Synopsis: ELSA-2025-20480 can now be patched using Ksplice CVEs: CVE-2018-3646 CVE-2025-23155 CVE-2025-37953 CVE-2025-37954 CVE-2025-37961 CVE-2025-37992 CVE-2025-38000 CVE-2025-38001 CVE-2025-38018 CVE-2025-38020 CVE-2025-38022 CVE-2025-38035 CVE-2025-38051 CVE-2025-38058 CVE-2025-38068 CVE-2025-38073 CVE-2025-38075 CVE-2025-38079 CVE-2025-38083 CVE-2025-38084 CVE-2025-38085 CVE-2025-38086 CVE-2025-38087 CVE-2025-38089 CVE-2025-38097 CVE-2025-38107 CVE-2025-38108 CVE-2025-38109 CVE-2025-38110 CVE-2025-38111 CVE-2025-38112 CVE-2025-38115 CVE-2025-38120 CVE-2025-38124 CVE-2025-38146 CVE-2025-38147 CVE-2025-38154 CVE-2025-38184 CVE-2025-38190 CVE-2025-38193 CVE-2025-38194 CVE-2025-38197 CVE-2025-38208 CVE-2025-38211 CVE-2025-38212 CVE-2025-38220 CVE-2025-38222 CVE-2025-38231 CVE-2025-38236 CVE-2025-38245 CVE-2025-38251 CVE-2025-38263 CVE-2025-38264 CVE-2025-38305 CVE-2025-38310 CVE-2025-38328 CVE-2025-38332 CVE-2025-38334 CVE-2025-38342 CVE-2025-38350 CVE-2025-38352 CVE-2025-38364 CVE-2025-38417 CVE-2025-38430 CVE-2025-38498
Users with Oracle Linux Premier Support can now use Ksplice to patch against the latest Oracle Linux Security Advisory, ELSA-2025-20480. More information about this errata can be found at https://linux.oracle.com/errata/ELSA-2025-20480.html INSTALLING THE UPDATES We recommend that all users of Ksplice Uptrack running UEKR8 6.12.0 on OL9 and OL10 install these updates. On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action. Alternatively, you can install these updates by running: # /usr/sbin/uptrack-upgrade -y DESCRIPTION * CVE-2025-23155: Out-of-bounds memory access in STMicroelectronics Multi-Gigabit Ethernet driver. * CVE-2025-37953: Null pointer dereference in Hierarchical Token Bucket (HTB) driver. * CVE-2025-37954: Memory leak in SMB/CIFS client driver. * CVE-2025-37961: Use of uninitialized memory in IP virtual server driver. * CVE-2025-37992: Null pointer dereference in Fair Queue driver. * CVE-2025-38000: Use-after-free in Hierarchical Fair Service Curve (HFSC) driver. * CVE-2025-38001: Use-after-free in HFSC network scheduler. * CVE-2025-38018: Null pointer dereference in Transport Layer Security driver. * CVE-2025-38020: Null pointer dereference in Mellanox 5th generation network adapters (ConnectX series) Ethernet driver. * CVE-2025-38022: Use-after-free in InfiniBand driver. * CVE-2025-38035: Null pointer dereference in NVMe Target subsystem. * CVE-2025-38051: Use-after-free in SMB/CIFS client driver. * CVE-2025-38058: Reference count leak in namespace management code. * CVE-2025-38068: Out-of-bounds memory access in LZO compression algorithm driver. * CVE-2025-38073: Kernel crash in Zoned block device driver. * CVE-2025-38075: Null pointer dereference in iSCSI Target Mode Stack driver. * CVE-2025-38079: Use-after-free in hash algorithms interface layer. * CVE-2025-38083, CVE-2025-38108: Integer underflow in multiple network schedulers. * CVE-2025-38084, CVE-2025-38085: Race condition in Transparent Hugepage driver. * CVE-2025-38086: Use of uninitialized memory in QingHeng CH9200 USB ethernet driver. * CVE-2025-38087: Use-after-free in Time Aware Priority (taprio) Scheduler driver. * CVE-2025-38089: Kernel crash in SUNRPC subsystem. Orabug: 38178286 * CVE-2025-38097: Reference count leak in XFRM. * CVE-2025-38107: Integer overflow in Enhanced transmission