu] ? __pfx_amdgpu_crtc_get_scanout_position+0x10/0x10[amdgpu] amdgpu_crtc_get_scanout_position+0x27/0x50 [amdgpu] drm_crtc_vblank_helper_get_vblank_timestamp_internal+0xf7/0x400 drm_crtc_vblank_helper_get_vblank_timestamp+0x1c/0x30 drm_crtc_get_last_vbltimestamp+0x55/0x90 drm_crtc_next_vblank_start+0x45/0xa0 drm_atomic_helper_wait_for_fences+0x81/0x1f0 ... (cherry picked from commit 621e55f1919640acab25383362b96e65f2baea3c) CVE-2025-68286 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68286.html CVE-2025-68286 https://bugzilla.suse.com/1255351 SUSE Bug 1255351 In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths This patch addresses a race condition caused by unsynchronized execution of multiple call paths invoking `dwc3_remove_requests()`, leading to premature freeing of USB requests and subsequent crashes. Three distinct execution paths interact with `dwc3_remove_requests()`: Path 1: Triggered via `dwc3_gadget_reset_interrupt()` during USB reset handling. The call stack includes: - `dwc3_ep0_reset_state()` - `dwc3_ep0_stall_and_restart()` - `dwc3_ep0_out_start()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 2: Also initiated from `dwc3_gadget_reset_interrupt()`, but through `dwc3_stop_active_transfers()`. The call stack includes: - `dwc3_stop_active_transfers()` - `dwc3_remove_requests()` - `dwc3_gadget_del_and_unmap_request()` Path 3: Occurs independently during `adb root` execution, which triggers USB function unbind and bind operations. The sequence includes: - `gserial_disconnect()` - `usb_ep_disable()` - `dwc3_gadget_ep_disable()` - `dwc3_remove_requests()` with `-ESHUTDOWN` status Path 3 operates asynchronously and lacks synchronization with Paths 1 and 2. When Path 3 completes, it disables endpoints and frees 'out' requests. If Paths 1 or 2 are still processing these requests, accessing freed memory leads to a crash due to use-after-free conditions. To fix this added check for request completion and skip processing if already completed and added the request status for ep0 while queue. CVE-2025-68287 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68287.html CVE-2025-68287 https://bugzilla.suse.com/1255152 SUSE Bug 1255152 In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_eem: Fix memory leak in eem_unwrap The existing code did not handle the failure case of usb_ep_queue in the command path, potentially leading to memory leaks. Improve error handling to free all allocated resources on usb_ep_queue failure. This patch continues to use goto logic for error handling, as the existing error handling is complex and not easily adaptable to auto-cleanup helpers. kmemleak results: unreferenced object 0xffffff895a512300 (size 240): backtrace: slab_post_alloc_hook+0xbc/0x3a4 kmem_cache_alloc+0x1b4/0x358 skb_clone+0x90/0xd8 eem_unwrap+0x1cc/0x36c unreferenced object 0xffffff8a157f4000 (size 256): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 dwc3_gadget_ep_alloc_request+0x58/0x11c usb_ep_alloc_request+0x40/0xe4 eem_unwrap+0x204/0x36c unreferenced object 0xffffff8aadbaac00 (size 128): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc __kmalloc+0x64/0x1a8 eem_unwrap+0x218/0x36c unreferenced object 0xffffff89ccef3500 (size 64): backtrace: slab_post_alloc_hook+0xbc/0x3a4 __kmem_cache_alloc_node+0x1b4/0x2dc kmalloc_trace+0x48/0x140 eem_unwrap+0x238/0x36c CVE-2025-68289 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68289.html CVE-2025-68289 https://bugzilla.suse.com/1255155 SUSE Bug 1255155 In the Linux kernel, the following vulnerability has been resolved: most: usb: fix double free on late probe failure The MOST subsystem has a non-standard registration function which frees the interface on registration failures and on deregistration. This unsurprisingly leads to bugs in the MOST drivers, and a couple of recent changes turned a reference underflow and use-after-free in the USB driver into several double free and a use-after-free on late probe failures. CVE-2025-68290 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68290.html CVE-2025-68290 https://bugzilla.suse.com/1255154 SUSE Bug 1255154 In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup Protect vga_switcheroo_client_fb_set() with console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA switcheroo calls fbcon_remap_all() when switching clients. The fbcon function uses struct fb_info.node, which is set by register_framebuffer(). As the fb-helper code currently sets up VGA switcheroo before registering the framebuffer, the value of node is -1 and therefore not a legal value. For example, fbcon uses the value within set_con2fb_map() [1] as an index into an array. Moving vga_switcheroo_client_fb_set() after register_framebuffer() can result in VGA switching that does not switch fbcon correctly. Therefore move vga_switcheroo_client_fb_set() under fbcon_fb_registered(), which already holds the console lock. Fbdev calls fbcon_fb_registered() from within register_framebuffer(). Serializes the helper with VGA switcheroo's call to fbcon_remap_all(). Although vga_switcheroo_client_fb_set() takes an instance of struct fb_info as parameter, it really only needs the contained fbcon state. Moving the call to fbcon initialization is therefore cleaner than before. Only amdgpu, i915, nouveau and radeon support vga_switcheroo. For all other drivers, this change does nothing. CVE-2025-68296 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68296.html CVE-2025-68296 https://bugzilla.suse.com/1255128 SUSE Bug 1255128 In the Linux kernel, the following vulnerability has been resolved: ceph: fix crash in process_v2_sparse_read() for encrypted directories The crash in process_v2_sparse_read() for fscrypt-encrypted directories has been reported. Issue takes place for Ceph msgr2 protocol in secure mode. It can be reproduced by the steps: sudo mount -t ceph :/ /mnt/cephfs/ -o name=admin,fs=cephfs,ms_mode=secure (1) mkdir /mnt/cephfs/fscrypt-test-3 (2) cp area_decrypted.tar /mnt/cephfs/fscrypt-test-3 (3) fscrypt encrypt --source=raw_key --key=./my.key /mnt/cephfs/fscrypt-test-3 (4) fscrypt lock /mnt/cephfs/fscrypt-test-3 (5) fscrypt unlock --key=my.key /mnt/cephfs/fscrypt-test-3 (6) cat /mnt/cephfs/fscrypt-test-3/area_decrypted.tar (7) Issue has been triggered [ 408.072247] ------------[ cut here ]------------ [ 408.072251] WARNING: CPU: 1 PID: 392 at net/ceph/messenger_v2.c:865 ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072267] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec kvm_intel joydev kvm irqbypass polyval_clmulni ghash_clmulni_intel aesni_intel rapl input_leds psmouse serio_raw i2c_piix4 vga16fb bochs vgastate i2c_smbus floppy mac_hid qemu_fw_cfg pata_acpi sch_fq_codel rbd msr parport_pc ppdev lp parport efi_pstore [ 408.072304] CPU: 1 UID: 0 PID: 392 Comm: kworker/1:3 Not tainted 6.17.0-rc7+ [ 408.072307] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-5.fc42 04/01/2014 [ 408.072310] Workqueue: ceph-msgr ceph_con_workfn [ 408.072314] RIP: 0010:ceph_con_v2_try_read+0x4b39/0x72f0 [ 408.072317] Code: c7 c1 20 f0 d4 ae 50 31 d2 48 c7 c6 60 27 d5 ae 48 c7 c7 f8 8e 6f b0 68 60 38 d5 ae e8 00 47 61 fe 48 83 c4 18 e9 ac fc ff ff <0f> 0b e9 06 fe ff ff 4c 8b 9d 98 fd ff ff 0f 84 64 e7 ff ff 89 85 [ 408.072319] RSP: 0018:ffff88811c3e7a30 EFLAGS: 00010246 [ 408.072322] RAX: ffffed1024874c6f RBX: ffffea00042c2b40 RCX: 0000000000000f38 [ 408.072324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 408.072325] RBP: ffff88811c3e7ca8 R08: 0000000000000000 R09: 00000000000000c8 [ 408.072326] R10: 00000000000000c8 R11: 0000000000000000 R12: 00000000000000c8 [ 408.072327] R13: dffffc0000000000 R14: ffff8881243a6030 R15: 0000000000003000 [ 408.072329] FS: 0000000000000000(0000) GS:ffff88823eadf000(0000) knlGS:0000000000000000 [ 408.072331] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 408.072332] CR2: 000000c0003c6000 CR3: 000000010c106005 CR4: 0000000000772ef0 [ 408.072336] PKRU: 55555554 [ 408.072337] Call Trace: [ 408.072338] <TASK> [ 408.072340] ? sched_clock_noinstr+0x9/0x10 [ 408.072344] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [ 408.072347] ? _raw_spin_unlock+0xe/0x40 [ 408.072349] ? finish_task_switch.isra.0+0x15d/0x830 [ 408.072353] ? __kasan_check_write+0x14/0x30 [ 408.072357] ? mutex_lock+0x84/0xe0 [ 408.072359] ? __pfx_mutex_lock+0x10/0x10 [ 408.072361] ceph_con_workfn+0x27e/0x10e0 [ 408.072364] ? metric_delayed_work+0x311/0x2c50 [ 408.072367] process_one_work+0x611/0xe20 [ 408.072371] ? __kasan_check_write+0x14/0x30 [ 408.072373] worker_thread+0x7e3/0x1580 [ 408.072375] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 408.072378] ? __pfx_worker_thread+0x10/0x10 [ 408.072381] kthread+0x381/0x7a0 [ 408.072383] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 408.072385] ? __pfx_kthread+0x10/0x10 [ 408.072387] ? __kasan_check_write+0x14/0x30 [ 408.072389] ? recalc_sigpending+0x160/0x220 [ 408.072392] ? _raw_spin_unlock_irq+0xe/0x50 [ 408.072394] ? calculate_sigpending+0x78/0xb0 [ 408.072395] ? __pfx_kthread+0x10/0x10 [ 408.072397] ret_from_fork+0x2b6/0x380 [ 408.072400] ? __pfx_kthread+0x10/0x10 [ 408.072402] ret_from_fork_asm+0x1a/0x30 [ 408.072406] </TASK> [ 408.072407] ---[ end trace 0000000000000000 ]--- [ 408.072418] Oops: general protection fault, probably for non-canonical address 0xdffffc00000000 ---truncated--- CVE-2025-68297 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68297.html CVE-2025-68297 https://bugzilla.suse.com/1255403 SUSE Bug 1255403 In the Linux kernel, the following vulnerability has been resolved: net: atlantic: fix fragment overflow handling in RX path The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17) fragments when handling large multi-descriptor packets. This causes an out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic. The issue occurs because the driver doesn't check the total number of fragments before calling skb_add_rx_frag(). When a packet requires more than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds. Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. And reusing the existing check to prevent the overflow earlier in the code path. This crash occurred in production with an Aquantia AQC113 10G NIC. Stack trace from production environment: ``` RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0 Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89 ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90 c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48 89 fa 83 RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287 RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX: fffffffe0a0c8000 RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI: 0000000000037a40 RBP: 0000000000000024 R08: 0000000000000000 R09: 0000000000000021 R10: 0000000000000848 R11: 0000000000000000 R12: ffffa9bec02a8e24 R13: ffff925ad8615570 R14: 0000000000000000 R15: ffff925b22e80a00 FS: 0000000000000000(0000) GS:ffff925e47880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4: 0000000000f72ef0 PKRU: 55555554 Call Trace: <IRQ> aq_ring_rx_clean+0x175/0xe60 [atlantic] ? aq_ring_rx_clean+0x14d/0xe60 [atlantic] ? aq_ring_tx_clean+0xdf/0x190 [atlantic] ? kmem_cache_free+0x348/0x450 ? aq_vec_poll+0x81/0x1d0 [atlantic] ? __napi_poll+0x28/0x1c0 ? net_rx_action+0x337/0x420 ``` Changes in v4: - Add Fixes: tag to satisfy patch validation requirements. Changes in v3: - Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE, then all fragments are accounted for. CVE-2025-68301 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68301.html CVE-2025-68301 https://bugzilla.suse.com/1255120 SUSE Bug 1255120 In the Linux kernel, the following vulnerability has been resolved: platform/x86: intel: punit_ipc: fix memory corruption This passes the address of the pointer "&punit_ipcdev" when the intent was to pass the pointer itself "punit_ipcdev" (without the ampersand). This means that the: complete(&ipcdev->cmd_complete); in intel_punit_ioc() will write to a wrong memory address corrupting it. CVE-2025-68303 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68303.html CVE-2025-68303 https://bugzilla.suse.com/1255122 SUSE Bug 1255122 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the two, thereby avoiding the UAF mentioned in [1]. [1] syzbot reported: BUG: KASAN: slab-use-after-free in mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 Read of size 8 at addr ffff888077164818 by task syz.0.17/5989 Call Trace: mgmt_pending_remove+0x3b/0x210 net/bluetooth/mgmt_util.c:316 set_link_security+0x5c2/0x710 net/bluetooth/mgmt.c:1918 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Allocated by task 5989: mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296 set_link_security+0x557/0x710 net/bluetooth/mgmt.c:1910 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 sock_write_iter+0x279/0x360 net/socket.c:1195 Freed by task 5991: mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline] mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257 mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9477 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 CVE-2025-68305 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68305.html CVE-2025-68305 https://bugzilla.suse.com/1255169 SUSE Bug 1255169 In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_xmit_callback(): fix handling of failed transmitted URBs The driver lacks the cleanup of failed transfers of URBs. This reduces the number of available URBs per error by 1. This leads to reduced performance and ultimately to a complete stop of the transmission. If the sending of a bulk URB fails do proper cleanup: - increase netdev stats - mark the echo_sbk as free - free the driver's context and do accounting - wake the send queue CVE-2025-68307 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68307.html CVE-2025-68307 https://bugzilla.suse.com/1255146 SUSE Bug 1255146 In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: leaf: Fix potential infinite loop in command parsers The `kvaser_usb_leaf_wait_cmd()` and `kvaser_usb_leaf_read_bulk_callback` functions contain logic to zero-length commands. These commands are used to align data to the USB endpoint's wMaxPacketSize boundary. The driver attempts to skip these placeholders by aligning the buffer position `pos` to the next packet boundary using `round_up()` function. However, if zero-length command is found exactly on a packet boundary (i.e., `pos` is a multiple of wMaxPacketSize, including 0), `round_up` function will return the unchanged value of `pos`. This prevents `pos` to be increased, causing an infinite loop in the parsing logic. This patch fixes this in the function by using `pos + 1` instead. This ensures that even if `pos` is on a boundary, the calculation is based on `pos + 1`, forcing `round_up()` to always return the next aligned boundary. CVE-2025-68308 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68308.html CVE-2025-68308 https://bugzilla.suse.com/1255149 SUSE Bug 1255149 In the Linux kernel, the following vulnerability has been resolved: usbnet: Prevents free active kevent The root cause of this issue are: 1. When probing the usbnet device, executing usbnet_link_change(dev, 0, 0); put the kevent work in global workqueue. However, the kevent has not yet been scheduled when the usbnet device is unregistered. Therefore, executing free_netdev() results in the "free active object (kevent)" error reported here. 2. Another factor is that when calling usbnet_disconnect()->unregister_netdev(), if the usbnet device is up, ndo_stop() is executed to cancel the kevent. However, because the device is not up, ndo_stop() is not executed. The solution to this problem is to cancel the kevent before executing free_netdev(). CVE-2025-68312 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68312.html CVE-2025-68312 https://bugzilla.suse.com/1255171 SUSE Bug 1255171 In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success (CF=1)". Search the web for AMD-SB-7055 for more detail. Add a fix glue which checks microcode revisions. [ bp: Add microcode revisions checking, rewrite. ] CVE-2025-68313 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68313.html CVE-2025-68313 https://bugzilla.suse.com/1255415 SUSE Bug 1255415 In the Linux kernel, the following vulnerability has been resolved: lan966x: Fix sleeping in atomic context The following warning was seen when we try to connect using ssh to the device. