LSN-0117-1

Description

Kernel Live Patch Security Notice In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. In the Linux kernel, the following vulnerability has been resolved: macsec: fix UAF bug for real_dev Create a new macsec device but not get reference to real_dev. In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix overflow in oa batch buffer By default xe_bb_create_job() appends a MI_BATCH_BUFFER_END to batch buffer, this is not a problem if batch buffer is only used once but oa reuses the batch buffer for the same metric and at each call it appends a MI_BATCH_BUFFER_END, printing the warning below and then overflowing. In the Linux kernel, the following vulnerability has been resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses is initialized to NULL. In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out- Of-Bound class in ets_class_from_arg() when passed clid of 0. In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. In the Linux kernel, the following vulnerability has been resolved: exfat: fix random stack corruption after get_block When get_block is called with a buffer_head allocated on the stack, such as do_mpage_readpage, stack corruption due to buffer_head UAF may occur in the following race condition situation.

Affected Systems

• ubuntu•linux

  < 4.15.0-245.257 | all | < 6.8.0-56.58 | < 4.15.0-247.259 | < 5.4.0-224.244 | < 5.15.0-164.174 | < 6.8.0-86.87

• ubuntu•linux-aws

  < 4.15.0-1187.200 | all | < 6.8.0-1025.27 | < 4.15.0-1189.202 | < 5.4.0-1153.163 | < 5.15.0-1098.105 | < 6.8.0-1041.43

• ubuntu•linux-aws-5.15

  all | < 5.15.0-1098.105~20.04.1

• ubuntu•linux-azure

  all | < 6.8.0-1025.30 | < 5.15.0-1102.111 | < 6.8.0-1041.47

• ubuntu•linux-azure-4.15

  < 4.15.0-1195.210 | all | < 4.15.0-1197.212

• ubuntu•linux-azure-5.15

  all | < 5.15.0-1102.111~20.04.1

• ubuntu•linux-gcp

  all | < 6.8.0-1026.28 | < 5.15.0-1098.107 | < 6.8.0-1042.45

• ubuntu•linux-gcp-4.15

  < 4.15.0-1180.197 | all | < 4.15.0-1182.199

• ubuntu•linux-gcp-5.15

  all | < 5.15.0-1098.107~20.04.1

• ubuntu•linux-hwe-5.15

  all | < 5.15.0-164.174~20.04.1

• ubuntu•linux-hwe-5.4

  all | < 5.4.0-224.244~18.04.1

• ubuntu•linux-ibm

  < 6.8.0-1022.22 | < 6.8.0-1039.39

• ubuntu•linux-ibm-5.15

  all | < 5.15.0-1092.95~20.04.1

• ubuntu•linux-lowlatency-hwe-5.15

  all | < 5.15.0-164.174~20.04.1

• ubuntu•linux-oracle

  < 4.15.0-1149.160 | all | < 6.8.0-1022.23 | < 4.15.0-1151.162 | < 5.15.0-1095.101 | < 6.8.0-1038.39

• ubuntu•linux-oracle-5.15

  all | < 5.15.0-1095.101~20.04.1

References (12)

• https://ubuntu.com/security/notices/LSN-0117-1
• https://ubuntu.com/security/CVE-2022-49026
• https://ubuntu.com/security/CVE-2022-49390
• https://ubuntu.com/security/CVE-2024-46827
• https://ubuntu.com/security/CVE-2024-50090
• https://ubuntu.com/security/CVE-2024-53217
• https://ubuntu.com/security/CVE-2024-58083
• https://ubuntu.com/security/CVE-2025-21647
• https://ubuntu.com/security/CVE-2025-21692
• https://ubuntu.com/security/CVE-2025-21704
• https://ubuntu.com/security/CVE-2025-21715
• https://ubuntu.com/security/CVE-2025-22036