kernel-4.18.0-553.81.1.el8_10

エラータID: AXSA:2025-11004:84

リリース日: 
2025/10/31 Friday - 09:54
題名: 
kernel-4.18.0-553.81.1.el8_10
影響のあるチャネル: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp (CVE-2023-53297)
* kernel: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CVE-2025-39817)
* kernel: Bluetooth: Fix potential use-after-free when clear keys (CVE-2023-53386)
* kernel: Bluetooth: L2CAP: Fix user-after-free (CVE-2022-50386)
* kernel: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CVE-2025-39849)
* kernel: scsi: lpfc: Fix buffer free/clear order in deferred receive path (CVE-2025-39841)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-50386
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix user-after-free This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace: Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref) Bluetooth: chan 0000000023c4974d Bluetooth: parent 00000000ae861c08 ================================================================== BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline] BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline] BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729 Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
CVE-2023-53297
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance' is triggered.
CVE-2023-53386
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix potential use-after-free when clear keys Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call.
CVE-2025-39817
In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0 If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob Fix it by checking 'guid' before cmp.
CVE-2025-39841
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF. Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.
CVE-2025-39849
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking.

解決策: 

Update packages.

CVE: 
CVE-2022-50386
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix user-after-free This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace: Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref) Bluetooth: chan 0000000023c4974d Bluetooth: parent 00000000ae861c08 ================================================================== BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:191 [inline] BUG: KASAN: use-after-free in __mutex_lock_common kernel/locking/mutex.c:671 [inline] BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 kernel/locking/mutex.c:729 Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
CVE-2023-53297
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, if l2cap_get_chan_by_scid returns NULL, then 'bad unlock balance' is triggered.
CVE-2023-53386
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix potential use-after-free when clear keys Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call.
CVE-2025-39817
In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu_op_compare+0x178/0x218 __d_lookup_rcu+0x1f8/0x228 d_alloc_parallel+0x150/0x648 lookup_open.isra.0+0x5f0/0x8d0 open_last_lookups+0x264/0x828 path_openat+0x130/0x3f8 do_filp_open+0x114/0x248 do_sys_openat2+0x340/0x3c0 __arm64_sys_openat+0x120/0x1a0 If dentry->d_name.len < EFI_VARIABLE_GUID_LEN , 'guid' can become negative, leadings to oob. The issue can be triggered by parallel lookups using invalid filename: T1 T2 lookup_open ->lookup simple_lookup d_add // invalid dentry is added to hash list lookup_open d_alloc_parallel __d_lookup_rcu __d_lookup_rcu_op_compare hlist_bl_for_each_entry_rcu // invalid dentry can be retrieved ->d_compare efivarfs_d_compare // oob Fix it by checking 'guid' before cmp.
CVE-2025-39841
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost path) also inspect and release the same pointer under the lock, so the old order could lead to double-free/UAF. Note that the repost path already uses the correct pattern: detach the pointer under the lock, then free it after dropping the lock. The deferred path should do the same.
CVE-2025-39849
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking.
追加情報: 

N/A

ダウンロード: 

SRPMS
  1. kernel-4.18.0-553.81.1.el8_10.src.rpm
    MD5: 69cff69f96abe4df44795947fcd9b419
    SHA-256: d87d14bb659946d91ff450fc5528801d50be103e567e0fd5074ec5249314354f
    Size: 132.29 MB

