Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-38644 (GCVE-0-2025-38644)
Vulnerability from cvelistv5 – Published: 2025-08-22 16:00 – Updated: 2026-05-11 21:32
VLAI
EPSS
Title
wifi: mac80211: reject TDLS operations when station is not associated
Summary
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: reject TDLS operations when station is not associated
syzbot triggered a WARN in ieee80211_tdls_oper() by sending
NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,
before association completed and without prior TDLS setup.
This left internal state like sdata->u.mgd.tdls_peer uninitialized,
leading to a WARN_ON() in code paths that assumed it was valid.
Reject the operation early if not in station mode or not associated.
Severity
5.5 (Medium)
Assigner
References
7 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
81dd2b8822410e56048b927be779d95a2b6dc186 , < 0c84204cf0bbe89e454a5caccc6a908bc7db1542
(git)
Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 378ae9ccaea3f445838a087962a067b5cb2e8577 (git) Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < af72badd5ee423eb16f6ad7fe0a62f1b4252d848 (git) Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 4df663d4c1ca386dcab2f743dfc9f0cc07aef73c (git) Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 31af06b574394530f68a4310c45ecbe2f68853c4 (git) Affected: 81dd2b8822410e56048b927be779d95a2b6dc186 , < 16ecdab5446f15a61ec88eb0d23d25d009821db0 (git) |
|
| Linux | Linux |
Affected:
3.17
Unaffected: 0 , < 3.17 (semver) Unaffected: 6.1.148 , ≤ 6.1.* (semver) Unaffected: 6.6.102 , ≤ 6.6.* (semver) Unaffected: 6.12.42 , ≤ 6.12.* (semver) Unaffected: 6.15.10 , ≤ 6.15.* (semver) Unaffected: 6.16.1 , ≤ 6.16.* (semver) Unaffected: 6.17 , ≤ * (original_commit_for_fix) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T17:40:40.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "0c84204cf0bbe89e454a5caccc6a908bc7db1542",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "378ae9ccaea3f445838a087962a067b5cb2e8577",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "af72badd5ee423eb16f6ad7fe0a62f1b4252d848",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "4df663d4c1ca386dcab2f743dfc9f0cc07aef73c",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "31af06b574394530f68a4310c45ecbe2f68853c4",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
},
{
"lessThan": "16ecdab5446f15a61ec88eb0d23d25d009821db0",
"status": "affected",
"version": "81dd2b8822410e56048b927be779d95a2b6dc186",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/mac80211/tdls.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.17"
},
{
"lessThan": "3.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.148",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.102",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.42",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.10",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.16.*",
"status": "unaffected",
"version": "6.16.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.17",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.148",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.102",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.42",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.10",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16.1",
"versionStartIncluding": "3.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.17",
"versionStartIncluding": "3.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T21:32:12.399Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542"
},
{
"url": "https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577"
},
{
"url": "https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848"
},
{
"url": "https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c"
},
{
"url": "https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4"
},
{
"url": "https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0"
}
],
"title": "wifi: mac80211: reject TDLS operations when station is not associated",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38644",
"datePublished": "2025-08-22T16:00:49.899Z",
"dateReserved": "2025-04-16T04:51:24.030Z",
"dateUpdated": "2026-05-11T21:32:12.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-38644",
"date": "2026-06-26",
"epss": "0.00147",
"percentile": "0.04298"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38644\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-08-22T16:15:38.567\",\"lastModified\":\"2026-01-07T16:21:33.453\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nwifi: mac80211: reject TDLS operations when station is not associated\\n\\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\\nbefore association completed and without prior TDLS setup.\\n\\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\\nleading to a WARN_ON() in code paths that assumed it was valid.\\n\\nReject the operation early if not in station mode or not associated.