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:575 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 104, name: dropbear preempt_count: 1, expected: 0 INFO: lockdep is turned off. CPU: 0 UID: 0 PID: 104 Comm: dropbear Tainted: G W 6.18.0-rc2-00399-g6f1ab1b109b9-dirty #530 NONE Tainted: [W]=WARN Hardware name: Generic DT based system Call trace: unwind_backtrace from show_stack+0x10/0x14 show_stack from dump_stack_lvl+0x7c/0xac dump_stack_lvl from __might_resched+0x16c/0x2b0 __might_resched from __mutex_lock+0x64/0xd34 __mutex_lock from mutex_lock_nested+0x1c/0x24 mutex_lock_nested from lan966x_stats_get+0x5c/0x558 lan966x_stats_get from dev_get_stats+0x40/0x43c dev_get_stats from dev_seq_printf_stats+0x3c/0x184 dev_seq_printf_stats from dev_seq_show+0x10/0x30 dev_seq_show from seq_read_iter+0x350/0x4ec seq_read_iter from seq_read+0xfc/0x194 seq_read from proc_reg_read+0xac/0x100 proc_reg_read from vfs_read+0xb0/0x2b0 vfs_read from ksys_read+0x6c/0xec ksys_read from ret_fast_syscall+0x0/0x1c Exception stack(0xf0b11fa8 to 0xf0b11ff0) 1fa0: 00000001 00001000 00000008 be9048d8 00001000 00000001 1fc0: 00000001 00001000 00000008 00000003 be905920 0000001e 00000000 00000001 1fe0: 0005404c be9048c0 00018684 b6ec2cd8 It seems that we are using a mutex in a atomic context which is wrong. Change the mutex with a spinlock. CVE-2025-68320 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68320.html CVE-2025-68320 https://bugzilla.suse.com/1255172 SUSE Bug 1255172 In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged. CVE-2025-68325 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68325.html CVE-2025-68325 https://bugzilla.suse.com/1255417 SUSE Bug 1255417 In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Fix synchronous external abort on unbind A synchronous external abort occurs on the Renesas RZ/G3S SoC if unbind is executed after the configuration sequence described above: modprobe usb_f_ecm modprobe libcomposite modprobe configfs cd /sys/kernel/config/usb_gadget mkdir -p g1 cd g1 echo "0x1d6b" > idVendor echo "0x0104" > idProduct mkdir -p strings/0x409 echo "0123456789" > strings/0x409/serialnumber echo "Renesas." > strings/0x409/manufacturer echo "Ethernet Gadget" > strings/0x409/product mkdir -p functions/ecm.usb0 mkdir -p configs/c.1 mkdir -p configs/c.1/strings/0x409 echo "ECM" > configs/c.1/strings/0x409/configuration if [ ! -L configs/c.1/ecm.usb0 ]; then ln -s functions/ecm.usb0 configs/c.1 fi echo 11e20000.usb > UDC echo 11e20000.usb > /sys/bus/platform/drivers/renesas_usbhs/unbind The displayed trace is as follows: Internal error: synchronous external abort: 0000000096000010 [#1] SMP CPU: 0 UID: 0 PID: 188 Comm: sh Tainted: G M 6.17.0-rc7-next-20250922-00010-g41050493b2bd #55 PREEMPT Tainted: [M]=MACHINE_CHECK Hardware name: Renesas SMARC EVK version 2 based on r9a08g045s33 (DT) pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] lr : usbhsg_update_pullup+0x3c/0x68 [renesas_usbhs] sp : ffff8000838b3920 x29: ffff8000838b3920 x28: ffff00000d585780 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: ffff00000c3e3810 x23: ffff00000d5e5c80 x22: ffff00000d5e5d40 x21: 0000000000000000 x20: 0000000000000000 x19: ffff00000d5e5c80 x18: 0000000000000020 x17: 2e30303230316531 x16: 312d7968703a7968 x15: 3d454d414e5f4344 x14: 000000000000002c x13: 0000000000000000 x12: 0000000000000000 x11: ffff00000f358f38 x10: ffff00000f358db0 x9 : ffff00000b41f418 x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d x5 : 8080808000000000 x4 : 000000004b5ccb9d x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff800083790000 x0 : ffff00000d5e5c80 Call trace: usbhs_sys_function_pullup+0x10/0x40 [renesas_usbhs] (P) usbhsg_pullup+0x4c/0x7c [renesas_usbhs] usb_gadget_disconnect_locked+0x48/0xd4 gadget_unbind_driver+0x44/0x114 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_release_driver+0x18/0x24 bus_remove_device+0xcc/0x10c device_del+0x14c/0x404 usb_del_gadget+0x88/0xc0 usb_del_gadget_udc+0x18/0x30 usbhs_mod_gadget_remove+0x24/0x44 [renesas_usbhs] usbhs_mod_remove+0x20/0x30 [renesas_usbhs] usbhs_remove+0x98/0xdc [renesas_usbhs] platform_remove+0x20/0x30 device_remove+0x4c/0x80 device_release_driver_internal+0x1c8/0x224 device_driver_detach+0x18/0x24 unbind_store+0xb4/0xb8 drv_attr_store+0x24/0x38 sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x128/0x1b8 vfs_write+0x2ac/0x350 ksys_write+0x68/0xfc __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xf0 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 7100003f 1a9f07e1 531c6c22 f9400001 (79400021) ---[ end trace 0000000000000000 ]--- note: sh[188] exited with irqs disabled note: sh[188] exited with preempt_count 1 The issue occurs because usbhs_sys_function_pullup(), which accesses the IP registers, is executed after the USBHS clocks have been disabled. The problem is reproducible on the Renesas RZ/G3S SoC starting with the addition of module stop in the clock enable/disable APIs. With module stop functionality enabled, a bus error is expected if a master accesses a module whose clock has been stopped and module stop activated. Disable the IP clocks at the end of remove. CVE-2025-68327 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68327.html CVE-2025-68327 https://bugzilla.suse.com/1255488 SUSE Bug 1255488 In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-svc: fix bug in saving controller data Fix the incorrect usage of platform_set_drvdata and dev_set_drvdata. They both are of the same data and overrides each other. This resulted in the rmmod of the svc driver to fail and throw a kernel panic for kthread_stop and fifo free. CVE-2025-68328 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68328.html CVE-2025-68328 https://bugzilla.suse.com/1255489 SUSE Bug 1255489 In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime PM resume path giving a kernel splat like this if the device has no interrupts: Unable to handle kernel NULL pointer dereference at virtual address 00000001 when read PC is at bmc150_accel_set_interrupt+0x98/0x194 LR is at __pm_runtime_resume+0x5c/0x64 (...) Call trace: bmc150_accel_set_interrupt from bmc150_accel_buffer_postenable+0x40/0x108 bmc150_accel_buffer_postenable from __iio_update_buffers+0xbe0/0xcbc __iio_update_buffers from enable_store+0x84/0xc8 enable_store from kernfs_fop_write_iter+0x154/0x1b4 This bug seems to have been in the driver since the beginning, but it only manifests recently, I do not know why. Store the IRQ number in the state struct, as this is a common pattern in other drivers, then use this to determine if we have IRQ support or not. CVE-2025-68330 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68330.html CVE-2025-68330 https://bugzilla.suse.com/1255493 SUSE Bug 1255493 In the Linux kernel, the following vulnerability has been resolved: usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer When a UAS device is unplugged during data transfer, there is a probability of a system panic occurring. The root cause is an access to an invalid memory address during URB callback handling. Specifically, this happens when the dma_direct_unmap_sg() function is called within the usb_hcd_unmap_urb_for_dma() interface, but the sg->dma_address field is 0 and the sg data structure has already been freed. The SCSI driver sends transfer commands by invoking uas_queuecommand_lck() in uas.c, using the uas_submit_urbs() function to submit requests to USB. Within the uas_submit_urbs() implementation, three URBs (sense_urb, data_urb, and cmd_urb) are sequentially submitted. Device removal may occur at any point during uas_submit_urbs execution, which may result in URB submission failure. However, some URBs might have been successfully submitted before the failure, and uas_submit_urbs will return the -ENODEV error code in this case. The current error handling directly calls scsi_done(). In the SCSI driver, this eventually triggers scsi_complete() to invoke scsi_end_request() for releasing the sgtable. The successfully submitted URBs, when being unlinked to giveback, call usb_hcd_unmap_urb_for_dma() in hcd.c, leading to exceptions during sg unmapping operations since the sg data structure has already been freed. This patch modifies the error condition check in the uas_submit_urbs() function. When a UAS device is removed but one or more URBs have already been successfully submitted to USB, it avoids immediately invoking scsi_done() and save the cmnd to devinfo->cmnd array. If the successfully submitted URBs is completed before devinfo->resetting being set, then the scsi_done() function will be called within uas_try_complete() after all pending URB operations are finalized. Otherwise, the scsi_done() function will be called within uas_zap_pending(), which is executed after usb_kill_anchored_urbs(). The error handling only takes effect when uas_queuecommand_lck() calls uas_submit_urbs() and returns the error value -ENODEV . In this case, the device is disconnected, and the flow proceeds to uas_disconnect(), where uas_zap_pending() is invoked to call uas_try_complete(). CVE-2025-68331 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68331.html CVE-2025-68331 https://bugzilla.suse.com/1255495 SUSE Bug 1255495 In the Linux kernel, the following vulnerability has been resolved: comedi: c6xdigio: Fix invalid PNP driver unregistration The Comedi low-level driver "c6xdigio" seems to be for a parallel port connected device. When the Comedi core calls the driver's Comedi "attach" handler `c6xdigio_attach()` to configure a Comedi to use this driver, it tries to enable the parallel port PNP resources by registering a PNP driver with `pnp_register_driver()`, but ignores the return value. (The `struct pnp_driver` it uses has only the `name` and `id_table` members filled in.) The driver's Comedi "detach" handler `c6xdigio_detach()` unconditionally unregisters the PNP driver with `pnp_unregister_driver()`. It is possible for `c6xdigio_attach()` to return an error before it calls `pnp_register_driver()` and it is possible for the call to `pnp_register_driver()` to return an error (that is ignored). In both cases, the driver should not be calling `pnp_unregister_driver()` as it does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be called by the Comedi core if `c6xdigio_attach()` returns an error, or if the Comedi core decides to detach the Comedi device from the driver for some other reason.) The unconditional call to `pnp_unregister_driver()` without a previous successful call to `pnp_register_driver()` will cause `driver_unregister()` to issue a warning "Unexpected driver unregister!". This was detected by Syzbot [1]. Also, the PNP driver registration and unregistration should be done at module init and exit time, respectively, not when attaching or detaching Comedi devices to the driver. (There might be more than one Comedi device being attached to the driver, although that is unlikely.) Change the driver to do the PNP driver registration at module init time, and the unregistration at module exit time. Since `c6xdigio_detach()` now only calls `comedi_legacy_detach()`, remove the function and change the Comedi driver "detach" handler to `comedi_legacy_detach`. ------------------------------------------- [1] Syzbot sample crash report: Unexpected driver unregister! WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Modules linked in: CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 Call Trace: <TASK> comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_sys ---truncated--- CVE-2025-68332 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68332.html CVE-2025-68332 https://bugzilla.suse.com/1255483 SUSE Bug 1255483 In the Linux kernel, the following vulnerability has been resolved: comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from the fact that in case of early device detach via pcl818_detach(), subdevice dev->read_subdev may not have initialized its pointer to &struct comedi_async as intended. Thus, any such dereferencing of &s->async->cmd will lead to general protection fault and kernel crash. Mitigate this problem by removing a call to pcl818_ai_cancel() from pcl818_detach() altogether. This way, if the subdevice setups its support for async commands, everything async-related will be handled via subdevice's own ->cancel() function in comedi_device_detach_locked() even before pcl818_detach(). If no support for asynchronous commands is provided, there is no need to cancel anything either. [1] Syzbot crash: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762 ... Call Trace: <TASK> pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115 comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207 do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline] comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] ... CVE-2025-68335 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68335.html CVE-2025-68335 https://bugzilla.suse.com/1255480 SUSE Bug 1255480 In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0 RSP: 0018:ffff888117aafa30 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534 RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010 RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028 R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0 Call Trace: <TASK> __ext4_journal_get_create_access+0x42/0x170 ext4_getblk+0x319/0x6f0 ext4_bread+0x11/0x100 ext4_append+0x1e6/0x4a0 ext4_init_new_dir+0x145/0x1d0 ext4_mkdir+0x326/0x920 vfs_mkdir+0x45c/0x740 do_mkdirat+0x234/0x2f0 __x64_sys_mkdir+0xd6/0x120 do_syscall_64+0x5f/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue occurs with us in errors=continue mode when accompanied by storage failures. There have been many inconsistencies in the file system data. In the case of file system data inconsistency, for example, if the block bitmap of a referenced block is not set, it can lead to the situation where a block being committed is allocated and used again. As a result, the following condition will not be satisfied then trigger BUG_ON. Of course, it is entirely possible to construct a problematic image that can trigger this BUG_ON through specific operations. In fact, I have constructed such an image and easily reproduced this issue. Therefore, J_ASSERT() holds true only under ideal conditions, but it may not necessarily be satisfied in exceptional scenarios. Using J_ASSERT() directly in abnormal situations would cause the system to crash, which is clearly not what we want. So here we directly trigger a JBD abort instead of immediately invoking BUG_ON. CVE-2025-68337 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68337.html CVE-2025-68337 https://bugzilla.suse.com/1255482 SUSE Bug 1255482 In the Linux kernel, the following vulnerability has been resolved: atm/fore200e: Fix possible data race in fore200e_open() Protect access to fore200e->available_cell_rate with rate_mtx lock in the error handling path of fore200e_open() to prevent a data race. The field fore200e->available_cell_rate is a shared resource used to track available bandwidth. It is concurrently accessed by fore200e_open(), fore200e_close(), and fore200e_change_qos(). In fore200e_open(), the lock rate_mtx is correctly held when subtracting vcc->qos.txtp.max_pcr from available_cell_rate to reserve bandwidth. However, if the subsequent call to fore200e_activate_vcin() fails, the function restores the reserved bandwidth by adding back to available_cell_rate without holding the lock. This introduces a race condition because available_cell_rate is a global device resource shared across all VCCs. If the error path in fore200e_open() executes concurrently with operations like fore200e_close() or fore200e_change_qos() on other VCCs, a read-modify-write race occurs. Specifically, the error path reads the rate without the lock. If another CPU acquires the lock and modifies the rate (e.g., releasing bandwidth in fore200e_close()) between this read and the subsequent write, the error path will overwrite the concurrent update with a stale value. This results in incorrect bandwidth accounting. CVE-2025-68339 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68339.html CVE-2025-68339 https://bugzilla.suse.com/1255505 SUSE Bug 1255505 In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a port device of team0, this fails but before that header_ops->create of team0 is changed from eth_header to ipgre_header in the call to team_dev_type_check_change. Later when we end up in ipgre_header() struct ip_tunnel* points to nonsense as the private data of the device still holds a struct team. Example sequence of iproute2 commands to reproduce the hang/BUG(): ip link add dev team0 type team ip link add dev gre0 type gre ip link set dev gre0 up ip link set dev gre0 master team0 ip link set dev team0 up ping -I team0 1.1.1.1 Move team_dev_type_check_change down where all other checks have passed as it changes the dev type with no way to restore it in case one of the checks that follow it fail. Also make sure to preserve the origial mtu assignment: - If port_dev is not the same type as dev, dev takes mtu from port_dev - If port_dev is the same type as dev, port_dev takes mtu from dev This is done by adding a conditional before the call to dev_set_mtu to prevent it from assigning port_dev->mtu = dev->mtu and instead letting team_dev_type_check_change assign dev->mtu = port_dev->mtu. The conditional is needed because the patch moves the call to team_dev_type_check_change past dev_set_mtu. Testing: - team device driver in-tree selftests - Add/remove various devices as slaves of team device - syzbot CVE-2025-68340 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68340.html CVE-2025-68340 https://bugzilla.suse.com/1255507 SUSE Bug 1255507 In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() The acpi_get_first_physical_node() function can return NULL, in which case the get_device() function also returns NULL, but this value is then dereferenced without checking,so add a check to prevent a crash. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-68345 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68345.html CVE-2025-68345 https://bugzilla.suse.com/1255601 SUSE Bug 1255601 In the Linux kernel, the following vulnerability has been resolved: ALSA: dice: fix buffer overflow in detect_stream_formats() The function detect_stream_formats() reads the stream_count value directly from a FireWire device without validating it. This can lead to out-of-bounds writes when a malicious device provides a stream_count value greater than MAX_STREAMS. Fix by applying the same validation to both TX and RX stream counts in detect_stream_formats(). CVE-2025-68346 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68346.html CVE-2025-68346 https://bugzilla.suse.com/1255603 SUSE Bug 1255603 In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events The DSP event handling code in hwdep_read() could write more bytes to the user buffer than requested, when a user provides a buffer smaller than the event header size (8 bytes). Fix by using min_t() to clamp the copy size, This ensures we never copy more than the user requested. CVE-2025-68347 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68347.html CVE-2025-68347 https://bugzilla.suse.com/1255706 SUSE Bug 1255706 In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt to reference a null layout. CVE-2025-68349 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68349.html CVE-2025-68349 https://bugzilla.suse.com/1255544 SUSE Bug 1255544 In the Linux kernel, the following vulnerability has been resolved: exfat: fix refcount leak in exfat_find Fix refcount leaks in `exfat_find` related to `exfat_get_dentry_set`. Function `exfat_get_dentry_set` would increase the reference counter of `es->bh` on success. Therefore, `exfat_put_dentry_set` must be called after `exfat_get_dentry_set` to ensure refcount consistency. This patch relocate two checks to avoid possible leaks. CVE-2025-68351 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68351.html CVE-2025-68351 https://bugzilla.suse.com/1255567 SUSE Bug 1255567 In the Linux kernel, the following vulnerability has been resolved: regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex regulator_supply_alias_list was accessed without any locking in regulator_supply_alias(), regulator_register_supply_alias(), and regulator_unregister_supply_alias(). Concurrent registration, unregistration and lookups can race, leading to: 1 use-after-free if an alias entry is removed while being read, 2 duplicate entries when two threads register the same alias, 3 inconsistent alias mappings observed by consumers. Protect all traversals, insertions and deletions on regulator_supply_alias_list with the existing regulator_list_mutex. CVE-2025-68354 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68354.html CVE-2025-68354 https://bugzilla.suse.com/1255553 SUSE Bug 1255553 In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() The rtl8187_rx_cb() calculates the rx descriptor header address by subtracting its size from the skb tail pointer. However, it does not validate if the received packet (skb->len from urb->actual_length) is large enough to contain this header. If a truncated packet is received, this will lead to a buffer underflow, reading memory before the start of the skb data area, and causing a kernel panic. Add length checks for both rtl8187 and rtl8187b descriptor headers before attempting to access them, dropping the packet cleanly if the check fails. CVE-2025-68362 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68362.html CVE-2025-68362 https://bugzilla.suse.com/1255611 SUSE Bug 1255611 In the Linux kernel, the following vulnerability has been resolved: bpf: Check skb->transport_header is set in bpf_skb_check_mtu The bpf_skb_check_mtu helper needs to use skb->transport_header when the BPF_MTU_CHK_SEGS flag is used: bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS) The transport_header is not always set. There is a WARN_ON_ONCE report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set + bpf_prog_test_run is used: WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071 skb_gso_validate_network_len bpf_skb_check_mtu bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch bpf_test_run bpf_prog_test_run_skb For a normal ingress skb (not test_run), skb_reset_transport_header is performed but there is plan to avoid setting it as described in commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()"). This patch fixes the bpf helper by checking skb_transport_header_was_set(). The check is done just before skb->transport_header is used, to avoid breaking the existing bpf prog. The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next. CVE-2025-68363 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68363.html CVE-2025-68363 https://bugzilla.suse.com/1255552 SUSE Bug 1255552 In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize allocated memory before use KMSAN reports: Multiple uninitialized values detected: - KMSAN: uninit-value in ntfs_read_hdr (3) - KMSAN: uninit-value in bcmp (3) Memory is allocated by __getname(), which is a wrapper for kmem_cache_alloc(). This memory is used before being properly cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to properly allocate and clear memory before use. CVE-2025-68365 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68365.html CVE-2025-68365 https://bugzilla.suse.com/1255548 SUSE Bug 1255548 In the Linux kernel, the following vulnerability has been resolved: nbd: defer config unlock in nbd_genl_connect There is one use-after-free warning when running NBD_CMD_CONNECT and NBD_CLEAR_SOCK: nbd_genl_connect nbd_alloc_and_init_config // config_refs=1 nbd_start_device // config_refs=2 set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3 recv_work done // config_refs=2 NBD_CLEAR_SOCK // config_refs=1 close nbd // config_refs=0 refcount_inc -> uaf ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290 nbd_genl_connect+0x16d0/0x1ab0 genl_family_rcv_msg_doit+0x1f3/0x310 genl_rcv_msg+0x44a/0x790 The issue can be easily reproduced by adding a small delay before refcount_inc(&nbd->config_refs) in nbd_genl_connect(): mutex_unlock(&nbd->config_lock); if (!ret) { set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags); + printk("before sleep\n"); + mdelay(5 * 1000); + printk("after sleep\n"); refcount_inc(&nbd->config_refs); nbd_connect_reply(info, nbd->index); } CVE-2025-68366 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68366.html CVE-2025-68366 https://bugzilla.suse.com/1255622 SUSE Bug 1255622 In the Linux kernel, the following vulnerability has been resolved: macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse The following warning appears when running syzkaller, and this issue also exists in the mainline code. ------------[ cut here ]------------ list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100. WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130 Modules linked in: CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 RIP: 0010:__list_add_valid_or_report+0xf7/0x130 RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817 RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001 RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100 R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48 FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 80000000 Call Trace: <TASK> input_register_handler+0xb3/0x210 mac_hid_start_emulation+0x1c5/0x290 mac_hid_toggle_emumouse+0x20a/0x240 proc_sys_call_handler+0x4c2/0x6e0 new_sync_write+0x1b1/0x2d0 vfs_write+0x709/0x950 ksys_write+0x12a/0x250 do_syscall_64+0x5a/0x110 entry_SYSCALL_64_after_hwframe+0x78/0xe2 The WARNING occurs when two processes concurrently write to the mac-hid emulation sysctl, causing a race condition in mac_hid_toggle_emumouse(). Both processes read old_val=0, then both try to register the input handler, leading to a double list_add of the same handler. CPU0 CPU1 ------------------------- ------------------------- vfs_write() //write 1 vfs_write() //write 1 proc_sys_write() proc_sys_write() mac_hid_toggle_emumouse() mac_hid_toggle_emumouse() old_val = *valp // old_val=0 old_val = *valp // old_val=0 mutex_lock_killable() proc_dointvec() // *valp=1 mac_hid_start_emulation() input_register_handler() mutex_unlock() mutex_lock_killable() proc_dointvec() mac_hid_start_emulation() input_register_handler() //Trigger Warning mutex_unlock() Fix this by moving the old_val read inside the mutex lock region. CVE-2025-68367 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68367.html CVE-2025-68367 https://bugzilla.suse.com/1255547 SUSE Bug 1255547 In the Linux kernel, the following vulnerability has been resolved: nbd: defer config put in recv_work There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and NBD_CMD_RECONFIGURE: nbd_genl_connect // conf_ref=2 (connect and recv_work A) nbd_open // conf_ref=3 recv_work A done // conf_ref=2 NBD_CLEAR_SOCK // conf_ref=1 nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B) close nbd // conf_ref=1 recv_work B config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Or only running NBD_CLEAR_SOCK: nbd_genl_connect // conf_ref=2 nbd_open // conf_ref=3 NBD_CLEAR_SOCK // conf_ref=2 close nbd nbd_release config_put // conf_ref=1 recv_work config_put // conf_ref=0 atomic_dec(&config->recv_threads); -> UAF Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the waiter") moved nbd_config_put() to run before waking up the waiter in recv_work, in order to ensure that nbd_start_device_ioctl() would not be woken up while nbd->task_recv was still uncleared. However, in nbd_start_device_ioctl(), after being woken up it explicitly calls flush_workqueue() to make sure all current works are finished. Therefore, there is no need to move the config put ahead of the wakeup. Move nbd_config_put() to the end of recv_work, so that the reference is held for the whole lifetime of the worker thread. This makes sure the config cannot be freed while recv_work is still running, even if clear + reconfigure interleave. In addition, we don't need to worry about recv_work dropping the last nbd_put (which causes deadlock): path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=1 (trigger recv_work) open nbd // nbd_refs=2 NBD_CLEAR_SOCK close nbd nbd_release nbd_disconnect_and_put flush_workqueue // recv_work done nbd_config_put nbd_put // nbd_refs=1 nbd_put // nbd_refs=0 queue_work path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT): connect // nbd_refs=2 (trigger recv_work) open nbd // nbd_refs=3 NBD_CLEAR_SOCK // conf_refs=2 close nbd nbd_release nbd_config_put // conf_refs=1 nbd_put // nbd_refs=2 recv_work done // conf_refs=0, nbd_refs=1 rmmod // nbd_refs=0 Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put") CVE-2025-68372 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68372.html CVE-2025-68372 https://bugzilla.suse.com/1255537 SUSE Bug 1255537 In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stackmap overflow check in __bpf_get_stackid() Syzkaller reported a KASAN slab-out-of-bounds write in __bpf_get_stackid() when copying stack trace data. The issue occurs when the perf trace contains more stack entries than the stack map bucket can hold, leading to an out-of-bounds write in the bucket's data array. CVE-2025-68378 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68378.html CVE-2025-68378 https://bugzilla.suse.com/1255614 SUSE Bug 1255614 In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix null deref on srq->rq.queue after resize failure A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask. Call Trace: <TASK> rxe_modify_srq+0x170/0x480 [rdma_rxe] ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe] ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs] ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs] ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs] ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs] ? tryinc_node_nr_active+0xe6/0x150 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs] ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs] ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs] ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs] ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs] ? __pfx___raw_spin_lock_irqsave+0x10/0x10 ? __pfx_do_vfs_ioctl+0x10/0x10 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs] ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs] __x64_sys_ioctl+0x138/0x1c0 do_syscall_64+0x82/0x250 ? fdget_pos+0x58/0x4c0 ? ksys_write+0xf3/0x1c0 ? __pfx_ksys_write+0x10/0x10 ? do_syscall_64+0xc8/0x250 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksys_mmap_pgoff+0x224/0x4c0 ? do_syscall_64+0xc8/0x250 ? do_user_addr_fault+0x37b/0xfe0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e CVE-2025-68379 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68379.html CVE-2025-68379 https://bugzilla.suse.com/1255695 SUSE Bug 1255695 In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff is assigned to he_mcs->rx_mcs_set field. Ext Tag: HE Capabilities [...] Supported HE-MCS and NSS Set [...] Rx and Tx MCS Maps 160 MHz [...] Tx HE-MCS Map 160 MHz: 0xffff Swap the assignment to fix this issue. As the HE rate control mask is meant to limit our own transmit MCS, it needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping done, change is needed as well to apply it to the peer's receive MCS. Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 CVE-2025-68380 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68380.html CVE-2025-68380 https://bugzilla.suse.com/1255580 SUSE Bug 1255580 In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Use check_add_overflow() to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetric_key_id structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a possible buffer overflow when copying data from potentially malicious X.509 certificate fields that can be arbitrarily large, such as ASN.1 INTEGER serial numbers, issuer names, etc. CVE-2025-68724 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68724.html CVE-2025-68724 https://bugzilla.suse.com/1255550 SUSE Bug 1255550 In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device via bpf_clone_redirect() then mentioned offload warning can be seen. GSO-related features are then rightfully disabled. We get into this situation due to convert___skb_to_skb() setting gso_segs and gso_size but not gso_type. Technically, it makes sense that this warning triggers since the GSO properties are malformed due to the gso_type. Potentially, the gso_type could be marked non-trustworthy through setting it at least to SKB_GSO_DODGY without any other specific assumptions, but that also feels wrong given we should not go further into the GSO engine in the first place. The checks were added in 121d57af308d ("gso: validate gso_type in GSO handlers") because there were malicious (syzbot) senders that combine a protocol with a non-matching gso_type. If we would want to drop such packets, gso_features_check() currently only returns feature flags via netif_skb_features(), so one location for potentially dropping such skbs could be validate_xmit_unreadable_skb(), but then otoh it would be an additional check in the fast-path for a very corner case. Given bpf_clone_redirect() is the only place where BPF test infra could emit such packets, lets reject them right there. CVE-2025-68725 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68725.html CVE-2025-68725 https://bugzilla.suse.com/1255569 SUSE Bug 1255569 In the Linux kernel, the following vulnerability has been resolved: ntfs3: Fix uninit buffer allocated by __getname() Fix uninit errors caused after buffer allocation given to 'de'; by initializing the buffer with zeroes. The fix was found by using KMSAN. CVE-2025-68727 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68727.html CVE-2025-68727 https://bugzilla.suse.com/1255568 SUSE Bug 1255568 In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix uninit memory after failed mi_read in mi_format_new Fix a KMSAN un-init bug found by syzkaller. ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be uptodate. We do not bring the buffer uptodate before setting it as uptodate. If the buffer were to not be uptodate, it could mean adding a buffer with un-init data to the mi record. Attempting to load that record will trigger KMSAN. Avoid this by setting the buffer as uptodate, if it's not already, by overwriting it. CVE-2025-68728 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68728.html CVE-2025-68728 https://bugzilla.suse.com/1255539 SUSE Bug 1255539 In the Linux kernel, the following vulnerability has been resolved: gpu: host1x: Fix race in syncpt alloc/free Fix race condition between host1x_syncpt_alloc() and host1x_syncpt_put() by using kref_put_mutex() instead of kref_put() + manual mutex locking. This ensures no thread can acquire the syncpt_mutex after the refcount drops to zero but before syncpt_release acquires it. This prevents races where syncpoints could be allocated while still being cleaned up from a previous release. Remove explicit mutex locking in syncpt_release as kref_put_mutex() handles this atomically. CVE-2025-68732 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68732.html CVE-2025-68732 https://bugzilla.suse.com/1255688 SUSE Bug 1255688 https://bugzilla.suse.com/1255689 SUSE Bug 1255689 In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into own /proc/PID/attr/smack/current This occurs because do_setattr() imports the provided label in advance, before checking "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. CVE-2025-68733 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68733.html CVE-2025-68733 https://bugzilla.suse.com/1255615 SUSE Bug 1255615 In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only. Issue found using a prototype static analysis tool. CVE-2025-68734 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68734.html CVE-2025-68734 https://bugzilla.suse.com/1255538 SUSE Bug 1255538 In the Linux kernel, the following vulnerability has been resolved: ima: Handle error code returned by ima_filter_rule_match() In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to the rule being NULL, the function incorrectly skips the 'if (!rc)' check and sets 'result = true'. The LSM rule is considered a match, causing extra files to be measured by IMA. This issue can be reproduced in the following scenario: After unloading the SELinux policy module via 'semodule -d', if an IMA measurement is triggered before ima_lsm_rules is updated, in ima_match_rules(), the first call to ima_filter_rule_match() returns -ESTALE. This causes the code to enter the 'if (rc == -ESTALE && !rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In ima_lsm_copy_rule(), since the SELinux module has been removed, the rule becomes NULL, and the second call to ima_filter_rule_match() returns -ENOENT. This bypasses the 'if (!rc)' check and results in a false match. Call trace: selinux_audit_rule_match+0x310/0x3b8 security_audit_rule_match+0x60/0xa0 ima_match_rules+0x2e4/0x4a0 ima_match_policy+0x9c/0x1e8 ima_get_action+0x48/0x60 process_measurement+0xf8/0xa98 ima_bprm_check+0x98/0xd8 security_bprm_check+0x5c/0x78 search_binary_handler+0x6c/0x318 exec_binprm+0x58/0x1b8 bprm_execve+0xb8/0x130 do_execveat_common.isra.0+0x1a8/0x258 __arm64_sys_execve+0x48/0x68 invoke_syscall+0x50/0x128 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x44/0x200 el0t_64_sync_handler+0x100/0x130 el0t_64_sync+0x3c8/0x3d0 Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error codes like -ENOENT do not bypass the check and accidentally result in a successful match. CVE-2025-68740 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68740.html CVE-2025-68740 https://bugzilla.suse.com/1255812 SUSE Bug 1255812 In the Linux kernel, the following vulnerability has been resolved: bpf: Fix invalid prog->stats access when update_effective_progs fails Syzkaller triggers an invalid memory access issue following fault injection in update_effective_progs. The issue can be described as follows: __cgroup_bpf_detach update_effective_progs compute_effective_progs bpf_prog_array_alloc <-- fault inject purge_effective_progs /* change to dummy_bpf_prog */ array->items[index] = &dummy_bpf_prog.prog ---softirq start--- __do_softirq ... __cgroup_bpf_run_filter_skb __bpf_prog_run_save_cb bpf_prog_run stats = this_cpu_ptr(prog->stats) /* invalid memory access */ flags = u64_stats_update_begin_irqsave(&stats->syncp) ---softirq end--- static_branch_dec(&cgroup_bpf_enabled_key[atype]) The reason is that fault injection caused update_effective_progs to fail and then changed the original prog into dummy_bpf_prog.prog in purge_effective_progs. Then a softirq came, and accessing the members of dummy_bpf_prog.prog in the softirq triggers invalid mem access. To fix it, skip updating stats when stats is NULL. CVE-2025-68742 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68742.html CVE-2025-68742 https://bugzilla.suse.com/1255707 SUSE Bug 1255707 In the Linux kernel, the following vulnerability has been resolved: bpf: Free special fields when update [lru_,]percpu_hash maps As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the map gets freed. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. CVE-2025-68744 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68744.html CVE-2025-68744 https://bugzilla.suse.com/1255709 SUSE Bug 1255709 In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Fix timeout handling When the CPU that the QSPI interrupt handler runs on (typically CPU 0) is excessively busy, it can lead to rare cases of the IRQ thread not running before the transfer timeout is reached. While handling the timeouts, any pending transfers are cleaned up and the message that they correspond to is marked as failed, which leaves the curr_xfer field pointing at stale memory. To avoid this, clear curr_xfer to NULL upon timeout and check for this condition when the IRQ thread is finally run. While at it, also make sure to clear interrupts on failure so that new interrupts can be run. A better, more involved, fix would move the interrupt clearing into a hard IRQ handler. Ideally we would also want to signal that the IRQ thread no longer needs to be run after the timeout is hit to avoid the extra check for a valid transfer. CVE-2025-68746 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68746.html CVE-2025-68746 https://bugzilla.suse.com/1255722 SUSE Bug 1255722 In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption"). CVE-2025-68750 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68750.html CVE-2025-68750 https://bugzilla.suse.com/1255814 SUSE Bug 1255814 In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-motu: add bounds check in put_user loop for DSP events In the DSP event handling code, a put_user() loop copies event data. When the user buffer size is not aligned to 4 bytes, it could overwrite beyond the buffer boundary. Fix by adding a bounds check before put_user(). CVE-2025-68753 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68753.html CVE-2025-68753 https://bugzilla.suse.com/1256238 SUSE Bug 1256238 In the Linux kernel, the following vulnerability has been resolved: drm/vgem-fence: Fix potential deadlock on release A timer that expires a vgem fence automatically in 10 seconds is now released with timer_delete_sync() from fence->ops.release() called on last dma_fence_put(). In some scenarios, it can run in IRQ context, which is not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while working on new IGT subtests syncobj_timeline@stress-* as user space replacements of some problematic test cases of a dma-fence-chain selftest [1]. [117.004338] ================================ [117.004340] WARNING: inconsistent lock state [117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U [117.004346] -------------------------------- [117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. [117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes: [117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190 [117.004361] {HARDIRQ-ON-W} state was registered at: [117.004363] lock_acquire+0xc4/0x2e0 [117.004366] call_timer_fn+0x80/0x2a0 [117.004368] __run_timers+0x231/0x310 [117.004370] run_timer_softirq+0x76/0xe0 [117.004372] handle_softirqs+0xd4/0x4d0 [117.004375] __irq_exit_rcu+0x13f/0x160 [117.004377] irq_exit_rcu+0xe/0x20 [117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0 [117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20 [117.004385] cpuidle_enter_state+0x12b/0x8a0 [117.004388] cpuidle_enter+0x2e/0x50 [117.004393] call_cpuidle+0x22/0x60 [117.004395] do_idle+0x1fd/0x260 [117.004398] cpu_startup_entry+0x29/0x30 [117.004401] start_secondary+0x12d/0x160 [117.004404] common_startup_64+0x13e/0x141 [117.004407] irq event stamp: 2282669 [117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80 [117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0 [117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18 [117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160 [117.004426] other info that might help us debug this: [117.004429] Possible unsafe locking scenario: [117.004432] CPU0 [117.004433] ---- [117.004434] lock((&fence->timer)); [117.004436] <Interrupt> [117.004438] lock((&fence->timer)); [117.004440] *** DEADLOCK *** [117.004443] 1 lock held by swapper/0/0: [117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0 [117.004450] stack backtrace: [117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary) [117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023 [117.004456] Call Trace: [117.004456] <IRQ> [117.004457] dump_stack_lvl+0x91/0xf0 [117.004460] dump_stack+0x10/0x20 [117.004461] print_usage_bug.part.0+0x260/0x360 [117.004463] mark_lock+0x76e/0x9c0 [117.004465] ? register_lock_class+0x48/0x4a0 [117.004467] __lock_acquire+0xbc3/0x2860 [117.004469] lock_acquire+0xc4/0x2e0 [117.004470] ? __timer_delete_sync+0x4b/0x190 [117.004472] ? __timer_delete_sync+0x4b/0x190 [117.004473] __timer_delete_sync+0x68/0x190 [117.004474] ? __timer_delete_sync+0x4b/0x190 [117.004475] timer_delete_sync+0x10/0x20 [117.004476] vgem_fence_release+0x19/0x30 [vgem] [117.004478] dma_fence_release+0xc1/0x3b0 [117.004480] ? dma_fence_release+0xa1/0x3b0 [117.004481] dma_fence_chain_release+0xe7/0x130 [117.004483] dma_fence_release+0xc1/0x3b0 [117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80 [117.004485] dma_fence_chain_irq_work+0x59/0x80 [117.004487] irq_work_single+0x75/0xa0 [117.004490] irq_work_r ---truncated--- CVE-2025-68757 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68757.html CVE-2025-68757 https://bugzilla.suse.com/1255943 SUSE Bug 1255943 In the Linux kernel, the following vulnerability has been resolved: backlight: led-bl: Add devlink to supplier LEDs LED Backlight is a consumer of one or multiple LED class devices, but devlink is currently unable to create correct supplier-producer links when the supplier is a class device. It creates instead a link where the supplier is the parent of the expected device. One consequence is that removal order is not correctly enforced. Issues happen for example with the following sections in a device tree overlay: // An LED driver chip pca9632@62 { compatible = "nxp,pca9632"; reg = <0x62>; // ... addon_led_pwm: led-pwm@3 { reg = <3>; label = "addon:led:pwm"; }; }; backlight-addon { compatible = "led-backlight"; leds = <&addon_led_pwm>; brightness-levels = <255>; default-brightness-level = <255>; }; In this example, the devlink should be created between the backlight-addon (consumer) and the pca9632@62 (supplier). Instead it is created between the backlight-addon (consumer) and the parent of the pca9632@62, which is typically the I2C bus adapter. On removal of the above overlay, the LED driver can be removed before the backlight device, resulting in: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 ... Call trace: led_put+0xe0/0x140 devm_led_release+0x6c/0x98 Another way to reproduce the bug without any device tree overlays is unbinding the LED class device (pca9632@62) before unbinding the consumer (backlight-addon): echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind Fix by adding a devlink between the consuming led-backlight device and the supplying LED device, as other drivers and subsystems do as well. CVE-2025-68758 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68758.html CVE-2025-68758 https://bugzilla.suse.com/1255944 SUSE Bug 1255944 In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which calls rtl8180_free_rx_ring() to free the allocations. Remove the free of rx_ring in rtl8180_init_rx_ring() error path, and set the freed priv->rx_buf entry to null, to avoid double free. CVE-2025-68759 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68759.html CVE-2025-68759 https://bugzilla.suse.com/1255934 SUSE Bug 1255934 In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag. CVE-2025-68764 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68764.html CVE-2025-68764 https://bugzilla.suse.com/1255930 SUSE Bug 1255930 In the Linux kernel, the following vulnerability has been resolved: mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function returns an error without freeing sskb, leading to a memory leak. Fix this by calling dev_kfree_skb() on sskb in the error handling path to ensure it is properly released. CVE-2025-68765 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68765.html CVE-2025-68765 https://bugzilla.suse.com/1255931 SUSE Bug 1255931 In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success. CVE-2025-68766 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68766.html CVE-2025-68766 https://bugzilla.suse.com/1255932 SUSE Bug 1255932 In the Linux kernel, the following vulnerability has been resolved: inet: frags: flush pending skbs in fqdir_pre_exit() We have been seeing occasional deadlocks on pernet_ops_rwsem since September in NIPA. The stuck task was usually modprobe (often loading a driver like ipvlan), trying to take the lock as a Writer. lockdep does not track readers for rwsems so the read wasn't obvious from the reports. On closer inspection the Reader holding the lock was conntrack looping forever in nf_conntrack_cleanup_net_list(). Based on past experience with occasional NIPA crashes I looked thru the tests which run before the crash and noticed that the crash follows ip_defrag.sh. An immediate red flag. Scouring thru (de)fragmentation queues reveals skbs sitting around, holding conntrack references. The problem is that since conntrack depends on nf_defrag_ipv6, nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its netns exit hooks run _after_ conntrack's netns exit hook. Flush all fragment queue SKBs during fqdir_pre_exit() to release conntrack references before conntrack cleanup runs. Also flush the queues in timer expiry handlers when they discover fqdir->dead is set, in case packet sneaks in while we're running the pre_exit flush. The commit under Fixes is not exactly the culprit, but I think previously the timer firing would eventually unblock the spinning conntrack. CVE-2025-68768 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68768.html CVE-2025-68768 https://bugzilla.suse.com/1256579 SUSE Bug 1256579 In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix XDP_TX path For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be