selection scheduler (ETS). * CVE-2025-38109: Use-after-free in Mellanox Technologies MLX5 SRIOV E-Switch driver. * CVE-2025-38110: Out-of-bounds memory access in MDIO Bus interface. * CVE-2025-38111: Out-of-bounds memory usage in MDIO bus driver. * CVE-2025-38112: Null pointer dereference in TCP/IP networking driver. * CVE-2025-38115: Null-pointer dereference in Stochastic Fairness Queueing (SFQ) network scheduler. * CVE-2025-38120: Memory disclosure in Netfilter driver. * CVE-2025-38124: Kernel oops in TCP/IP networking driver. * CVE-2025-38146: Soft lockup in Open vSwitch driver. * CVE-2025-38147: Null-pointer dereference in NetLabel subsystem. * CVE-2025-38154: Kernel panic in Networking driver. * CVE-2025-38184: Null-pointer dereference in TIPC IP/UDP driver. * CVE-2025-38190: Memory leak in ATM networking stack. * CVE-2025-38193: Integer overflow in Stochastic Fairness Queueing (SFQ) driver. * CVE-2025-38194, CVE-2025-38328: Logic error in Journalling Flash File System v2 (JFFS2) driver. * CVE-2025-38197: Null pointer dereference in BIOS update driver for DELL systems. * CVE-2025-38208: Null pointer dereference in SMB/CIFS client driver. * CVE-2025-38211: Use-after-free in InfiniBand driver. * CVE-2025-38212: Use-after-free in System V IPC driver. * CVE-2025-38220: Null pointer dereference in ext4 filesystem driver. * CVE-2025-38222: Integer overflow in ext4 filesystem. * CVE-2025-38231: Null pointer dereference in NFS server driver. * CVE-2025-38236: Out-of-bounds memory access in Unix domain sockets driver. * CVE-2025-38245: Race condition in ATM networking stack. * CVE-2025-38251: Kernel crash in Classical IP over ATM driver. * CVE-2025-38263: Null pointer dereference in Block device as cache driver. * CVE-2025-38264: Kernel crash in NVM Express over Fabrics TCP driver. * CVE-2025-38305: Deadlock in Precision Time Protocol (PTP) driver. * CVE-2025-38310: Out-of-bounds memory access in IPv6 Segment Routing Header encapsulation driver. * CVE-2025-38332: Kernel panic in Emulex LightPulse Fibre Channel driver. * CVE-2025-38334: Kernel panic in Software Guard eXtensions (SGX) driver. * CVE-2025-38342: Out-of-bounds memory access in software node component. * CVE-2025-38350: Use-after-free in Packet Scheduler subsystem. Orabug: 38217337 * CVE-2025-38352: Missing check in POSIX clock/timer driver. * CVE-2025-38364: Null pointer dereference in Maple Tree implementation. * CVE-2025-38417: Memory leak in Switchdev driver. * CVE-2025-38430: Remote kernel crash in NFSv4 server driver. * CVE-2025-38498: Logic error in core filesystem layer. * Improved fix for CVE-2018-3646: L1 Terminal Fault Reloaded. * Information leak on x86 CPUs (VMScape). Orabug: 38343659 * Note: Oracle has determined some CVEs are not applicable. The kernel is not affected by the following CVEs since the code under consideration is not compiled. CVE-2025-22102, CVE-2025-22123, CVE-2025-37947, CVE-2025-37951, CVE-2025-37952, CVE-2025-37956, CVE-2025-37962, CVE-2025-37969, CVE-2025-37970, CVE-2025-37971, CVE-2025-37972, CVE-2025-37999, CVE-2025-38005, CVE-2025-38016, CVE-2025-38019, CVE-2025-38027, CVE-2025-38033, CVE-2025-38043, CVE-2025-38054, CVE-2025-38065, CVE-2025-38069, CVE-2025-38082, CVE-2025-38092 SUPPORT Ksplice support is available at [email protected]. _______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
