Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise Micro 6.0) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20500-1 Final 1 1 2026-02-19T09:17:44Z current 2026-02-19T09:17:44Z 2026-02-19T09:17:44Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 5 for SUSE Linux Enterprise Micro 6.0) This update for the SUSE Linux Enterprise kernel 6.4.0-25.1 fixes various security issues The following security issues were fixed: - CVE-2025-38111: net/mdiobus: Fix potential out-of-bounds read/write access (bsc#1249455). - CVE-2025-38352: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (bsc#1249205). - CVE-2025-39742: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (bsc#1249480). - CVE-2025-40129: sunrpc: fix null pointer dereference on zero-length checksum (bsc#1253473). - CVE-2025-40186: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request() (bsc#1253439). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-kernel-271 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ Link for SUSE-SU-2026:20500-1 https://lists.suse.com/pipermail/sle-security-updates/2026-February/024474.html E-Mail link for SUSE-SU-2026:20500-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1249205 SUSE Bug 1249205 https://bugzilla.suse.com/1249455 SUSE Bug 1249455 https://bugzilla.suse.com/1249480 SUSE Bug 1249480 https://bugzilla.suse.com/1253439 SUSE Bug 1253439 https://bugzilla.suse.com/1253473 SUSE Bug 1253473 https://www.suse.com/security/cve/CVE-2025-38111/ SUSE CVE CVE-2025-38111 page https://www.suse.com/security/cve/CVE-2025-38352/ SUSE CVE CVE-2025-38352 page https://www.suse.com/security/cve/CVE-2025-39742/ SUSE CVE CVE-2025-39742 page https://www.suse.com/security/cve/CVE-2025-40129/ SUSE CVE CVE-2025-40129 page https://www.suse.com/security/cve/CVE-2025-40186/ SUSE CVE CVE-2025-40186 page SUSE Linux Micro 6.1 kernel-livepatch-6_4_0-25-default-15-1.2 kernel-livepatch-6_4_0-25-default-15-1.2 as a component of SUSE Linux Micro 6.1 In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation. CVE-2025-38111 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-default-15-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ https://www.suse.com/security/cve/CVE-2025-38111.html CVE-2025-38111 https://bugzilla.suse.com/1245666 SUSE Bug 1245666 https://bugzilla.suse.com/1249455 SUSE Bug 1249455 In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. CVE-2025-38352 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-default-15-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ https://www.suse.com/security/cve/CVE-2025-38352.html CVE-2025-38352 https://bugzilla.suse.com/1246911 SUSE Bug 1246911 https://bugzilla.suse.com/1249205 SUSE Bug 1249205 In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. This implies a possibility to get and divide-by-zero runtime error. Fix it by moving the check prior to division. This also helps to save one indentation level. CVE-2025-39742 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-default-15-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ https://www.suse.com/security/cve/CVE-2025-39742.html CVE-2025-39742 https://bugzilla.suse.com/1247374 SUSE Bug 1247374 https://bugzilla.suse.com/1249479 SUSE Bug 1249479 https://bugzilla.suse.com/1249480 SUSE Bug 1249480 https://bugzilla.suse.com/1253291 SUSE Bug 1253291 In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less than XDR_UNIT. CVE-2025-40129 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-default-15-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ https://www.suse.com/security/cve/CVE-2025-40129.html CVE-2025-40129 https://bugzilla.suse.com/1253472 SUSE Bug 1253472 https://bugzilla.suse.com/1253473 SUSE Bug 1253473 In the Linux kernel, the following vulnerability has been resolved: tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). syzbot reported the splat below in tcp_conn_request(). [0] If a listener is close()d while a TFO socket is being processed in tcp_conn_request(), inet_csk_reqsk_queue_add() does not set reqsk->sk and calls inet_child_forget(), which calls tcp_disconnect() for the TFO socket. After the cited commit, tcp_disconnect() calls reqsk_fastopen_remove(), where reqsk_put() is called due to !reqsk->sk. Then, reqsk_fastopen_remove() in tcp_conn_request() decrements the last req->rsk_refcnt and frees reqsk, and __reqsk_free() at the drop_and_free label causes the refcount underflow for the listener and double-free of the reqsk. Let's remove reqsk_fastopen_remove() in tcp_conn_request(). Note that other callers make sure tp->fastopen_rsk is not NULL. [0]: refcount_t: underflow; use-after-free. WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcount_warn_saturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace: <IRQ> tcp_conn_request (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/request_sock.h:131 net/ipv4/tcp_input.c:7301) tcp_rcv_state_process (net/ipv4/tcp_input.c:6708) tcp_v6_do_rcv (net/ipv6/tcp_ipv6.c:1670) tcp_v6_rcv (net/ipv6/tcp_ipv6.c:1906) ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:438) ip6_input (net/ipv6/ip6_input.c:500) ipv6_rcv (net/ipv6/ip6_input.c:311) __netif_receive_skb (net/core/dev.c:6104) process_backlog (net/core/dev.c:6456) __napi_poll (net/core/dev.c:7506) net_rx_action (net/core/dev.c:7569 net/core/dev.c:7696) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480) </IRQ> CVE-2025-40186 SUSE Linux Micro 6.1:kernel-livepatch-6_4_0-25-default-15-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620500-1/ https://www.suse.com/security/cve/CVE-2025-40186.html CVE-2025-40186 https://bugzilla.suse.com/1253438 SUSE Bug 1253438 https://bugzilla.suse.com/1253439 SUSE Bug 1253439