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: mac80211: rechazar operaciones TDLS cuando la estaci\u00f3n no est\u00e1 asociada. syzbot activ\u00f3 una advertencia en ieee80211_tdls_oper() al enviar NL80211_TDLS_ENABLE_LINK inmediatamente despu\u00e9s de NL80211_CMD_CONNECT, antes de que se completara la asociaci\u00f3n y sin haber configurado previamente TDLS. Esto dej\u00f3 un estado interno como sdata-\u0026gt;u.mgd.tdls_peer sin inicializar, lo que provoc\u00f3 una advertencia WARN_ON() en las rutas de c\u00f3digo que asum\u00edan que era v\u00e1lido. Rechace la operaci\u00f3n antes de tiempo si no est\u00e1 en modo estaci\u00f3n o no est\u00e1 asociada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-908\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.17\",\"versionEndExcluding\":\"6.1.148\",\"matchCriteriaId\":\"C6221869-9E30-49CC-8B2C-EE367E1CDD3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.102\",\"matchCriteriaId\":\"DD6EDB96-08AC-49D8-A1A9-4D2140C49BC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.42\",\"matchCriteriaId\":\"EA7AA5E6-4376-4A85-A021-6ACC5FF801C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.15.10\",\"matchCriteriaId\":\"5890C690-B295-40C2-9121-FF5F987E5142\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.16\",\"versionEndExcluding\":\"6.16.1\",\"matchCriteriaId\":\"58182352-D7DF-4CC9-841E-03C1D852C3FB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0c84204cf0bbe89e454a5caccc6a908bc7db1542\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/16ecdab5446f15a61ec88eb0d23d25d009821db0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/31af06b574394530f68a4310c45ecbe2f68853c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/378ae9ccaea3f445838a087962a067b5cb2e8577\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/4df663d4c1ca386dcab2f743dfc9f0cc07aef73c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/af72badd5ee423eb16f6ad7fe0a62f1b4252d848\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
SUSE-SU-2025:3675-1
Vulnerability from csaf_suse - Published: 2025-10-20 08:06 - Updated: 2025-10-20 08:06Summary
Security update for the Linux Kernel (Live Patch 31 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 31 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_133 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3675,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3675
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 31 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_133 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3675,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3675",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3675-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3675-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253675-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3675-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042216.html"
},
{
"category": "self",
"summary": "SUSE Bug 1232384",
"url": "https://bugzilla.suse.com/1232384"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-49974 page",
"url": "https://www.suse.com/security/cve/CVE-2024-49974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 31 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-20T08:06:59Z",
"generator": {
"date": "2025-10-20T08:06:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3675-1",
"initial_release_date": "2025-10-20T08:06:59Z",
"revision_history": [
{
"date": "2025-10-20T08:06:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-49974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-49974"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-49974",
"url": "https://www.suse.com/security/cve/CVE-2024-49974"
},
{
"category": "external",
"summary": "SUSE Bug 1232383 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232383"
},
{
"category": "external",
"summary": "SUSE Bug 1232384 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2024-49974"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_133-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T08:06:59Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3679-1
Vulnerability from csaf_suse - Published: 2025-10-20 10:33 - Updated: 2025-10-20 10:33Summary
Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_144 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3679,SUSE-2025-3680,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3679
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_144 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3679,SUSE-2025-3680,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3679",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3679-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3679-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253679-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3679-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042215.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-20T10:33:45Z",
"generator": {
"date": "2025-10-20T10:33:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3679-1",
"initial_release_date": "2025-10-20T10:33:45Z",
"revision_history": [
{
"date": "2025-10-20T10:33:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_153-default-9-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T10:33:45Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T10:33:45Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T10:33:45Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T10:33:45Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_144-default-15-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T10:33:45Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3683-1
Vulnerability from csaf_suse - Published: 2025-10-20 17:05 - Updated: 2025-10-20 17:05Summary
Security update for the Linux Kernel (Live Patch 51 for SLE 15 SP3)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 51 for SLE 15 SP3)
Description of the patch: This update for the Linux Kernel 5.3.18-150300_59_185 fixes several issues.
