LSN-0116-1
Vulnerability Summary
Description
Kernel Live Patch Security Notice

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: eliminate double free in error handling logic

Driver has a logic leak in ring data allocation/free, where aq_ring_free could be called multiple times on same ring, if system is under stress and got memory allocation error.

In the Linux kernel, the following vulnerability has been resolved: sctp: properly validate chunk size in sctp_sf_ootb()

A size validation fix similar to that in Commit 50619dbf8db7 ('sctp: add size validation when walking chunks') is also required in sctp_sf_ootb() to address a crash reported by syzbot:

    BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
     sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
     sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
     sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
     sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
     sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
     sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
     ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
     ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233

(CVE-2024-50299).

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources

The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors.

In the Linux kernel, the following vulnerability has been resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`.

In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update()

@ses is initialized to NULL.

In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder

A bug was found when run ltp test:

    BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
    Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
    CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
    Workqueue: pdecrypt_parallel padata_parallel_worker
    Call Trace:
    <TASK>
    dump_stack_lvl+0x32/0x50
    print_address_description.constprop.0+0x6b/0x3d0
    print_report+0xdd/0x2c0
    kasan_report+0xa5/0xd0
    padata_find_next+0x29/0x1a0
    padata_reorder+0x131/0x220
    padata_parallel_worker+0x3d/0xc0
    process_one_work+0x2ec/0x5a0

If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01).

In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand().
Affected Systems
- ubuntu•linux
all | < 4.4.0-276.310 | < 4.15.0-245.257 | < 5.4.0-223.243 | < 5.15.0-156.166 | < 6.8.0-87.88
- ubuntu•linux-aws
all | < 4.4.0-1188.203 | < 4.15.0-1187.200 | < 5.4.0-1152.162 | < 5.15.0-1092.99 | < 6.8.0-1042.44
- ubuntu•linux-aws-5.15
all | < 5.15.0-1092.99~20.04.1
- ubuntu•linux-aws-hwe
all | < 4.15.0-1187.200~16.04.1
- ubuntu•linux-azure
all | < 5.15.0-1096.105 | < 6.8.0-1044.50
- ubuntu•linux-azure-5.15
all | < 5.15.0-1096.105~20.04.1
- ubuntu•linux-gcp
all | < 4.15.0-1180.197~16.04.1 | < 5.15.0-1092.101 | < 6.8.0-1043.46
- ubuntu•linux-gcp-4.15
all | < 4.15.0-1180.197
- ubuntu•linux-gcp-5.15
all | < 5.15.0-1092.101~20.04.1
- ubuntu•linux-gke
all | < 5.15.0-1089.95
- ubuntu•linux-hwe
all | < 4.15.0-245.257~16.04.1
- ubuntu•linux-hwe-5.15
all | < 5.15.0-156.166~20.04.1
- ubuntu•linux-hwe-5.4
all | < 5.4.0-223.243~18.04.1
- ubuntu•linux-ibm
all | < 5.15.0-1086.89 | < 6.8.0-1040.40
- ubuntu•linux-ibm-5.15
all | < 5.15.0-1086.89~20.04.1
- ubuntu•linux-lowlatency-hwe-5.15
all | < 5.15.0-156.166~20.04.1
- ubuntu•linux-lts-xenial
all | < 4.4.0-276.310~14.04.1
- ubuntu•linux-oracle
all | < 4.15.0-1149.160 | < 5.15.0-1090.96 | < 6.8.0-1039.40
- ubuntu•linux-oracle-5.15
all | < 5.15.0-1090.96~20.04.1
References (8)
- https://ubuntu.com/security/notices/LSN-0116-1
- https://ubuntu.com/security/CVE-2023-52664
- https://ubuntu.com/security/CVE-2024-50299
- https://ubuntu.com/security/CVE-2024-53150
- https://ubuntu.com/security/CVE-2024-53171
- https://ubuntu.com/security/CVE-2024-53217
- https://ubuntu.com/security/CVE-2025-21727
- https://ubuntu.com/security/CVE-2025-38352