Asianux Server 8 for x86_64
  1. bpftool-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: db16e23b22d98341c66a7c8ae30aa27c
    SHA-256: 433c1a1f4e5d01ea60bade4d4314319582eb6fceaa664f562447a5112abd98ea
    Size: 11.25 MB
  2. kernel-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 5e3d83bf9a500622b4e605e348dee6fb
    SHA-256: 97427cec23136eb8b9a5a3422ec6e52e2e1fcd1d87f672c3c70bad245ea48741
    Size: 10.52 MB
  3. kernel-abi-stablelists-4.18.0-553.81.1.el8_10.noarch.rpm
    MD5: 6d6276697c5a8cb4d791a6a6919e3cb5
    SHA-256: 74b0c98a0e6372247611f4a09b3bec741341e8f4295e4380eca485b08ad2d5b5
    Size: 10.54 MB
  4. kernel-core-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: d05744bc703d7a43987aa0070f7bfc73
    SHA-256: 54941519e3cc8ab9795d13c8a3839bcbd3c1b0232be507b0279cf004b80d3d1a
    Size: 43.55 MB
  5. kernel-cross-headers-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 964200fd21b239418c5b4ec69cb7b2da
    SHA-256: e15ace9e0ff28ded2039f2b9c0aea72e4e55e268bd562c168b67997ea9861ea3
    Size: 15.87 MB
  6. kernel-debug-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 08f168c42ca6f30ddc54917b40d80b4c
    SHA-256: 7d6b9fb0d651891ac687e8b1b301b452f5f7ad24dcf0df14d1f23878a5154c6a
    Size: 10.52 MB
  7. kernel-debug-core-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 7eca8bc6fd10e4b71ec4309369ab8212
    SHA-256: b13b4b75ea4ff0cc97954fc8f4baf6ae938f6feea04e2bf64478d2ae2d93579d
    Size: 72.84 MB
  8. kernel-debug-devel-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 85fee5c280fae1910b8dc07c0fc987f3
    SHA-256: 061012aa322e648e28c25a01a167bfd09cff84e94078e73789cb4c068050535b
    Size: 24.36 MB
  9. kernel-debug-modules-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 7c4ce952609e721858de41f79adf13fc
    SHA-256: be5b0eede888dbd821d539c73956ec002c6c6c253a0ffcbccb01d3d55a8b3e0c
    Size: 65.94 MB
  10. kernel-debug-modules-extra-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: a6cfe8213db0d6c835c95862cf12e993
    SHA-256: a68ec70c2294ea1286331253641ccb730f1bbe2edf971367510a2e804a353008
    Size: 11.90 MB
  11. kernel-devel-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 1b890fe14afc973921f5aa6e27366ee1
    SHA-256: ec7f1fc9d34c9df978067683bf8ad01f12179441f04d24268b23471af501a3be
    Size: 24.15 MB
  12. kernel-doc-4.18.0-553.81.1.el8_10.noarch.rpm
    MD5: 6f13d94ba7655febd0634b93f897d6ff
    SHA-256: c4bedd5b45ac9db44c1e642d44427ffdf0b5db624a100446d9fbbcb608fa8471
    Size: 28.38 MB
  13. kernel-headers-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 6e8e944bf04c5a2978228cd9e455c600
    SHA-256: 3bebe82450a5c0b3253ea4cdda5a9d7082f63ab99fe8c81a34a6382a2da356e4
    Size: 11.87 MB
  14. kernel-modules-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 8e44ed316408b137cde0ab628eed2ca4
    SHA-256: bf49fe0da9a32e7e7cf9241646562ec64e89b233a17760aef6f2d7387c17324d
    Size: 36.34 MB
  15. kernel-modules-extra-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 411e09ab303e796b0811fdbee0eab876
    SHA-256: c64539299abe565aa124aa999cf80d86fe8a8fba522c412dbb5bf2255ffd5ae0
    Size: 11.21 MB
  16. kernel-tools-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 1a89a6b9bf06501abc0d55a0516a048e
    SHA-256: 6859277d43e3ffbabe75f6a9c68e696215a1fa5fc94ebb06e608fccc5e70a5ce
    Size: 10.74 MB
  17. kernel-tools-libs-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 9795de36cf3535dba74d64fa14e0d679
    SHA-256: 2055a085cb81a28530f145478f5f8f22716b12b033502a8fba4a840f695d9f04
    Size: 10.53 MB
  18. kernel-tools-libs-devel-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 491482b755773bf1ddbe531faba97e2b
    SHA-256: 5206e4fc16201722b11daa6afbe6a81013c4e729697d41d7ae74d337532a44a7
    Size: 10.52 MB
  19. perf-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 3e3a6fa4be9bae95f8404594542c9c32
    SHA-256: ae8a62cb5b126a4971b2ee96fdaabdbd8a65f67303277d2a8f281ebed4770ca0
    Size: 12.84 MB
  20. python3-perf-4.18.0-553.81.1.el8_10.x86_64.rpm
    MD5: 5a281400493301c19e0bbd343a0f990e
    SHA-256: 30e4092e464e4f2d688498af993a46460c831ff5128e3c2417fcc98b6ba83eb3
    Size: 10.65 MB