The following security issues were fixed:
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3683,SUSE-SLE-Module-Live-Patching-15-SP3-2025-3683
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
24 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 51 for SLE 15 SP3)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.3.18-150300_59_185 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3683,SUSE-SLE-Module-Live-Patching-15-SP3-2025-3683",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3683-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3683-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253683-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3683-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042223.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 51 for SLE 15 SP3)",
"tracking": {
"current_release_date": "2025-10-20T17:05:06Z",
"generator": {
"date": "2025-10-20T17:05:06Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3683-1",
"initial_release_date": "2025-10-20T17:05:06Z",
"revision_history": [
{
"date": "2025-10-20T17:05:06Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"product_id": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"product_id": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64",
"product_id": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_3_18-150300_59_185-preempt-14-150300.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_3_18-150300_59_185-preempt-14-150300.2.1.x86_64",
"product_id": "kernel-livepatch-5_3_18-150300_59_185-preempt-14-150300.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP3",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T17:05:06Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T17:05:06Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T17:05:06Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP3:kernel-livepatch-5_3_18-150300_59_185-default-14-150300.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-20T17:05:06Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:3703-1
Vulnerability from csaf_suse - Published: 2025-10-21 11:13 - Updated: 2025-10-21 11:13Summary
Security update for the Linux Kernel (Live Patch 71 for SLE 12 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 71 for SLE 12 SP5)
Description of the patch: This update for the Linux Kernel 4.12.14-122_269 fixes several issues.
The following security issues were fixed:
- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3703,SUSE-SLE-Live-Patching-12-SP5-2025-3703
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
18 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 71 for SLE 12 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 4.12.14-122_269 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2022-50386: Bluetooth: L2CAP: Fix user-after-free (bsc#1250302).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3703,SUSE-SLE-Live-Patching-12-SP5-2025-3703",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3703-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3703-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253703-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3703-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042236.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1250302",
"url": "https://bugzilla.suse.com/1250302"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-50386 page",
"url": "https://www.suse.com/security/cve/CVE-2022-50386/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 71 for SLE 12 SP5)",
"tracking": {
"current_release_date": "2025-10-21T11:13:27Z",
"generator": {
"date": "2025-10-21T11:13:27Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3703-1",
"initial_release_date": "2025-10-21T11:13:27Z",
"revision_history": [
{
"date": "2025-10-21T11:13:27Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"product": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"product_id": "kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"product": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"product_id": "kgraft-patch-4_12_14-122_269-default-3-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64",
"product": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64",
"product_id": "kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-live-patching:12:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le"
},
"product_reference": "kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.s390x as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x"
},
"product_reference": "kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 12 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
},
"product_reference": "kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 12 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-50386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-50386"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix user-after-free\n\nThis uses l2cap_chan_hold_unless_zero() after calling\n__l2cap_get_chan_blah() to prevent the following trace:\n\nBluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref\n*kref)\nBluetooth: chan 0000000023c4974d\nBluetooth: parent 00000000ae861c08\n==================================================================\nBUG: KASAN: use-after-free in __mutex_waiter_is_first\nkernel/locking/mutex.c:191 [inline]\nBUG: KASAN: use-after-free in __mutex_lock_common\nkernel/locking/mutex.c:671 [inline]\nBUG: KASAN: use-after-free in __mutex_lock+0x278/0x400\nkernel/locking/mutex.c:729\nRead of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-50386",
"url": "https://www.suse.com/security/cve/CVE-2022-50386"
},
{
"category": "external",
"summary": "SUSE Bug 1250301 for CVE-2022-50386",
"url": "https://bugzilla.suse.com/1250301"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T11:13:27Z",
"details": "important"
}
],
"title": "CVE-2022-50386"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T11:13:27Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.s390x",
"SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_269-default-3-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T11:13:27Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
}
]
}
SUSE-SU-2025:3704-1
Vulnerability from csaf_suse - Published: 2025-10-21 12:04 - Updated: 2025-10-21 12:04Summary
Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_136 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3704,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3704
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_136 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3704,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3704",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3704-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3704-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253704-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3704-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042244.html"
},
{
"category": "self",
"summary": "SUSE Bug 1232384",
"url": "https://bugzilla.suse.com/1232384"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-49974 page",
"url": "https://www.suse.com/security/cve/CVE-2024-49974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 32 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-21T12:04:31Z",
"generator": {
"date": "2025-10-21T12:04:31Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3704-1",
"initial_release_date": "2025-10-21T12:04:31Z",
"revision_history": [
{
"date": "2025-10-21T12:04:31Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-49974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-49974"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-49974",
"url": "https://www.suse.com/security/cve/CVE-2024-49974"
},
{
"category": "external",
"summary": "SUSE Bug 1232383 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232383"
},
{
"category": "external",
