[LSN-0112-1] Linux kernel vulnerabilities
[USN-7548-1] MariaDB vulnerabilities
[USN-7508-2] Open VM Tools vulnerability
[USN-7550-1] Linux kernel vulnerabilities
[USN-7551-1] libvpx vulnerability
[LSN-0112-1] Linux kernel vulnerabilities
Linux kernel vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 22.04 LTS
Summary
Several security issues were fixed in the kernel.
Software Description
- linux - Linux kernel
- linux-aws - Linux kernel for Amazon Web Services (AWS) systems
- linux-azure - Linux kernel for Microsoft Azure Cloud systems
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop - Linux kernel for Google Container Engine (GKE) systems
- linux-ibm - Linux kernel for IBM cloud systems
- linux-oracle - Linux kernel for Oracle Cloud systems
Details
In the Linux kernel, the following vulnerability has been resolved:
nfsd: fix use-after-free due to delegation race A delegation break could
arrive as soon as we’ve called vfs_setlease. A delegation break runs a
callback which immediately (in nfsd4_cb_recall_prepare) adds the
delegation to del_recall_lru. If we then exit nfs4_set_delegation
without hashing the delegation, it will be freed as soon as the callback
is done with it, without ever being removed from del_recall_lru.
Symptoms show up later as use-after-free or list corruption warnings,
usually in the laundromat thread. I suspect aba2072f4523 “nfsd: grant
read delegations to clients holding writes” made this bug easier to hit,
but I looked as far back as v3.0 and it looks to me it already had the
same problem. So I’m not sure where the bug was introduced; it may have
been there from the beginning. (CVE-2021-47506)
Jann Horn discovered that the watch_queue event notification subsystem
in the Linux kernel contained an out-of-bounds write vulnerability. A
local attacker could use this to cause a denial of service (system
crash) or escalate their privileges. (CVE-2022-0995)
In the Linux kernel, the following vulnerability has been resolved: net:
atlantic: eliminate double free in error handling logic Driver has a
logic leak in ring data allocation/free, where aq_ring_free could be
called multiple times on same ring, if system is under stress and got
memory allocation error. Ring pointer was used as an indicator of
failure, but this is not correct since only ring data is
allocated/deallocated. Ring itself is an array member. Changing ring
allocation functions to return error code directly. This simplifies
error handling and eliminates aq_ring_free on higher layer.
(CVE-2023-52664)
In the Linux kernel, the following vulnerability has been resolved:
ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in
encode_cap_msg(), “use after free” error was caught by KASAN at this
line - ‘ceph_buffer_get(arg->xattr_buf);’. This implies before the
refcount could be incremented here, it was freed. In same file, in
“handle_cap_grant()” refcount is decremented by this line -
‘ceph_buffer_put(ci->i_xattrs.blob);’. It appears that a race occurred
and resource was freed by the latter line before the former line could
increment it. encode_cap_msg() is called by __send_cap() and
__send_cap() is called by ceph_check_caps() after calling __prep_cap().
__prep_cap() is where arg->xattr_buf is assigned to ci->i_xattrs.blob.
This is the spot where the refcount must be increased to prevent “use
after free” error. (CVE-2024-26689)
In the Linux kernel, the following vulnerability has been resolved: smb:
client: fix potential UAF in smb2_is_valid_lease_break() Skip sessions
that are being torn down (status == SES_EXITING) to avoid UAF.
(CVE-2024-35864)
In the Linux kernel, the following vulnerability has been resolved: HID:
core: zero-initialize the report buffer Since the report buffer is used
by all kinds of drivers in various ways, let’s zero-initialize it
during allocation to make sure that it can’t be ever used to leak kernel
memory via specially-crafted report. (CVE-2024-50302)
In the Linux kernel, the following vulnerability has been resolved:
media: dvbdev: prevent the risk of out of memory access The dvbdev
contains a static variable used to store dvb minors. The behavior of it
depends if CONFIG_DVB_DYNAMIC_MINORS is set or not. When not set,
dvb_register_device() won’t check for boundaries, as it will rely that a
previous call to dvb_register_adapter() would already be enforcing it.
On a similar way, dvb_device_open() uses the assumption that the
register functions already did the needed checks. This can be fragile if
some device ends up using different calls. This also generates warnings on
static check analysers like Coverity. So, add explicit guards to prevent
potential risk of OOM issues. (CVE-2024-53063)
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out of bounds reads when finding clock sources The
current USB-audio driver code doesn’t check bLength of each descriptor
at traversing for clock descriptors. That is, when a device provides a
bogus descriptor with a shorter bLength, the driver might hit
out-of-bounds reads. For addressing it, this patch adds sanity checks to
the validator functions for the clock descriptor traversal. When the
descriptor length is shorter than expected, it’s skipped in the loop.
For the clock source and clock multiplier descriptors, we can just check
bLength against the sizeof() of each descriptor type. OTOH, the clock
selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements
and two more fields at its tail, hence those have to be checked in
addition to the sizeof() check. (CVE-2024-53150)
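The length checks described for CVE-2024-53150, as an added example that is not part of the advisory or of the kernel patch. The function names, the constants and the simplified UAC2-style layout (a 5-byte selector header, bNrInPins one-byte pins, then two one-byte fields) are assumptions made for illustration:

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed UAC2-style values and sizes, simplified for illustration. */
#define DT_CS_INTERFACE   0x24
#define ST_CLOCK_SOURCE   0x0a
#define ST_CLOCK_SELECTOR 0x0b
#define CLOCK_SOURCE_LEN  8 /* fixed-size descriptor */
#define SELECTOR_HDR_LEN  5 /* bLength .. bNrInPins, before the pin array */
#define SELECTOR_TAIL_LEN 2 /* two one-byte fields after the pin array */

/* Nonzero if bLength (d[0], already >= 4 and inside the buffer) covers
 * every field that a descriptor of this subtype will be read as. */
static int clock_desc_len_ok(const uint8_t *d)
{
    switch (d[2]) {
    case ST_CLOCK_SOURCE:
        return d[0] >= CLOCK_SOURCE_LEN;
    case ST_CLOCK_SELECTOR:
        if (d[0] < SELECTOR_HDR_LEN) /* bNrInPins itself must be present */
            return 0;
        return d[0] >= SELECTOR_HDR_LEN + d[4] + SELECTOR_TAIL_LEN;
    default:
        return 0;
    }
}

/* Offset of the matching clock descriptor, or -1; short ones are skipped. */
long find_clock_desc(const uint8_t *buf, size_t size, uint8_t subtype, uint8_t id)
{
    size_t off = 0;
    while (size - off >= 2) {
        uint8_t len = buf[off];
        if (len < 2 || len > size - off) /* would stall or leave the buffer */
            return -1;
        if (len >= 4 && buf[off + 1] == DT_CS_INTERFACE &&
            buf[off + 2] == subtype && buf[off + 3] == id &&
            clock_desc_len_ok(buf + off))
            return (long)off;
        off += len;
    }
    return -1;
}

/* Constructed sample: valid selector (ID 0x11, 2 pins), then a clock source. */
static const uint8_t good_desc[] = {
    9, 0x24, 0x0b, 0x11, 2, 0x12, 0x13, 0x00, 0x00,
    8, 0x24, 0x0a, 0x12, 0x01, 0x00, 0x00, 0x00,
};
/* Constructed sample: selector claims 4 pins in a bLength of only 6. */
static const uint8_t bogus_desc[] = {
    6, 0x24, 0x0b, 0x11, 4, 0x12,
    8, 0x24, 0x0a, 0x12, 0x01, 0x00, 0x00, 0x00,
};
int main(void)
{
    return !(find_clock_desc(good_desc, sizeof(good_desc), ST_CLOCK_SELECTOR, 0x11) == 0 &&
             find_clock_desc(bogus_desc, sizeof(bogus_desc), ST_CLOCK_SELECTOR, 0x11) == -1);
}
```

The bogus selector is passed over rather than read past its end, and the walk still reaches the valid clock source that follows it.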
In the Linux kernel, the following vulnerability has been resolved:
sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket BUG: KASAN:
slab-use-after-free in tcp_write_timer_handler+0x156/0x3e0
(CVE-2024-53168)
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox
devices A bogus device can provide a bNumConfigurations value that
exceeds the initial value used in usb_get_configuration for allocating
dev->config. This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration. (CVE-2024-53197)
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: fix usage slab after free [ +0.000021] BUG: KASAN:
slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 (CVE-2024-56551)
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: Fix oops due to NULL pointer dereference in
brcmf_sdiod_sglist_rw() This patch fixes a NULL pointer dereference bug
in brcmfmac that occurs when a high ‘sd_sgentry_align’ value applies
(e.g. 512) and a lot of queued SKBs are sent from the pkt queue. The
problem is the number of entries in the pre-allocated sgtable, it is
nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >>
4 + 1. Given the default [rt]xglom_size=32 it’s actually 35 which is too
small. Worst case, the pkt queue can end up with 64 SKBs. This occurs
when a new SKB is added for each original SKB if tailroom isn’t enough
to hold tail_pad. At least one sg entry is needed for each SKB. So,
eventually the “skb_queue_walk loop” in brcmf_sdiod_sglist_rw may run
out of sg entries. This makes sg_next return NULL and this causes the
oops. The patch sets nents to max(rxglom_size, txglom_size) * 2 to be
able to handle the worst-case. Btw. this requires only 64-35=29 * 16 (or
20 if CONFIG_NEED_SG_DMA_LENGTH) = 464 additional bytes of memory.
(CVE-2024-56593)
In the Linux kernel, the following vulnerability has been resolved: jfs:
add a check to prevent array-index-out-of-bounds in dbAdjTree When the
value of lp is 0 at the beginning of the for loop, it will become
negative in the next assignment and we should bail out. (CVE-2024-56595)
In the Linux kernel, the following vulnerability has been resolved: jfs:
array-index-out-of-bounds fix in dtReadFirst The value of stbl can be
sometimes out of bounds due to a bad filesystem. Added a check with
appropriate return of error code in that case. (CVE-2024-56598)
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: btmtk: avoid UAF in btmtk_process_coredump hci_devcd_append
may lead to the release of the skb, so it cannot be accessed once it is
called. (CVE-2024-56653)
In the Linux kernel, the following vulnerability has been resolved:
drm/dp_mst: Ensure mst_primary pointer is valid in
drm_dp_mst_handle_up_req() While receiving an MST up request message
from one thread in drm_dp_mst_handle_up_req(), the MST topology could be
removed from another thread via drm_dp_mst_topology_mgr_set_mst(false),
freeing mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to
NULL. This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req(). Avoid the above by holding a reference for
mst_primary in drm_dp_mst_handle_up_req() while it’s used. v2: Fix
kfreeing the request if getting an mst_primary reference fails.
(CVE-2024-57798)
Update instructions
The problem can be corrected by updating your kernel livepatch to the
following versions:
Ubuntu 20.04 LTS
aws - 112.1
aws - 112.2
azure - 112.1
azure - 112.2
gcp - 112.1
gcp - 112.2
generic - 112.1
generic - 112.2
gkeop - 112.1
ibm - 112.1
lowlatency - 112.1
lowlatency - 112.2
oracle - 112.1
Ubuntu 18.04 LTS
aws - 112.1
azure - 112.1
gcp - 112.1
generic - 112.1
lowlatency - 112.1
oracle - 112.1
Ubuntu 16.04 LTS
aws - 112.1
azure - 112.1
gcp - 112.1
generic - 112.1
lowlatency - 112.1
Ubuntu 22.04 LTS
aws - 112.1
aws - 112.2
azure - 112.1
azure - 112.2
gcp - 112.1
generic - 112.1
gke - 112.1
ibm - 112.1
oracle - 112.1
Support Information
Livepatches for supported LTS kernels will receive upgrades for a period
of up to 13 months after the build date of the kernel.
Livepatches for supported HWE kernels which are not based on an LTS
kernel version will receive upgrades for a period of up to 9 months
after the build date of the kernel, or until the end of support for that
kernel’s non-LTS distro release version, whichever is sooner.
References
- CVE-2021-47506
- CVE-2022-0995
- CVE-2023-52664
- CVE-2024-26689
- CVE-2024-35864
- CVE-2024-50302
- CVE-2024-53063
- CVE-2024-53150
- CVE-2024-53168
- CVE-2024-53197
- CVE-2024-56551
- CVE-2024-56593
- CVE-2024-56595
- CVE-2024-56598
- CVE-2024-56653
- CVE-2024-57798
[USN-7548-1] MariaDB vulnerabilities
=========================================================================
Ubuntu Security Notice USN-7548-1
June 02, 2025
mariadb vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
Summary:
Several security issues were fixed in MariaDB.
Software Description:
- mariadb: MariaDB database
Details:
Several security issues were discovered in MariaDB and this update
includes a new upstream MariaDB version to fix these issues.
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
mariadb-server 1:11.4.7-0ubuntu0.25.04.1
Ubuntu 24.04 LTS
mariadb-server 1:10.11.13-0ubuntu0.24.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart MariaDB to
make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7548-1
CVE-2023-52969, CVE-2023-52970, CVE-2023-52971, CVE-2025-30693,
CVE-2025-30722
Package Information:
https://launchpad.net/ubuntu/+source/mariadb/1:11.4.7-0ubuntu0.25.04.1
https://launchpad.net/ubuntu/+source/mariadb/1:10.11.13-0ubuntu0.24.04.1
[USN-7508-2] Open VM Tools vulnerability
=========================================================================
Ubuntu Security Notice USN-7508-2
June 03, 2025
open-vm-tools vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Open VM Tools could be made to overwrite files as the administrator.
Software Description:
- open-vm-tools: Open VMware Tools for virtual machines hosted on VMware
Details:
USN-7508-1 fixed a vulnerability in Open VM Tools. This update provides
the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
It was discovered that Open VM Tools incorrectly handled certain
file operations. An attacker in a guest could use this issue to
perform insecure file operations and possibly elevate privileges
in the guest.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
open-vm-tools 2:11.0.5-4ubuntu0.18.04.3+esm4
Available with Ubuntu Pro
Ubuntu 16.04 LTS
open-vm-tools 2:10.2.0-3~ubuntu0.16.04.1+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7508-2
https://ubuntu.com/security/notices/USN-7508-1
CVE-2025-22247
[USN-7550-1] Linux kernel vulnerabilities
==========================================================================
Ubuntu Security Notice USN-7550-1
June 03, 2025
linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop,
linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency,
linux-nvidia-tegra, linux-oracle vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in the Linux kernel.
Software Description:
- linux: Linux kernel
- linux-aws: Linux kernel for Amazon Web Services (AWS) systems
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke: Linux kernel for Google Container Engine (GKE) systems
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems
- linux-ibm: Linux kernel for IBM cloud systems
- linux-intel-iotg: Linux kernel for Intel IoT platforms
- linux-kvm: Linux kernel for cloud environments
- linux-lowlatency: Linux low latency kernel
- linux-nvidia-tegra: Linux kernel for NVIDIA Tegra systems
- linux-oracle: Linux kernel for Oracle Cloud systems
Details:
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- Sun RPC protocol;
(CVE-2024-56608, CVE-2024-56551, CVE-2024-53168)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS
linux-image-5.15.0-1038-nvidia-tegra 5.15.0-1038.38
linux-image-5.15.0-1038-nvidia-tegra-rt 5.15.0-1038.38
linux-image-5.15.0-1067-gkeop 5.15.0-1067.75
linux-image-5.15.0-1077-ibm 5.15.0-1077.80
linux-image-5.15.0-1080-intel-iotg 5.15.0-1080.86
linux-image-5.15.0-1081-kvm 5.15.0-1081.86
linux-image-5.15.0-1082-gke 5.15.0-1082.88
linux-image-5.15.0-1082-oracle 5.15.0-1082.88
linux-image-5.15.0-1084-gcp 5.15.0-1084.93
linux-image-5.15.0-1085-aws 5.15.0-1085.92
linux-image-5.15.0-1090-azure 5.15.0-1090.99
linux-image-5.15.0-141-generic 5.15.0-141.151
linux-image-5.15.0-141-generic-64k 5.15.0-141.151
linux-image-5.15.0-141-generic-lpae 5.15.0-141.151
linux-image-5.15.0-141-lowlatency 5.15.0-141.151
linux-image-5.15.0-141-lowlatency-64k 5.15.0-141.151
linux-image-aws-lts-22.04 5.15.0.1085.87
linux-image-azure-lts-22.04 5.15.0.1090.88
linux-image-gcp-lts-22.04 5.15.0.1084.80
linux-image-generic 5.15.0.141.136
linux-image-generic-64k 5.15.0.141.136
linux-image-generic-lpae 5.15.0.141.136
linux-image-gke 5.15.0.1082.81
linux-image-gke-5.15 5.15.0.1082.81
linux-image-gkeop 5.15.0.1067.66
linux-image-gkeop-5.15 5.15.0.1067.66
linux-image-ibm 5.15.0.1077.73
linux-image-intel-iotg 5.15.0.1080.80
linux-image-kvm 5.15.0.1081.77
linux-image-lowlatency 5.15.0.141.127
linux-image-lowlatency-64k 5.15.0.141.127
linux-image-nvidia-tegra 5.15.0.1038.38
linux-image-nvidia-tegra-rt 5.15.0.1038.38
linux-image-oracle-lts-22.04 5.15.0.1082.78
linux-image-virtual 5.15.0.141.136
After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
References:
https://ubuntu.com/security/notices/USN-7550-1
CVE-2024-53168, CVE-2024-56551, CVE-2024-56608
Package Information:
https://launchpad.net/ubuntu/+source/linux/5.15.0-141.151
https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1085.92
https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1090.99
https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1084.93
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1082.88
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1067.75
https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1077.80
https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1080.86
https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1081.86
https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-141.151
https://launchpad.net/ubuntu/+source/linux-nvidia-tegra/5.15.0-1038.38
https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1082.88
[USN-7551-1] libvpx vulnerability
==========================================================================
Ubuntu Security Notice USN-7551-1
June 03, 2025
libvpx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
libvpx could be made to crash if it received specially crafted
input.
Software Description:
- libvpx: VP8 and VP9 video codec
Details:
It was discovered that libvpx did not properly manage memory. An attacker
could possibly use this issue to cause applications using libvpx to
crash, resulting in a denial of service, or possibly execute arbitrary
code.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
libvpx9 1.15.0-2ubuntu0.1
Ubuntu 24.10
libvpx9 1.14.1-1ubuntu1.1
Ubuntu 24.04 LTS
libvpx9 1.14.0-1ubuntu2.2
Ubuntu 22.04 LTS
libvpx7 1.11.0-2ubuntu2.4
Ubuntu 20.04 LTS
libvpx6 1.8.2-1ubuntu0.4
Ubuntu 18.04 LTS
libvpx5 1.7.0-3ubuntu0.18.04.1+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
libvpx3 1.5.0-2ubuntu1.1+esm4
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7551-1
CVE-2025-5283
Package Information:
https://launchpad.net/ubuntu/+source/libvpx/1.15.0-2ubuntu0.1
https://launchpad.net/ubuntu/+source/libvpx/1.14.1-1ubuntu1.1
https://launchpad.net/ubuntu/+source/libvpx/1.14.0-1ubuntu2.2
https://launchpad.net/ubuntu/+source/libvpx/1.11.0-2ubuntu2.4
https://launchpad.net/ubuntu/+source/libvpx/1.8.2-1ubuntu0.4