looping within NAPI and some event flags may be set in earlier iterations. In particular, if BNXT_TX_EVENT is set earlier indicating some XDP_TX packets are ready and pending, it will be cleared if it is XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we successfully call __bnxt_xmit_xdp(). But if the TX ring has no more room, the flag will not be set. This will cause the TX producer to be ahead but the driver will not hit the TX doorbell. For multi-buf XDP_TX, there is no need to clear the event flags and set BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in bnxt_rx_pkt(). The visible symptom of this is that the RX ring associated with the TX XDP ring will eventually become empty and all packets will be dropped. Because this condition will cause the driver to not refill the RX ring seeing that the TX ring has forever pending XDP_TX packets. The fix is to only clear BNXT_RX_EVENT when we have successfully called __bnxt_xmit_xdp(). CVE-2025-68770 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68770.html CVE-2025-68770 https://bugzilla.suse.com/1256584 SUSE Bug 1256584 In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix kernel BUG in ocfs2_find_victim_chain syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the `cl_next_free_rec` field of the allocation chain list (next free slot in the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec) condition in ocfs2_find_victim_chain() and panicking the kernel. To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(), just before calling ocfs2_find_victim_chain(), the code block in it being executed when either of the following conditions is true: 1. `cl_next_free_rec` is equal to 0, indicating that there are no free chains in the allocation chain list 2. `cl_next_free_rec` is greater than `cl_count` (the total number of chains in the allocation chain list) Either of them being true is indicative of the fact that there are no chains left for usage. This is addressed using ocfs2_error(), which prints the error log for debugging purposes, rather than panicking the kernel. CVE-2025-68771 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68771.html CVE-2025-68771 https://bugzilla.suse.com/1256582 SUSE Bug 1256582 In the Linux kernel, the following vulnerability has been resolved: spi: fsl-cpm: Check length parity before switching to 16 bit mode Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size") failed to make sure that the size is really even before switching to 16 bit mode. Until recently the problem went unnoticed because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for reading EEPROM. But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API") introduced an additional dynamically allocated bounce buffer whose size is exactly the size of the transfer, leading to a buffer overrun in the fsl-cpm driver when that size is odd. Add the missing length parity verification and remain in 8 bit mode when the length is not even. CVE-2025-68773 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68773.html CVE-2025-68773 https://bugzilla.suse.com/1256586 SUSE Bug 1256586 In the Linux kernel, the following vulnerability has been resolved: net/handshake: duplicate handshake cancellations leak socket When a handshake request is cancelled it is removed from the handshake_net->hn_requests list, but it is still present in the handshake_rhashtbl until it is destroyed. If a second cancellation request arrives for the same handshake request, then remove_pending() will return false... and assuming HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue processing through the out_true label, where we put another reference on the sock and a refcount underflow occurs. This can happen for example if a handshake times out - particularly if the SUNRPC client sends the AUTH_TLS probe to the server but doesn't follow it up with the ClientHello due to a problem with tlshd. When the timeout is hit on the server, the server will send a FIN, which triggers a cancellation request via xs_reset_transport(). When the timeout is hit on the client, another cancellation request happens via xs_tls_handshake_sync(). Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel path so duplicate cancels can be detected. CVE-2025-68775 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68775.html CVE-2025-68775 https://bugzilla.suse.com/1256665 SUSE Bug 1256665 https://bugzilla.suse.com/1256666 SUSE Bug 1256666 In the Linux kernel, the following vulnerability has been resolved: net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std but doesn't check if the allocation failed. If __pskb_copy() returns NULL, skb_clone() is called with a NULL pointer, causing a crash: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f] CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041 Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207 RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480 RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000 RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000 R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00 FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0 Call Trace: <TASK> hsr_forward_do net/hsr/hsr_forward.c:-1 [inline] hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741 hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84 __netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966 __netif_receive_skb_one_core net/core/dev.c:6077 [inline] __netif_receive_skb+0x72/0x380 net/core/dev.c:6192 netif_receive_skb_internal net/core/dev.c:6278 [inline] netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337 tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485 tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953 tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x5c9/0xb30 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0449f8e1ff Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8 RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001 R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003 </TASK> Add a NULL check immediately after __pskb_copy() to handle allocation failures gracefully. CVE-2025-68776 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68776.html CVE-2025-68776 https://bugzilla.suse.com/1256659 SUSE Bug 1256659 In the Linux kernel, the following vulnerability has been resolved: Input: ti_am335x_tsc - fix off-by-one error in wire_order validation The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds access when used as index in 'config_pins[wire_order[i]]'. Since config_pins has 4 elements (indices 0-3), the valid range for wire_order should be 0-3. Fix the off-by-one error by using >= instead of > in the validation check. CVE-2025-68777 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68777.html CVE-2025-68777 https://bugzilla.suse.com/1256655 SUSE Bug 1256655 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-mixer: us16x08: validate meter packet indices get_meter_levels_from_urb() parses the 64-byte meter packets sent by the device and fills the per-channel arrays meter_level[], comp_level[] and master_level[] in struct snd_us16x08_meter_store. Currently the function derives the channel index directly from the meter packet (MUB2(meter_urb, s) - 1) and uses it to index those arrays without validating the range. If the packet contains a negative or out-of-range channel number, the driver may write past the end of these arrays. Introduce a local channel variable and validate it before updating the arrays. We reject negative indices, limit meter_level[] and comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[] updates with ARRAY_SIZE(master_level). CVE-2025-68783 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68783.html CVE-2025-68783 https://bugzilla.suse.com/1256650 SUSE Bug 1256650 In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent directory (e.g. /dev). Users with no read access to a file but with read access to its parent directory can still stat the file and see if it was accessed/modified via atime/mtime change. The same is not true for special files (e.g. /dev/null). Users will not generally observe atime/mtime changes when other users read/write to special files, only when someone sets atime/mtime via utimensat(). Align fsnotify events with this stat behavior and do not generate ACCESS/MODIFY events to parent watchers on read/write of special files. The events are still generated to parent watchers on utimensat(). This closes some side-channels that could be possibly used for information exfiltration [1]. [1] https://snee.la/pdf/pubs/file-notification-attacks.pdf CVE-2025-68788 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68788.html CVE-2025-68788 https://bugzilla.suse.com/1256638 SUSE Bug 1256638 This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. CVE-2025-68789 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68789.html CVE-2025-68789 https://bugzilla.suse.com/1256781 SUSE Bug 1256781 In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values. If the number of stats changes between these calls (e.g., due to device reconfiguration), userspace's buffer allocation will be incorrect, potentially leading to buffer overflow. Drivers are generally expected to maintain stable stat counts, but some drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making this scenario possible. Some drivers try to handle this internally: - bnad_get_ethtool_stats() returns early in case stats.n_stats is not equal to the driver's stats count. - micrel/ksz884x also makes sure not to write anything beyond stats.n_stats and overflow the buffer. However, both use stats.n_stats which is already assigned with the value returned from get_sset_count(), hence won't solve the issue described here. Change ethtool_get_strings(), ethtool_get_stats(), ethtool_get_phy_stats() to not return anything in case of a mismatch between userspace's size and get_sset_size(), to prevent buffer overflow. The returned n_stats value will be equal to zero, to reflect that nothing has been returned. This could result in one of two cases when using upstream ethtool, depending on when the size change is detected: 1. When detected in ethtool_get_strings(): # ethtool -S eth2 no stats available 2. When detected in get stats, all stats will be reported as zero. Both cases are presumably transient, and a subsequent ethtool call should succeed. Other than the overflow avoidance, these two cases are very evident (no output/cleared stats), which is arguably better than presenting incorrect/shifted stats. I also considered returning an error instead of a "silent" response, but that seems more destructive towards userspace apps. Notes: - This patch does not claim to fix the inherent race, it only makes sure that we do not overflow the userspace buffer, and makes for a more predictable behavior. - RTNL lock is held during each ioctl, the race window exists between the separate ioctl calls when the lock is released. - Userspace ethtool always fills stats.n_stats, but it is likely that these stats ioctls are implemented in other userspace applications which might not fill it. The added code checks that it's not zero, to prevent any regressions. CVE-2025-68795 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68795.html CVE-2025-68795 https://bugzilla.suse.com/1256688 SUSE Bug 1256688 In the Linux kernel, the following vulnerability has been resolved: char: applicom: fix NULL pointer dereference in ac_ioctl Discovered by Atuin - Automated Vulnerability Discovery Engine. In ac_ioctl, the validation of IndexCard and the check for a valid RamIO pointer are skipped when cmd is 6. However, the function unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the end. If cmd is 6, IndexCard may reference a board that does not exist (where RamIO is NULL), leading to a NULL pointer dereference. Fix this by skipping the readb access when cmd is 6, as this command is a global information query and does not target a specific board context. CVE-2025-68797 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68797.html CVE-2025-68797 https://bugzilla.suse.com/1256660 SUSE Bug 1256660 In the Linux kernel, the following vulnerability has been resolved: perf/x86/amd: Check event before enable to avoid GPF On AMD machines cpuc->events[idx] can become NULL in a subtle race condition with NMI->throttle->x86_pmu_stop(). Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF. This appears to be an AMD only issue. Syzkaller reported a GPF in amd_pmu_enable_all. INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143 msecs Oops: general protection fault, probably for non-canonical address 0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7] CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195 arch/x86/events/core.c:1430) RSP: 0018:ffff888118009d60 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601 FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0 Call Trace: <IRQ> amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2)) x86_pmu_enable (arch/x86/events/core.c:1360) event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186 kernel/events/core.c:2346) __perf_remove_from_context (kernel/events/core.c:2435) event_function (kernel/events/core.c:259) remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) __flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540) __sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272) sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47) arch/x86/kernel/smp.c:266 (discriminator 47)) </IRQ> CVE-2025-68798 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68798.html CVE-2025-68798 https://bugzilla.suse.com/1256689 SUSE Bug 1256689 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 CVE-2025-68800 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68800.html CVE-2025-68800 https://bugzilla.suse.com/1256646 SUSE Bug 1256646 In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_router: Fix neighbour use-after-free We sometimes observe use-after-free when dereferencing a neighbour [1]. The problem seems to be that the driver stores a pointer to the neighbour, but without holding a reference on it. A reference is only taken when the neighbour is used by a nexthop. Fix by simplifying the reference counting scheme. Always take a reference when storing a neighbour pointer in a neighbour entry. Avoid taking a referencing when the neighbour is used by a nexthop as the neighbour entry associated with the nexthop already holds a reference. Tested by running the test that uncovered the problem over 300 times. Without this patch the problem was reproduced after a handful of iterations. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310 Read of size 8 at addr ffff88817f8e3420 by task ip/3929 CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full) Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023 Call Trace: <TASK> dump_stack_lvl+0x6f/0xa0 print_address_description.constprop.0+0x6e/0x300 print_report+0xfc/0x1fb kasan_report+0xe4/0x110 mlxsw_sp_neigh_entry_update+0x2d4/0x310 mlxsw_sp_router_rif_gone_sync+0x35f/0x510 mlxsw_sp_rif_destroy+0x1ea/0x730 mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0 __mlxsw_sp_inetaddr_lag_event+0xcc/0x130 __mlxsw_sp_inetaddr_event+0xf5/0x3c0 mlxsw_sp_router_netdevice_event+0x1015/0x1580 notifier_call_chain+0xcc/0x150 call_netdevice_notifiers_info+0x7e/0x100 __netdev_upper_dev_unlink+0x10b/0x210 netdev_upper_dev_unlink+0x79/0xa0 vrf_del_slave+0x18/0x50 do_set_master+0x146/0x7d0 do_setlink.isra.0+0x9a0/0x2880 rtnl_newlink+0x637/0xb20 rtnetlink_rcv_msg+0x6fe/0xb90 netlink_rcv_skb+0x123/0x380 netlink_unicast+0x4a3/0x770 netlink_sendmsg+0x75b/0xc90 __sock_sendmsg+0xbe/0x160 ____sys_sendmsg+0x5b2/0x7d0 ___sys_sendmsg+0xfd/0x180 __sys_sendmsg+0x124/0x1c0 do_syscall_64+0xbb/0xfd0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 [...] Allocated by task 109: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x2c1/0x790 neigh_alloc+0x6af/0x8f0 ___neigh_create+0x63/0xe90 mlxsw_sp_nexthop_neigh_init+0x430/0x7e0 mlxsw_sp_nexthop_type_init+0x212/0x960 mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280 mlxsw_sp_nexthop6_group_get+0x392/0x6a0 mlxsw_sp_fib6_entry_create+0x46a/0xfd0 mlxsw_sp_router_fib6_replace+0x1ed/0x5f0 mlxsw_sp_router_fib6_event_work+0x10a/0x2a0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Freed by task 154: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free_bulk.part.0+0x1eb/0x5e0 kvfree_rcu_bulk+0x1f2/0x260 kfree_rcu_work+0x130/0x1b0 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 Last potentially related work creation: kasan_save_stack+0x30/0x50 kasan_record_aux_stack+0x8c/0xa0 kvfree_call_rcu+0x93/0x5b0 mlxsw_sp_router_neigh_event_work+0x67d/0x860 process_one_work+0xd57/0x1390 worker_thread+0x4d6/0xd40 kthread+0x355/0x5b0 ret_from_fork+0x1d4/0x270 ret_from_fork_asm+0x11/0x20 CVE-2025-68801 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68801.html CVE-2025-68801 https://bugzilla.suse.com/1256653 SUSE Bug 1256653 In the Linux kernel, the following vulnerability has been resolved: NFSD: NFSv4 file creation neglects setting ACL An NFSv4 client that sets an ACL with a named principal during file creation retrieves the ACL afterwards, and finds that it is only a default ACL (based on the mode bits) and not the ACL that was requested during file creation. This violates RFC 8881 section 6.4.1.3: "the ACL attribute is set as given". The issue occurs in nfsd_create_setattr(), which calls nfsd_attrs_valid() to determine whether to call nfsd_setattr(). However, nfsd_attrs_valid() checks only for iattr changes and security labels, but not POSIX ACLs. When only an ACL is present, the function returns false, nfsd_setattr() is skipped, and the POSIX ACL is never applied to the inode. Subsequently, when the client retrieves the ACL, the server finds no POSIX ACL on the inode and returns one generated from the file's mode bits rather than returning the originally-specified ACL. CVE-2025-68803 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68803.html CVE-2025-68803 https://bugzilla.suse.com/1256770 SUSE Bug 1256770 In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver After unbinding the driver, another kthread `cros_ec_console_log_work` is still accessing the device, resulting an UAF and crash. The driver doesn't unregister the EC device in .remove() which should shutdown sub-devices synchronously. Fix it. CVE-2025-68804 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68804.html CVE-2025-68804 https://bugzilla.suse.com/1256617 SUSE Bug 1256617 https://bugzilla.suse.com/1256618 SUSE Bug 1256618 In the Linux kernel, the following vulnerability has been resolved: media: vidtv: initialize local pointers upon transfer of memory ownership vidtv_channel_si_init() creates a temporary list (program, service, event) and ownership of the memory itself is transferred to the PAT/SDT/EIT tables through vidtv_psi_pat_program_assign(), vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign(). The problem here is that the local pointer where the memory ownership transfer was completed is not initialized to NULL. This causes the vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and in the flow that jumps to free_eit, the memory that was freed by vidtv_psi_*_table_destroy() can be accessed again by vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it is freed once again. Therefore, to prevent use-after-free and double-free vulnerability, local pointers must be initialized to NULL when transferring memory ownership. CVE-2025-68808 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68808.html CVE-2025-68808 https://bugzilla.suse.com/1256682 SUSE Bug 1256682 In the Linux kernel, the following vulnerability has been resolved: ipvs: fix ipv4 null-ptr-deref in route error path The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure() without ensuring skb->dev is set, leading to a NULL pointer dereference in fib_compute_spec_dst() when ipv4_link_failure() attempts to send ICMP destination unreachable messages. The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure") started calling __ip_options_compile() from ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst() which dereferences skb->dev. An attempt was made to fix the NULL skb->dev dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev) dereference by using a fallback device. The fix was incomplete because fib_compute_spec_dst() later in the call chain still accesses skb->dev directly, which remains NULL when IPVS calls dst_link_failure(). The crash occurs when: 1. IPVS processes a packet in NAT mode with a misconfigured destination 2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route 3. The error path calls dst_link_failure(skb) with skb->dev == NULL 4. ipv4_link_failure() -> ipv4_send_dest_unreach() -> __ip_options_compile() -> fib_compute_spec_dst() 5. fib_compute_spec_dst() dereferences NULL skb->dev Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before calling dst_link_failure(). KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f] CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2 RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233 RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285 Call Trace: <TASK> spec_dst_fill net/ipv4/ip_options.c:232 spec_dst_fill net/ipv4/ip_options.c:229 __ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330 ipv4_send_dest_unreach net/ipv4/route.c:1252 ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265 dst_link_failure include/net/dst.h:437 __ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412 ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764 CVE-2025-68813 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68813.html CVE-2025-68813 https://bugzilla.suse.com/1256641 SUSE Bug 1256641 https://bugzilla.suse.com/1256644 SUSE Bug 1256644 In the Linux kernel, the following vulnerability has been resolved: io_uring: fix filename leak in __io_openat_prep() __io_openat_prep() allocates a struct filename using getname(). However, for the condition of the file being installed in the fixed file table as well as having O_CLOEXEC flag set, the function returns early. At that point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this, the memory for the newly allocated struct filename is not cleaned up, causing a memory leak. Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the successful getname() call, so that when the request is torn down, the filename will be cleaned up, along with other resources needing cleanup. CVE-2025-68814 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68814.html CVE-2025-68814 https://bugzilla.suse.com/1256651 SUSE Bug 1256651 In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663 CVE-2025-68815 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68815.html CVE-2025-68815 https://bugzilla.suse.com/1256680 SUSE Bug 1256680 In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior. Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix. CVE-2025-68816 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68816.html CVE-2025-68816 https://bugzilla.suse.com/1256674 SUSE Bug 1256674 In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() rlen value is a user-controlled value, but dtv5100_i2c_msg() does not check the size of the rlen value. Therefore, if it is set to a value larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data. Therefore, we need to add proper range checking to prevent this vuln. CVE-2025-68819 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68819.html CVE-2025-68819 https://bugzilla.suse.com/1256664 SUSE Bug 1256664 In the Linux kernel, the following vulnerability has been resolved: ext4: xattr: fix null pointer deref in ext4_raw_inode() If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc(). Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-68820 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-68820.html CVE-2025-68820 https://bugzilla.suse.com/1256754 SUSE Bug 1256754 In the Linux kernel, the following vulnerability has been resolved: net: hns3: using the num_tqps in the vf driver to apply for resources Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller than hdev->num_tqps, which causes some hdev->htqp[i] to remain uninitialized in hclgevf_knic_setup(). Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps, ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent and that all elements are properly initialized. CVE-2025-71064 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71064.html CVE-2025-71064 https://bugzilla.suse.com/1256654 SUSE Bug 1256654 In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change zdi-disclosures@trendmicro.com says: The vulnerability is a race condition between `ets_qdisc_dequeue` and `ets_qdisc_change`. It leads to UAF on `struct Qdisc` object. Attacker requires the capability to create new user and network namespace in order to trigger the bug. See my additional commentary at the end of the analysis. Analysis: static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt, struct netlink_ext_ack *extack) { ... // (1) this lock is preventing .change handler (`ets_qdisc_change`) //to race with .dequeue handler (`ets_qdisc_dequeue`) sch_tree_lock(sch); for (i = nbands; i < oldbands; i++) { if (i >= q->nstrict && q->classes[i].qdisc->q.qlen) list_del_init(&q->classes[i].alist); qdisc_purge_queue(q->classes[i].qdisc); } WRITE_ONCE(q->nbands, nbands); for (i = nstrict; i < q->nstrict; i++) { if (q->classes[i].qdisc->q.qlen) { // (2) the class is added to the q->active list_add_tail(&q->classes[i].alist, &q->active); q->classes[i].deficit = quanta[i]; } } WRITE_ONCE(q->nstrict, nstrict); memcpy(q->prio2band, priomap, sizeof(priomap)); for (i = 0; i < q->nbands; i++) WRITE_ONCE(q->classes[i].quantum, quanta[i]); for (i = oldbands; i < q->nbands; i++) { q->classes[i].qdisc = queues[i]; if (q->classes[i].qdisc != &noop_qdisc) qdisc_hash_add(q->classes[i].qdisc, true); } // (3) the qdisc is unlocked, now dequeue can be called in parallel // to the rest of .change handler sch_tree_unlock(sch); ets_offload_change(sch); for (i = q->nbands; i < oldbands; i++) { // (4) we're reducing the refcount for our class's qdisc and // freeing it qdisc_put(q->classes[i].qdisc); // (5) If we call .dequeue between (4) and (5), we will have // a strong UAF and we can control RIP q->classes[i].qdisc = NULL; WRITE_ONCE(q->classes[i].quantum, 0); q->classes[i].deficit = 0; gnet_stats_basic_sync_init(&q->classes[i].bstats); memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats)); } return 0; } Comment: This happens because some of the classes have their qdiscs assigned to NULL, but remain in the active list. This commit fixes this issue by always removing the class from the active list before deleting and freeing its associated qdisc Reproducer Steps (trimmed version of what was sent by zdi-disclosures@trendmicro.com) ``` DEV="${DEV:-lo}" ROOT_HANDLE="${ROOT_HANDLE:-1:}" BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2 PING_BYTES="${PING_BYTES:-48}" PING_COUNT="${PING_COUNT:-200000}" PING_DST="${PING_DST:-127.0.0.1}" SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}" SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}" SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}" cleanup() { tc qdisc del dev "$DEV" root 2>/dev/null } trap cleanup EXIT ip link set "$DEV" up tc qdisc del dev "$DEV" root 2>/dev/null || true tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \ tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT" tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2 tc -s qdisc ls dev $DEV ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \ >/dev/null 2>&1 & tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0 tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2 tc -s qdisc ls dev $DEV tc qdisc del dev "$DEV" parent ---truncated--- CVE-2025-71066 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71066.html CVE-2025-71066 https://bugzilla.suse.com/1256645 SUSE Bug 1256645 In the Linux kernel, the following vulnerability has been resolved: tpm: Cap the number of PCR banks tpm2_get_pcr_allocation() does not cap any upper limit for the number of banks. Cap the limit to eight banks so that out of bounds values coming from external I/O cause on only limited harm. CVE-2025-71077 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71077.html CVE-2025-71077 https://bugzilla.suse.com/1256613 SUSE Bug 1256613 In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction - typically after every 256 context switches - to remove old entry. To optimize performance, the kernel skips switch_mmu_context() in switch_mm_irqs_off() when the prev and next mm_struct are the same. However, on hash MMU systems, this can lead to inconsistencies between the hardware SLB and the software preload cache. If an SLB entry for a process is evicted from the software cache on one CPU, and the same process later runs on another CPU without executing switch_mmu_context(), the hardware SLB may retain stale entries. If the kernel then attempts to reload that entry, it can trigger an SLB multi-hit error. The following timeline shows how stale SLB entries are created and can cause a multi-hit error when a process moves between CPUs without a MMU context switch. CPU 0 CPU 1 ----- ----- Process P exec swapper/1 load_elf_binary begin_new_exc activate_mm switch_mm_irqs_off switch_mmu_context switch_slb /* * This invalidates all * the entries in the HW * and setup the new HW * SLB entries as per the * preload cache. */ context_switch sched_migrate_task migrates process P to cpu-1 Process swapper/0 context switch (to process P) (uses mm_struct of Process P) switch_mm_irqs_off() switch_slb load_slb++ /* * load_slb becomes 0 here * and we evict an entry from * the preload cache with * preload_age(). We still * keep HW SLB and preload * cache in sync, that is * because all HW SLB entries * anyways gets evicted in * switch_slb during SLBIA. * We then only add those * entries back in HW SLB, * which are currently * present in preload_cache * (after eviction). */ load_elf_binary continues... setup_new_exec() slb_setup_new_exec() sched_switch event sched_migrate_task migrates process P to cpu-0 context_switch from swapper/0 to Process P switch_mm_irqs_off() /* * Since both prev and next mm struct are same we don't call * switch_mmu_context(). This will cause the HW SLB and SW preload * cache to go out of sync in preload_new_slb_context. Because there * was an SLB entry which was evicted from both HW and preload cache * on cpu-1. Now later in preload_new_slb_context(), when we will try * to add the same preload entry again, we will add this to the SW * preload cache and then will add it to the HW SLB. Since on cpu-0 * this entry was never invalidated, hence adding this entry to the HW * SLB will cause a SLB multi-hit error. */ load_elf_binary cont ---truncated--- CVE-2025-71078 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71078.html CVE-2025-71078 https://bugzilla.suse.com/1256616 SUSE Bug 1256616 In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device. CVE-2025-71079 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71079.html CVE-2025-71079 https://bugzilla.suse.com/1256619 SUSE Bug 1256619 In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: sai: fix OF node leak on probe The reference taken to the sync provider OF node when probing the platform device is currently only dropped if the set_sync() callback fails during DAI probe. Make sure to drop the reference on platform probe failures (e.g. probe deferral) and on driver unbind. This also avoids a potential use-after-free in case the DAI is ever reprobed without first rebinding the platform driver. CVE-2025-71081 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71081.html CVE-2025-71081 https://bugzilla.suse.com/1256609 SUSE Bug 1256609 In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. In a driver that binds to other interfaces, ISOC and DIAG, this is an accident waiting to happen. The issue is revealed in btusb_disconnect(), where calling usb_driver_release_interface(&btusb_driver, data->intf) will have devm free the data that is also being used by the other interfaces of the driver that may not be released yet. To fix this, revert the use of devm and go back to freeing memory explicitly. CVE-2025-71082 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71082.html CVE-2025-71082 https://bugzilla.suse.com/1256611 SUSE Bug 1256611 In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is recorded instead of the buffer contents. CVE-2025-71083 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71083.html CVE-2025-71083 https://bugzilla.suse.com/1256610 SUSE Bug 1256610 In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID entry ref leak for dev syz1 index 2 ref=573 WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline] WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886 Destroy the ah_attr after canceling the work, it is safe to call this twice. CVE-2025-71084 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71084.html CVE-2025-71084 https://bugzilla.suse.com/1256622 SUSE Bug 1256622 In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead < 0) at net/core/skbuff.c:2232 in pskb_expand_head(). This bug is triggered as part of the calipso_skbuff_setattr() routine when skb_cow() is passed headroom > INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) < 0). The root cause of the bug is due to an implicit integer cast in __skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a BUG_ON in pskb_expand_head(). However, if headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta becomes negative, and pskb_expand_head() is passed a negative value for nhead. Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing "negative" headroom sizes to skb_cow() within calipso_skbuff_setattr() by only using skb_cow() to grow headroom. PoC: Using `netlabelctl` tool: netlabelctl map del default netlabelctl calipso add pass doi:7 netlabelctl map add default address:0::1/128 protocol:calipso,7 Then run the following PoC: int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP); // setup msghdr int cmsg_size = 2; int cmsg_len = 0x60; struct msghdr msg; struct sockaddr_in6 dest_addr; struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1, sizeof(struct cmsghdr) + cmsg_len); msg.msg_name = &dest_addr; msg.msg_namelen = sizeof(dest_addr); msg.msg_iov = NULL; msg.msg_iovlen = 0; msg.msg_control = cmsg; msg.msg_controllen = cmsg_len; msg.msg_flags = 0; // setup sockaddr dest_addr.sin6_family = AF_INET6; dest_addr.sin6_port = htons(31337); dest_addr.sin6_flowinfo = htonl(31337); dest_addr.sin6_addr = in6addr_loopback; dest_addr.sin6_scope_id = 31337; // setup cmsghdr cmsg->cmsg_len = cmsg_len; cmsg->cmsg_level = IPPROTO_IPV6; cmsg->cmsg_type = IPV6_HOPOPTS; char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr); hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80 sendmsg(fd, &msg, 0); CVE-2025-71085 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71085.html CVE-2025-71085 https://bugzilla.suse.com/1256623 SUSE Bug 1256623 https://bugzilla.suse.com/1256624 SUSE Bug 1256624 In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this reads an uninitialized entry; for cnt == ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to an invalid socket pointer dereference and also leaks references taken via sock_hold(). Fix the index to use i. CVE-2025-71086 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71086.html CVE-2025-71086 https://bugzilla.suse.com/1256625 SUSE Bug 1256625 In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upper bounds were: i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX which is safe since the value is the last valid index. That commit changed the bounds to: i <= adapter->rss_{key,lut}_size / 4 where `rss_{key,lut}_size / 4` is the number of dwords, so the last valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=` accesses one element past the end. Fix the issues by using `<` instead of `<=`, ensuring we do not exceed the bounds. [1] KASAN splat about rss_key_size off-by-one BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800 Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63 CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: iavf iavf_watchdog_task Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x1a0 iavf_config_rss+0x619/0x800 iavf_watchdog_task+0x2be7/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 63: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x246/0x6f0 iavf_watchdog_task+0x28fc/0x3230 process_one_work+0x7fd/0x1420 worker_thread+0x4d1/0xd40 kthread+0x344/0x660 ret_from_fork+0x249/0x320 ret_from_fork_asm+0x1a/0x30 The buggy address belongs to the object at ffff888102c50100 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes to the right of allocated 52-byte region [ffff888102c50100, ffff888102c50134) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50 flags: 0x200000000000000(node=0|zone=2) page_type: f5(slab) raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc ^ ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc CVE-2025-71087 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71087.html CVE-2025-71087 https://bugzilla.suse.com/1256628 SUSE Bug 1256628 In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6 RSP: 0018:ffffc900006cf338 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007 R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900 R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004 FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0 Call Trace: <TASK> tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197 tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922 tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672 tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918 ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500 dst_input include/net/dst.h:471 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6092 process_backlog+0x442/0x15e0 net/core/dev.c:6444 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494 napi_poll net/core/dev.c:7557 [inline] net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684 handle_softirqs+0x216/0x8e0 kernel/softirq.c:579 run_ksoftirqd kernel/softirq.c:968 [inline] run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c2/0x780 kernel/kthread.c:463 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The TCP subflow can process the simult-connect syn-ack packet after transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check, as the sk_state_change() callback is not invoked for * -> FIN_WAIT1 transitions. That will move the msk socket to an inconsistent status and the next incoming data will hit the reported splat. Close the race moving the simult-fallback check at the earliest possible stage - that is at syn-ack generation time. About the fixes tags: [2] was supposed to also fix this issue introduced by [3]. [1] is required as a dependence: it was not explicitly marked as a fix, but it is one and it has already been backported before [3]. In other words, this commit should be backported up to [3], including [2] and [1] if that's not already there. CVE-2025-71088 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71088.html CVE-2025-71088 https://bugzilla.suse.com/1256630 SUSE Bug 1256630 In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel page table page is freed and reallocated for another purpose, the IOMMU might still hold stale, incorrect entries. This can be exploited to cause a use-after-free or write-after-free condition, potentially leading to privilege escalation or data corruption. This solution introduces a deferred freeing mechanism for kernel page table pages, which provides a safe window to notify the IOMMU to invalidate its caches before the page is reused. This patch (of 8): In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware shares and walks the CPU's page tables. The x86 architecture maps the kernel's virtual address space into the upper portion of every process's page table. Consequently, in an SVA context, the IOMMU hardware can walk and cache kernel page table entries. The Linux kernel currently lacks a notification mechanism for kernel page table changes, specifically when page table pages are freed and reused. The IOMMU driver is only notified of changes to user virtual address mappings. This can cause the IOMMU's internal caches to retain stale entries for kernel VA. Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when kernel page table pages are freed and later reallocated. The IOMMU could misinterpret the new data as valid page table entries. The IOMMU might then walk into attacker-controlled memory, leading to arbitrary physical memory DMA access or privilege escalation. This is also a Write-After-Free issue, as the IOMMU will potentially continue to write Accessed and Dirty bits to the freed memory while attempting to walk the stale page tables. Currently, SVA contexts are unprivileged and cannot access kernel mappings. However, the IOMMU will still walk kernel-only page tables all the way down to the leaf entries, where it realizes the mapping is for the kernel and errors out. This means the IOMMU still caches these intermediate page table entries, making the described vulnerability a real concern. Disable SVA on x86 architecture until the IOMMU can receive notification to flush the paging cache before freeing the CPU kernel page table pages. CVE-2025-71089 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71089.html CVE-2025-71089 https://bugzilla.suse.com/1256612 SUSE Bug 1256612 https://bugzilla.suse.com/1256615 SUSE Bug 1256615 In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:59! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59 Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000 RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005 RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230 R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480 FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0 Call Trace: <TASK> __list_del_entry_valid include/linux/list.h:132 [inline] __list_del_entry include/linux/list.h:223 [inline] list_del_rcu include/linux/rculist.h:178 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:826 [inline] __team_queue_override_port_del drivers/net/team/team_core.c:821 [inline] team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline] team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534 team_option_set drivers/net/team/team_core.c:376 [inline] team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653 genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2630 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2684 __sys_sendmsg+0x16d/0x220 net/socket.c:2716 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The problem is in this flow: 1) Port is enabled, queue_id != 0, in qom_list 2) Port gets disabled -> team_port_disable() -> team_queue_override_port_del() -> del (removed from list) 3) Port is disabled, queue_id != 0, not in any list 4) Priority changes -> team_queue_override_port_prio_changed() -> checks: port disabled && queue_id != 0 -> calls del - hits the BUG as it is removed already To fix this, change the check in team_queue_override_port_prio_changed() so it returns early if port is not enabled. CVE-2025-71091 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71091.html CVE-2025-71091 https://bugzilla.suse.com/1256773 SUSE Bug 1256773 In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. CVE-2025-71093 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71093.html CVE-2025-71093 https://bugzilla.suse.com/1256777 SUSE Bug 1256777 In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/phy/mdio_bus.c:76 Validate the PHY address in asix_read_phy_addr() and remove the now-redundant check in ax88172a.c. CVE-2025-71094 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71094.html CVE-2025-71094 https://bugzilla.suse.com/1256597 SUSE Bug 1256597 In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP [ 216.301694] Call trace: [ 216.304130] dcache_clean_poc+0x20/0x38 (P) [ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0 [ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400 [ 216.317701] __stmmac_xdp_run_prog+0x164/0x368 [ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00 [ 216.326576] __napi_poll+0x40/0x218 [ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt For XDP_TX action, the xdp_buff is converted to xdp_frame by xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame depends on the memory type of the xdp_buff. For page pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy XSK pool based xdp_buff it produces xdp_frame with memory type MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the memory type and always uses the page pool type, this leads to invalid mappings and causes the crash. Therefore, check the xdp_buff memory type in stmmac_xdp_xmit_back() to fix this issue. CVE-2025-71095 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71095.html CVE-2025-71095 https://bugzilla.suse.com/1256605 SUSE Bug 1256605 In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then directly index that array to get the data for the DGID. Just fail if it is NULL. Remove the for loop searching for the nla, and squash the validation and parsing into one function. Fixes an uninitialized read from the stack triggered by userspace if it does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE query. BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline] BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 hex_byte_pack include/linux/hex.h:13 [inline] ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490 ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509 ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633 pointer+0xc09/0x1bd0 lib/vsprintf.c:2542 vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930 vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279 vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426 vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465 vprintk+0x36/0x50 kernel/printk/printk_safe.c:82 _printk+0x17e/0x1b0 kernel/printk/printk.c:2475 ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline] ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141 rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline] rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x333/0x3d0 net/socket.c:729 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2671 __sys_sendmsg+0x1aa/0x300 net/socket.c:2703 __compat_sys_sendmsg net/compat.c:346 [inline] __do_compat_sys_sendmsg net/compat.c:353 [inline] __se_compat_sys_sendmsg net/compat.c:350 [inline] __ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350 ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3 CVE-2025-71096 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71096.html CVE-2025-71096 https://bugzilla.suse.com/1256606 SUSE Bug 1256606 In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem. CVE-2025-71097 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71097.html CVE-2025-71097 https://bugzilla.suse.com/1256607 SUSE Bug 1256607 In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ip6gre device. [1] skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0 ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:213 ! <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 neigh_output include/net/neighbour.h:556 [inline] ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 CVE-2025-71098 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71098.html CVE-2025-71098 https://bugzilla.suse.com/1256591 SUSE Bug 1256591 In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30 index 10 is out of range for type 'rtl_tid_data [9]' CVE-2025-71100 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71100.html CVE-2025-71100 https://bugzilla.suse.com/1256593 SUSE Bug 1256593 In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not behaving correctly, and auto-fix the value so that the system boots correctly. Found on Lenovo P1 G8 during Linux enablement program. The FW will be fixed, but seemed worth addressing in case it hit platforms that aren't officially Linux supported. CVE-2025-71108 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71108.html CVE-2025-71108 https://bugzilla.suse.com/1256774 SUSE Bug 1256774 In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Convert the macro to a static function. This guarantees that arguments are evaluated only once (pass-by-value), preventing the race conditions. Additionally, in store_fan_div, move the calculation of the minimum limit inside the update lock. This ensures that the read-modify-write sequence operates on consistent data. Adhere to the principle of minimal changes by only converting macros that evaluate arguments multiple times and are used in lockless contexts. CVE-2025-71111 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71111.html CVE-2025-71111 https://bugzilla.suse.com/1256728 SUSE Bug 1256728 In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause out-of-bounds memory access once the VLAN id is bigger than or equal to VLAN_N_VID. Therefore, VLAN id needs to be checked to ensure it is within the range of VLAN_N_VID. CVE-2025-71112 