kernel-4.18.0-553.92.1.el8_10

Errata ID: AXSA:2026-065:02

Release date: 
Thursday, January 22, 2026 - 09:59
Subject: 
kernel-4.18.0-553.92.1.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: media: rc: fix races with imon_disconnect() (CVE-2025-39993)
* kernel: sctp: avoid NULL dereference when chunk data buffer is missing (CVE-2025-40240)
* kernel: libceph: fix potential use-after-free in have_mon_and_osd_map() (CVE-2025-68285)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-39993
In the Linux kernel, the following vulnerability has been resolved:

media: rc: fix races with imon_disconnect()

Syzbot reports a KASAN issue as below:

    BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
    BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
    Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465

    CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:317 [inline]
     print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
     kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
     __create_pipe include/linux/usb.h:1945 [inline]
     send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
     vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
     vfs_write+0x2d7/0xdd0 fs/read_write.c:576
     ksys_write+0x127/0x250 fs/read_write.c:631
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd

The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.

Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.

As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.

    Thread 1 vfd_write                 Thread 2 imon_disconnect
                                       ...
                                       if
                                         usb_put_dev(ictx->usbdev_intf0)
                                       else
                                         usb_put_dev(ictx->usbdev_intf1)
    ...
    while
      send_packet
        if
          pipe = usb_sndintpipe(
            ictx->usbdev_intf0) UAF
        else
          pipe = usb_sndctrlpipe(
            ictx->usbdev_intf0, 0) UAF

Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.

Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.

Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
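
The guard described above for CVE-2025-39993, as a user-space C model added here for illustration (it is not code from this advisory or from the iMON driver). The `_model` names, the pthread mutex standing in for ictx->lock, and the constructed device number are assumptions.

```c
/* User-space model; *_model names are assumptions, not iMON driver source. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
struct usb_device_model { int devnum; };
struct imon_context_model {
    pthread_mutex_t lock;                  /* plays the role of ictx->lock */
    bool disconnected;                     /* set and read only under lock */
    struct usb_device_model *usbdev_intf0;
};

/* Writer path: test the flag under the lock before touching the device. */
static int vfd_write_model(struct imon_context_model *ictx)
{
    pthread_mutex_lock(&ictx->lock);
    /* After disconnect the result is -ENODEV and the device is not read. */
    int ret = ictx->disconnected ? -ENODEV : ictx->usbdev_intf0->devnum;
    pthread_mutex_unlock(&ictx->lock);
    return ret;
}

/* Disconnect path: set the flag under the same lock, then drop the device. */
static void imon_disconnect_model(struct imon_context_model *ictx)
{
    pthread_mutex_lock(&ictx->lock);       /* waits for a writer in progress */
    ictx->disconnected = true;
    pthread_mutex_unlock(&ictx->lock);
    free(ictx->usbdev_intf0);              /* stands in for usb_put_dev() */
    ictx->usbdev_intf0 = NULL;
}

/* Constructed scenario: one write before disconnect, one after. */
static int write_after_disconnect_model(int devnum, int *before)
{
    struct imon_context_model ictx = { .disconnected = false };
    pthread_mutex_init(&ictx.lock, NULL);
    ictx.usbdev_intf0 = malloc(sizeof(*ictx.usbdev_intf0));
    if (!ictx.usbdev_intf0) return -ENOMEM;
    ictx.usbdev_intf0->devnum = devnum;
    *before = vfd_write_model(&ictx);      /* device present: normal result */
    imon_disconnect_model(&ictx);
    return vfd_write_model(&ictx);         /* must not reach the freed device */
}

int main(void)
{
    int before = 0;
    return write_after_disconnect_model(7, &before) == -ENODEV ? 0 : 1;
}
```
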
CVE-2025-40240
In the Linux kernel, the following vulnerability has been resolved:

sctp: avoid NULL dereference when chunk data buffer is missing

chunk->skb pointer is dereferenced in the if-block where it's supposed to be NULL only.

chunk->skb can only be NULL if chunk->head_skb is not. Check for frag_list instead and do it just before replacing chunk->skb. We're sure that otherwise chunk->skb is non-NULL because of outer if() condition.
CVE-2025-68285
In the Linux kernel, the following vulnerability has been resolved:

libceph: fix potential use-after-free in have_mon_and_osd_map()

The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one

    kfree(monc->monmap);
    monc->monmap = monmap;

    ceph_osdmap_destroy(osdc->osdmap);
    osdc->osdmap = newmap;

under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in

    client->monc.monmap && client->monc.monmap->epoch &&
        client->osdc.osdmap && client->osdc.osdmap->epoch;

condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled:

    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
    ...
    Call Trace:
     have_mon_and_osd_map+0x56/0x70
     ceph_open_session+0x182/0x290
     ceph_get_tree+0x333/0x680
     vfs_get_tree+0x49/0x180
     do_new_mount+0x1a3/0x2d0
     path_mount+0x6dd/0x730
     do_mount+0x99/0xe0
     __do_sys_mount+0x141/0x180
     do_syscall_64+0x9f/0x100
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    Allocated by task 13305:
     ceph_osdmap_alloc+0x16/0x130
     ceph_osdc_init+0x27a/0x4c0
     ceph_create_client+0x153/0x190
     create_fs_client+0x50/0x2a0
     ceph_get_tree+0xff/0x680
     vfs_get_tree+0x49/0x180
     do_new_mount+0x1a3/0x2d0
     path_mount+0x6dd/0x730
     do_mount+0x99/0xe0
     __do_sys_mount+0x141/0x180
     do_syscall_64+0x9f/0x100
     entry_SYSCALL_64_after_hwframe+0x76/0x7e

    Freed by task 9475:
     kfree+0x212/0x290
     handle_one_map+0x23c/0x3b0
     ceph_osdc_handle_map+0x3c9/0x590
     mon_dispatch+0x655/0x6f0
     ceph_con_process_message+0xc3/0xe0
     ceph_con_v1_try_read+0x614/0x760
     ceph_con_workfn+0x2de/0x650
     process_one_work+0x486/0x7c0
     process_scheduled_works+0x73/0x90
     worker_thread+0x1c8/0x2a0
     kthread+0x2ec/0x300
     ret_from_fork+0x24/0x40
     ret_from_fork_asm+0x1a/0x30

Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth().

monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. kernel-4.18.0-553.92.1.el8_10.src.rpm
    Size: 132.32 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 11.27 MB
  2. kernel-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.54 MB
  3. kernel-abi-stablelists-4.18.0-553.92.1.el8_10.noarch.rpm
    Size: 10.56 MB
  4. kernel-core-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 43.57 MB
  5. kernel-cross-headers-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 15.89 MB
  6. kernel-debug-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.54 MB
  7. kernel-debug-core-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 72.88 MB
  8. kernel-debug-devel-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 24.38 MB
  9. kernel-debug-modules-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 65.96 MB
  10. kernel-debug-modules-extra-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 11.92 MB
  11. kernel-devel-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 24.18 MB
  12. kernel-doc-4.18.0-553.92.1.el8_10.noarch.rpm
    Size: 28.41 MB
  13. kernel-headers-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 11.89 MB
  14. kernel-modules-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 36.37 MB
  15. kernel-modules-extra-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 11.23 MB
  16. kernel-tools-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.76 MB
  17. kernel-tools-libs-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.55 MB
  18. kernel-tools-libs-devel-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.54 MB
  19. perf-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 12.86 MB
  20. python3-perf-4.18.0-553.92.1.el8_10.x86_64.rpm
    Size: 10.67 MB