"summary": "SUSE Bug 1232384 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2024-49974"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_136-default-17-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T12:04:31Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3705-1
Vulnerability from csaf_suse - Published: 2025-10-21 13:34 - Updated: 2025-10-21 13:34Summary
Security update for the Linux Kernel (Live Patch 33 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 33 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_141 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3705,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3705
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 33 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_141 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3705,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3705",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3705-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3705-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253705-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3705-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042243.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 33 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-21T13:34:07Z",
"generator": {
"date": "2025-10-21T13:34:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3705-1",
"initial_release_date": "2025-10-21T13:34:07Z",
"revision_history": [
{
"date": "2025-10-21T13:34:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T13:34:07Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T13:34:07Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T13:34:07Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T13:34:07Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_141-default-16-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T13:34:07Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3712-1
Vulnerability from csaf_suse - Published: 2025-10-21 23:36 - Updated: 2025-10-21 23:36Summary
Security update for the Linux Kernel (Live Patch 35 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 35 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_147 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3710,SUSE-2025-3711,SUSE-2025-3712,SUSE-2025-3713,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3712
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 35 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_147 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3710,SUSE-2025-3711,SUSE-2025-3712,SUSE-2025-3713,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3712",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3712-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3712-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253712-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3712-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042248.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 35 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-21T23:36:04Z",
"generator": {
"date": "2025-10-21T23:36:04Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3712-1",
"initial_release_date": "2025-10-21T23:36:04Z",
"revision_history": [
{
"date": "2025-10-21T23:36:04Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_164-default-8-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_170-default-6-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_150-default-9-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T23:36:04Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T23:36:04Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T23:36:04Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T23:36:04Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_147-default-14-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-21T23:36:04Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3717-1
Vulnerability from csaf_suse - Published: 2025-10-22 09:45 - Updated: 2025-10-22 09:45Summary
Security update for the Linux Kernel (Live Patch 41 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 41 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_167 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3717,SUSE-2025-3718,SUSE-2025-3719,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3719
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
29 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 41 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_167 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3717,SUSE-2025-3718,SUSE-2025-3719,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3719",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3717-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3717-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253717-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3717-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042255.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 41 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-22T09:45:07Z",
"generator": {
"date": "2025-10-22T09:45:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3717-1",
"initial_release_date": "2025-10-22T09:45:07Z",
"revision_history": [
{
"date": "2025-10-22T09:45:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.s390x"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_158-default-8-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_161-default-8-150400.2.1.x86_64"
}
},
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:07Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:07Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:07Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:07Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_167-default-7-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:07Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3720-1
Vulnerability from csaf_suse - Published: 2025-10-22 09:45 - Updated: 2025-10-22 09:45Summary
Security update for the Linux Kernel (Live Patch 43 for SLE 15 SP4)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 43 for SLE 15 SP4)
Description of the patch: This update for the Linux Kernel 5.14.21-150400_24_173 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
Patchnames: SUSE-2025-3720,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3720
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
19 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 43 for SLE 15 SP4)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150400_24_173 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3720,SUSE-SLE-Module-Live-Patching-15-SP4-2025-3720",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3720-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3720-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253720-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3720-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042254.html"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 43 for SLE 15 SP4)",
"tracking": {
"current_release_date": "2025-10-22T09:45:17Z",
"generator": {
"date": "2025-10-22T09:45:17Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3720-1",
"initial_release_date": "2025-10-22T09:45:17Z",
"revision_history": [
{
"date": "2025-10-22T09:45:17Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP4",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:17Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:17Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_173-default-3-150400.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T09:45:17Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
SUSE-SU-2025:3721-1
Vulnerability from csaf_suse - Published: 2025-10-22 11:06 - Updated: 2025-10-22 11:06Summary
Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP5)
Severity
Important
Notes
Title of the patch: Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP5)
Description of the patch: This update for the Linux Kernel 5.14.21-150500_55_80 fixes several issues.
The following security issues were fixed:
- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).
- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).
- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).
- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).
- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).
- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).
Patchnames: SUSE-2025-3721,SUSE-SLE-Module-Live-Patching-15-SP5-2025-3721
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.8 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
8.4 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
7.1 (High)
Affected products
Recommended
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
34 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP5)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 5.14.21-150500_55_80 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38678: netfilter: nf_tables: reject duplicate device on updates (bsc#1249534).\n- CVE-2025-38499: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (bsc#1248673).\n- CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232384).\n- CVE-2025-21971: net_sched: Prevent creation of classes with TC_H_ROOT (bsc#1245794).\n- CVE-2025-38644: wifi: mac80211: reject TDLS operations when station is not associated (bsc#1248749).\n- CVE-2025-38206: exfat: fix double free in delayed_free (bsc#1246075).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3721,SUSE-SLE-Module-Live-Patching-15-SP5-2025-3721",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_3721-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:3721-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-20253721-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:3721-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042253.html"
},
{
"category": "self",
"summary": "SUSE Bug 1232384",
"url": "https://bugzilla.suse.com/1232384"
},
{
"category": "self",
"summary": "SUSE Bug 1245794",
"url": "https://bugzilla.suse.com/1245794"
},
{
"category": "self",
"summary": "SUSE Bug 1246075",
"url": "https://bugzilla.suse.com/1246075"
},
{
"category": "self",
"summary": "SUSE Bug 1248673",
"url": "https://bugzilla.suse.com/1248673"
},
{
"category": "self",
"summary": "SUSE Bug 1248749",
"url": "https://bugzilla.suse.com/1248749"
},
{
"category": "self",
"summary": "SUSE Bug 1249534",
"url": "https://bugzilla.suse.com/1249534"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-49974 page",
"url": "https://www.suse.com/security/cve/CVE-2024-49974/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-21971 page",
"url": "https://www.suse.com/security/cve/CVE-2025-21971/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38206 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38206/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38499 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38499/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38644 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38644/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38678 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38678/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 19 for SLE 15 SP5)",
"tracking": {
"current_release_date": "2025-10-22T11:06:14Z",
"generator": {
"date": "2025-10-22T11:06:14Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:3721-1",
"initial_release_date": "2025-10-22T11:06:14Z",
"revision_history": [
{
"date": "2025-10-22T11:06:14Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"product": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"product_id": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"product": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"product_id": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64",
"product": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64",
"product_id": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le"
},
"product_reference": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x as component of SUSE Linux Enterprise Live Patching 15 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x"
},
"product_reference": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP5",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
},
"product_reference": "kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-49974",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-49974"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Limit the number of concurrent async COPY operations\n\nNothing appears to limit the number of concurrent async COPY\noperations that clients can start. In addition, AFAICT each async\nCOPY can copy an unlimited number of 4MB chunks, so can run for a\nlong time. Thus IMO async COPY can become a DoS vector.\n\nAdd a restriction mechanism that bounds the number of concurrent\nbackground COPY operations. Start simple and try to be fair -- this\npatch implements a per-namespace limit.\n\nAn async COPY request that occurs while this limit is exceeded gets\nNFS4ERR_DELAY. The requesting client can choose to send the request\nagain after a delay or fall back to a traditional read/write style\ncopy.\n\nIf there is need to make the mechanism more sophisticated, we can\nvisit that in future patches.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-49974",
"url": "https://www.suse.com/security/cve/CVE-2024-49974"
},
{
"category": "external",
"summary": "SUSE Bug 1232383 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232383"
},
{
"category": "external",
"summary": "SUSE Bug 1232384 for CVE-2024-49974",
"url": "https://bugzilla.suse.com/1232384"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2024-49974"
},
{
"cve": "CVE-2025-21971",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-21971"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-21971",
"url": "https://www.suse.com/security/cve/CVE-2025-21971"
},
{
"category": "external",
"summary": "SUSE Bug 1240799 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1240799"
},
{
"category": "external",
"summary": "SUSE Bug 1245794 for CVE-2025-21971",
"url": "https://bugzilla.suse.com/1245794"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2025-21971"
},
{
"cve": "CVE-2025-38206",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38206"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nexfat: fix double free in delayed_free\n\nThe double free could happen in the following path.\n\nexfat_create_upcase_table()\n exfat_create_upcase_table() : return error\n exfat_free_upcase_table() : free -\u003evol_utbl\n exfat_load_default_upcase_table : return error\n exfat_kill_sb()\n delayed_free()\n exfat_free_upcase_table() \u003c--------- double free\nThis patch set -\u003evol_util as NULL after freeing it.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38206",
"url": "https://www.suse.com/security/cve/CVE-2025-38206"
},
{
"category": "external",
"summary": "SUSE Bug 1246073 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246073"
},
{
"category": "external",
"summary": "SUSE Bug 1246075 for CVE-2025-38206",
"url": "https://bugzilla.suse.com/1246075"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2025-38206"
},
{
"cve": "CVE-2025-38499",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38499"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nclone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns\n\nWhat we want is to verify there is that clone won\u0027t expose something\nhidden by a mount we wouldn\u0027t be able to undo. \"Wouldn\u0027t be able to undo\"\nmay be a result of MNT_LOCKED on a child, but it may also come from\nlacking admin rights in the userns of the namespace mount belongs to.\n\nclone_private_mnt() checks the former, but not the latter.\n\nThere\u0027s a number of rather confusing CAP_SYS_ADMIN checks in various\nuserns during the mount, especially with the new mount API; they serve\ndifferent purposes and in case of clone_private_mnt() they usually,\nbut not always end up covering the missing check mentioned above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38499",
"url": "https://www.suse.com/security/cve/CVE-2025-38499"
},
{
"category": "external",
"summary": "SUSE Bug 1247976 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1247976"
},
{
"category": "external",
"summary": "SUSE Bug 1248673 for CVE-2025-38499",
"url": "https://bugzilla.suse.com/1248673"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2025-38499"
},
{
"cve": "CVE-2025-38644",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38644"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: reject TDLS operations when station is not associated\n\nsyzbot triggered a WARN in ieee80211_tdls_oper() by sending\nNL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT,\nbefore association completed and without prior TDLS setup.\n\nThis left internal state like sdata-\u003eu.mgd.tdls_peer uninitialized,\nleading to a WARN_ON() in code paths that assumed it was valid.\n\nReject the operation early if not in station mode or not associated.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38644",
"url": "https://www.suse.com/security/cve/CVE-2025-38644"
},
{
"category": "external",
"summary": "SUSE Bug 1248748 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248748"
},
{
"category": "external",
"summary": "SUSE Bug 1248749 for CVE-2025-38644",
"url": "https://bugzilla.suse.com/1248749"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2025-38644"
},
{
"cve": "CVE-2025-38678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38678"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: reject duplicate device on updates\n\nA chain/flowtable update with duplicated devices in the same batch is\npossible. Unfortunately, netdev event path only removes the first\ndevice that is found, leaving unregistered the hook of the duplicated\ndevice.\n\nCheck if a duplicated device exists in the transaction batch, bail out\nwith EEXIST in such case.\n\nWARNING is hit when unregistering the hook:\n\n [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150\n [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)\n [...]\n [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38678",
"url": "https://www.suse.com/security/cve/CVE-2025-38678"
},
{
"category": "external",
"summary": "SUSE Bug 1249126 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249126"
},
{
"category": "external",
"summary": "SUSE Bug 1249534 for CVE-2025-38678",
"url": "https://bugzilla.suse.com/1249534"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.s390x",
"SUSE Linux Enterprise Live Patching 15 SP5:kernel-livepatch-5_14_21-150500_55_80-default-17-150500.2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-22T11:06:14Z",
"details": "important"
}
],
"title": "CVE-2025-38678"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…