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71112.html CVE-2025-71112 https://bugzilla.suse.com/1256726 SUSE Bug 1256726 https://bugzilla.suse.com/1256727 SUSE Bug 1256727 In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as "<BAD>" under /proc/iomem on x86 platforms. During boot, this unnamed resource can lead to a critical hang because subsequent resource lookups and conflict checks fail to handle the invalid entry properly. CVE-2025-71114 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71114.html CVE-2025-71114 https://bugzilla.suse.com/1256752 SUSE Bug 1256752 In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value. This patch adds explicit bounds checks for each field that is decoded or skipped. CVE-2025-71116 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71116.html CVE-2025-71116 https://bugzilla.suse.com/1256744 SUSE Bug 1256744 In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Magicbook 14 Pro [1]. That happens due to the access to the member of parent_node in acpi_ns_get_next_node(). The NULL pointer dereference will always happen, no matter whether or not the start_node is equal to ACPI_ROOT_OBJECT, so move the check of start_node being NULL out of the if block. Unfortunately, all the attempts to contact Honor have failed, they refused to provide any technical support for Linux. The bad DSDT table's dump could be found on GitHub [2]. DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025 [ rjw: Subject adjustment, changelog edits ] CVE-2025-71118 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71118.html CVE-2025-71118 https://bugzilla.suse.com/1256763 SUSE Bug 1256763 In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc [snip] NIP kexec_prepare_cpus+0x1b0/0x1bc LR kexec_prepare_cpus+0x1a0/0x1bc Call Trace: kexec_prepare_cpus+0x1a0/0x1bc (unreliable) default_machine_kexec+0x160/0x19c machine_kexec+0x80/0x88 kernel_kexec+0xd0/0x118 __do_sys_reboot+0x210/0x2c4 system_call_exception+0x124/0x320 system_call_vectored_common+0x15c/0x2ec This occurs as add_cpu() fails due to cpu_bootable() returning false for CPUs that fail the cpu_smt_thread_allowed() check or non primary threads if SMT is disabled. Fix the issue by enabling SMT and resetting the number of SMT threads to the number of threads per core, before attempting to wake up all present CPUs. CVE-2025-71119 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71119.html CVE-2025-71119 https://bugzilla.suse.com/1256730 SUSE Bug 1256730 In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the copy length is 0. Guard the first memcpy so it only runs when length > 0. CVE-2025-71120 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71120.html CVE-2025-71120 https://bugzilla.suse.com/1256779 SUSE Bug 1256779 https://bugzilla.suse.com/1256780 SUSE Bug 1256780 In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. CVE-2025-71123 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71123.html CVE-2025-71123 https://bugzilla.suse.com/1256757 SUSE Bug 1256757 In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execution of eb_lookup_vmas(), the eb->vma array is successively filled up with struct eb_vma objects. This process includes calling eb_add_vma(), which might fail; however, even in the event of failure, eb->vma[i].vma is set for the currently processed buffer. If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which prompts a call to eb_release_vmas() to clean up the mess. Since eb_lookup_vmas() might fail during processing any (possibly not first) buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know at what point did the lookup function fail. In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is set to NULL in case i915_gem_object_userptr_submit_init() fails; the current one needs to be cleaned up by eb_release_vmas() at this point, so the next one is set. If eb_add_vma() fails, neither the current nor the next vma is set to NULL, which is a source of a NULL deref bug described in the issue linked in the Closes tag. When entering eb_lookup_vmas(), the vma pointers are set to the slab poison value, instead of NULL. This doesn't matter for the actual lookup, since it gets overwritten anyway, however the eb_release_vmas() function only recognizes NULL as the stopping value, hence the pointers are being set to NULL as they go in case of intermediate failure. This patch changes the approach to filling them all with NULL at the start instead, rather than handling that manually during failure. (cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd) CVE-2025-71130 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71130.html CVE-2025-71130 https://bugzilla.suse.com/1256741 SUSE Bug 1256741 In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_info and use it for that purpose instead. CVE-2025-71131 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71131.html CVE-2025-71131 https://bugzilla.suse.com/1256742 SUSE Bug 1256742 In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work [ 13.062266] C ** replaying previous printk message ** [ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)} [ 13.062353] Hardware name: , BIOS [ 13.062382] Workqueue: mld mld_ifc_work [ 13.062469] Call trace: [ 13.062494] show_stack+0x24/0x40 (C) [ 13.062602] __dump_stack+0x28/0x48 [ 13.062710] dump_stack_lvl+0x7c/0xb0 [ 13.062818] dump_stack+0x18/0x34 [ 13.062926] process_scheduled_works+0x294/0x450 [ 13.063043] worker_thread+0x260/0x3d8 [ 13.063124] kthread+0x1c4/0x228 [ 13.063235] ret_from_fork+0x10/0x20 This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT, but smc_special_unlock() does not restore IRQs on PREEMPT_RT. The reason is that smc_special_unlock() calls spin_unlock_irqrestore(), and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero. To address this issue, replace smc_special_trylock() with spin_trylock_irqsave(). CVE-2025-71132 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71132.html CVE-2025-71132 https://bugzilla.suse.com/1256737 SUSE Bug 1256737 In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case. The bug is mostly harmless, but it triggers KASAN on debug kernels: BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma] Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554 CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1 Hardware name: [...] Workqueue: events rt6_probe_deferred Call Trace: <IRQ> dump_stack_lvl+0x60/0xb0 print_address_description.constprop.0+0x2c/0x3f0 print_report+0xb4/0x270 kasan_report+0x92/0xc0 irdma_net_event+0x32e/0x3b0 [irdma] notifier_call_chain+0x9e/0x180 atomic_notifier_call_chain+0x5c/0x110 rt6_do_redirect+0xb91/0x1080 tcp_v6_err+0xe9b/0x13e0 icmpv6_notify+0x2b2/0x630 ndisc_redirect_rcv+0x328/0x530 icmpv6_rcv+0xc16/0x1360 ip6_protocol_deliver_rcu+0xb84/0x12e0 ip6_input_finish+0x117/0x240 ip6_input+0xc4/0x370 ipv6_rcv+0x420/0x7d0 __netif_receive_skb_one_core+0x118/0x1b0 process_backlog+0xd1/0x5d0 __napi_poll.constprop.0+0xa3/0x440 net_rx_action+0x78a/0xba0 handle_softirqs+0x2d4/0x9c0 do_softirq+0xad/0xe0 </IRQ> CVE-2025-71133 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71133.html CVE-2025-71133 https://bugzilla.suse.com/1256733 SUSE Bug 1256733 In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer dereferences can occur when calling raid5_quiesce(): raid5_quiesce(mddev, true); raid5_quiesce(mddev, false); since mddev->private is assigned to conf again in raid5_quiesce(), and conf is dereferenced in several places, for example: conf->quiesce = 0; wake_up(&conf->wait_for_quiescent); To fix this issue, the function should unlock mddev and return before invoking raid5_quiesce() when conf is NULL, following the existing pattern in raid5_change_consistency_policy(). CVE-2025-71135 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71135.html CVE-2025-71135 https://bugzilla.suse.com/1256761 SUSE Bug 1256761 In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (linuxtesting.org) with SVACE. CVE-2025-71136 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71136.html CVE-2025-71136 https://bugzilla.suse.com/1256759 SUSE Bug 1256759 In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users passes small or zero ring sizes via ethtool -G. CVE-2025-71137 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71137.html CVE-2025-71137 https://bugzilla.suse.com/1256760 SUSE Bug 1256760 In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/ CVE-2025-71138 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71138.html CVE-2025-71138 https://bugzilla.suse.com/1256785 SUSE Bug 1256785 In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. CVE-2025-71145 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71145.html CVE-2025-71145 https://bugzilla.suse.com/1257155 SUSE Bug 1257155 https://bugzilla.suse.com/1257156 SUSE Bug 1257156 In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. CVE-2025-71147 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71147.html CVE-2025-71147 https://bugzilla.suse.com/1257158 SUSE Bug 1257158 In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. CVE-2025-71149 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71149.html CVE-2025-71149 https://bugzilla.suse.com/1257164 SUSE Bug 1257164 In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. CVE-2025-71154 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71154.html CVE-2025-71154 https://bugzilla.suse.com/1257163 SUSE Bug 1257163 In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. - Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 CVE-2025-71162 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71162.html CVE-2025-71162 https://bugzilla.suse.com/1257204 SUSE Bug 1257204 In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. CVE-2025-71163 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2025-71163.html CVE-2025-71163 https://bugzilla.suse.com/1257215 SUSE Bug 1257215 In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af ---truncated--- CVE-2026-22976 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22976.html CVE-2026-22976 https://bugzilla.suse.com/1257035 SUSE Bug 1257035 In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: - sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 - offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 CVE-2026-22977 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22977.html CVE-2026-22977 https://bugzilla.suse.com/1257053 SUSE Bug 1257053 In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. CVE-2026-22978 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22978.html CVE-2026-22978 https://bugzilla.suse.com/1257227 SUSE Bug 1257227 In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] CVE-2026-22984 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22984.html CVE-2026-22984 https://bugzilla.suse.com/1257217 SUSE Bug 1257217 In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) - not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> CVE-2026-22985 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22985.html CVE-2026-22985 https://bugzilla.suse.com/1257277 SUSE Bug 1257277 In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. CVE-2026-22988 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22988.html CVE-2026-22988 https://bugzilla.suse.com/1257282 SUSE Bug 1257282 In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. CVE-2026-22990 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22990.html CVE-2026-22990 https://bugzilla.suse.com/1257221 SUSE Bug 1257221 In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. CVE-2026-22991 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22991.html CVE-2026-22991 https://bugzilla.suse.com/1257220 SUSE Bug 1257220 In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). CVE-2026-22992 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22992.html CVE-2026-22992 https://bugzilla.suse.com/1257218 SUSE Bug 1257218 In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> CVE-2026-22993 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22993.html CVE-2026-22993 https://bugzilla.suse.com/1257180 SUSE Bug 1257180 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 CVE-2026-22996 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22996.html CVE-2026-22996 https://bugzilla.suse.com/1257203 SUSE Bug 1257203 In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as | unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. CVE-2026-22997 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22997.html CVE-2026-22997 https://bugzilla.suse.com/1257202 SUSE Bug 1257202 In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. CVE-2026-22999 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-22999.html CVE-2026-22999 https://bugzilla.suse.com/1257236 SUSE Bug 1257236 https://bugzilla.suse.com/1257238 SUSE Bug 1257238 In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: ## Enabling switchdev mode first time: mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 ^^^^^^^^ mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) ## retry: Enabling switchdev mode 2nd time: mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload BUG: kernel NULL pointer dereference, address: 0000000000000038 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 RSP: 0018:ffffc90000673890 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_netdev_change_profile+0x45/0xb0 mlx5e_vport_rep_load+0x27b/0x2d0 mlx5_esw_offloads_rep_load+0x72/0xf0 esw_offloads_enable+0x5d0/0x970 mlx5_eswitch_enable_locked+0x349/0x430 ? is_mp_supported+0x57/0xb0 mlx5_devlink_eswitch_mode_set+0x26b/0x430 devlink_nl_eswitch_set_doit+0x6f/0xf0 genl_family_rcv_msg_doit+0xe8/0x140 genl_rcv_msg+0x18b/0x290 ? __pfx_devlink_nl_pre_doit+0x10/0x10 ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 ? __pfx_devlink_nl_post_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x52/0x100 genl_rcv+0x28/0x40 netlink_unicast+0x282/0x3e0 ? __alloc_skb+0xd6/0x190 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x213/0x220 ? __sys_recvmsg+0x6a/0xd0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdfb8495047 CVE-2026-23000 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23000.html CVE-2026-23000 https://bugzilla.suse.com/1257234 SUSE Bug 1257234 In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u CVE-2026-23001 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23001.html CVE-2026-23001 https://bugzilla.suse.com/1257232 SUSE Bug 1257232 https://bugzilla.suse.com/1257233 SUSE Bug 1257233 In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features that are disabled via the guest's XFD. Because the kernel executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's call to fpu_update_guest_xfd(). and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ------------[ cut here ]------------ WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> ---[ end trace 0000000000000000 ]--- The new behavior is consistent with the AMX architecture. Per Intel's SDM, XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and it we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea ---truncated--- CVE-2026-23005 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23005.html CVE-2026-23005 https://bugzilla.suse.com/1257245 SUSE Bug 1257245 In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv". CVE-2026-23006 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23006.html CVE-2026-23006 https://bugzilla.suse.com/1257208 SUSE Bug 1257208 In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let's move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu ---truncated--- CVE-2026-23010 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23010.html CVE-2026-23010 https://bugzilla.suse.com/1257332 SUSE Bug 1257332 In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust") Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 CVE-2026-23011 SUSE Linux Micro 6.1:kernel-default-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-base-6.4.0-39.1.21.16 SUSE Linux Micro 6.1:kernel-default-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-default-livepatch-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-devel-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-kvmsmall-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-macros-6.4.0-39.1 SUSE Linux Micro 6.1:kernel-source-6.4.0-39.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620498-1/ https://www.suse.com/security/cve/CVE-2026-23011.html CVE-2026-23011 https://bugzilla.suse.com/1257207 SUSE Bug 1257207