Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2025:02851-1
Release Date:	2025-08-18T15:57:50Z
Rating:	important
References:	bsc#1206051 bsc#1221829 bsc#1229334 bsc#1234863 bsc#1236104 bsc#1236333 bsc#1238160 bsc#1239644 bsc#1240185 bsc#1240799 bsc#1242414 bsc#1242780 bsc#1244309 bsc#1245217 bsc#1245431 bsc#1245506 bsc#1245711 bsc#1245986 bsc#1246000 bsc#1246029 bsc#1246037 bsc#1246045 bsc#1246073 bsc#1246186 bsc#1246781 bsc#1247314 bsc#1247347 bsc#1247348 bsc#1247349 bsc#1247437
Cross-References:	CVE-2022-49138 CVE-2022-49770 CVE-2023-52923 CVE-2023-52927 CVE-2023-53117 CVE-2024-26643 CVE-2024-42265 CVE-2024-53164 CVE-2024-57947 CVE-2025-21881 CVE-2025-21971 CVE-2025-37798 CVE-2025-38079 CVE-2025-38088 CVE-2025-38120 CVE-2025-38177 CVE-2025-38181 CVE-2025-38200 CVE-2025-38206 CVE-2025-38212 CVE-2025-38213 CVE-2025-38257 CVE-2025-38350 CVE-2025-38468 CVE-2025-38477 CVE-2025-38494 CVE-2025-38495 CVE-2025-38497
CVSS scores:	CVE-2022-49138 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2022-49138 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2022-49770 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-52923 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2023-52923 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-52927 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2023-52927 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-52927 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-53117 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2023-53117 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-26643 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-26643 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-42265 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2024-53164 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-53164 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-57947 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-57947 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21881 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21971 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21971 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-37798 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38079 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38079 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38088 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38088 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38120 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2025-38120 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-38177 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38177 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38181 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-38181 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2025-38200 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38200 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2025-38206 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38206 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38212 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38212 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38213 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38213 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-38257 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38257 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38350 ( SUSE ): 7.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38350 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H CVE-2025-38468 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-38468 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-38477 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38477 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38494 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38494 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38495 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-38495 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-38497 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-38497 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Affected Products:	SUSE Linux Enterprise Micro 5.3 SUSE Linux Enterprise Micro 5.4 SUSE Linux Enterprise Micro for Rancher 5.3 SUSE Linux Enterprise Micro for Rancher 5.4

An update that solves 28 vulnerabilities and has two security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP4 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

CVE-2022-49138: Bluetooth: hci_event: Fix checking conn for le_conn_complete_evt (bsc#1238160).
CVE-2023-52923: netfilter: nf_tables: split async and sync catchall in two functions (bsc#1236104).
CVE-2023-52927: netfilter: allow exp not to be removed in nf_ct_find_expectation (bsc#1239644).
CVE-2023-53117: fs: prevent out-of-bounds array speculation when closing a file descriptor (bsc#1242780).
CVE-2024-26643: Fixed mark set as dead when unbinding anonymous set with timeout (bsc#1221829).
CVE-2024-42265: protect the fetch of ->fd[fd] in do_dup2() from mispredictions (bsc#1229334).
CVE-2024-53164: net: sched: fix ordering of qlen adjustment (bsc#1234863).
CVE-2025-21881: uprobes: Reject the shared zeropage in uprobe_write_opcode() (bsc#1240185).
CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1240799).
CVE-2025-38079: crypto: algif_hash - fix double free in hash_accept (bsc#1245217).
CVE-2025-38181: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr() (bsc#1246000).
CVE-2025-38200: i40e: fix MMIO write access to an invalid page in i40e_clear_hw (bsc#1246045).
CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246073).
CVE-2025-38212: ipc: fix to protect IPCS lookups using RCU (bsc#1246029).
CVE-2025-38213: vgacon: Add check for vc_origin address range in vgacon_scroll() (bsc#1246037).
CVE-2025-38257: s390/pkey: Prevent overflow in size calculation for memdup_user() (bsc#1246186).
CVE-2025-38350: net/sched: Always pass notifications when child class becomes empty (bsc#1246781).
CVE-2025-38468: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (bsc#1247437).
CVE-2025-38477: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class (bsc#1247314).
CVE-2025-38494: HID: core: do not bypass hid_hw_raw_request (bsc#1247349).
CVE-2025-38495: HID: core: ensure the allocated report buffer can contain the reserved report ID (bsc#1247348).
CVE-2025-38497: usb: gadget: configfs: Fix OOB read on empty string write (bsc#1247347).

The following non-security bugs were fixed:

Revert "hugetlb: unshare some PMDs when splitting VMAs (bsc#1245431)."
Revert "mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race"
Revert "mm/hugetlb: unshare page tables during VMA split, not before"

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-2851=1
SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2025-2851=1
SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-2851=1
SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2025-2851=1

Package List:

SUSE Linux Enterprise Micro for Rancher 5.3 (nosrc x86_64)
- kernel-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro for Rancher 5.3 (x86_64)
- kernel-rt-debugsource-5.14.21-150400.15.127.1
- kernel-rt-debuginfo-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro for Rancher 5.3 (noarch)
- kernel-source-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.3 (nosrc x86_64)
- kernel-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.3 (x86_64)
- kernel-rt-debugsource-5.14.21-150400.15.127.1
- kernel-rt-debuginfo-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.3 (noarch)
- kernel-source-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro for Rancher 5.4 (nosrc x86_64)
- kernel-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro for Rancher 5.4 (x86_64)
- kernel-rt-debugsource-5.14.21-150400.15.127.1
- kernel-rt-debuginfo-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro for Rancher 5.4 (noarch)
- kernel-source-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.4 (nosrc x86_64)
- kernel-rt-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.4 (x86_64)
- kernel-rt-debugsource-5.14.21-150400.15.127.1
- kernel-rt-debuginfo-5.14.21-150400.15.127.1
SUSE Linux Enterprise Micro 5.4 (noarch)
- kernel-source-rt-5.14.21-150400.15.127.1

Security update for the Linux Kernel

Description:

Special Instructions and Notes:

Patch Instructions:

Package List:

References: