Threats Tagged 'cve-2025-39766'

This advisory addresses two security vulnerabilities in the Linux kernel packages used by Red Hat Enterprise Linux 10 and related products. The first vulnerability (CVE-2025-39766) involves the net/sched subsystem where the cake_enqueue function did not properly handle conditions past the buffer limit. The second vulnerability (CVE-2025-68741) concerns the scsi qla2xxx driver, which had an issue with improper freeing of a purex item. Red Hat has released an important security update to fix these issues, requiring a system reboot to apply the changes.

This advisory addresses two security vulnerabilities in the Linux kernel packages used by Red Hat Enterprise Linux 9 and related products. The first vulnerability (CVE-2025-39766) involves the network scheduler component where the cake_enqueue function did not properly handle conditions past the buffer limit. The second vulnerability (CVE-2025-68741) concerns improper freeing of a purex item in the SCSI qla2xxx driver. Red Hat has released an important security update that fixes these issues. The update requires a system reboot to take effect. No known exploits in the wild have been reported at this time.

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603) * kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766) * kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CVE-2025-68724) * kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741) * kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270) * kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401) * kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402) * kernel: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold (CVE-2026-31408) * kernel: usbip: validate number_of_packets in usbip_pack_ret_submit() (CVE-2026-31607) * kernel: RDMA/umem: Fix double dma_buf_unpin in failure path (CVE-2026-43128) * kernel: "Dirty Frag" is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-43284) * kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-46300) * kernel: Read root-owned files as an unprivileged user (CVE-2026-46333) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766) * kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741) * kernel: libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116) * kernel: libceph: prevent potential out-of-bounds reads in handle_auth_done() (CVE-2026-22984) * kernel: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990) * kernel: Linux kernel: Denial of Service in libceph OSD client due to unreset sparse-read state (CVE-2026-23136) * kernel: net/sched: cls_u32: use skb_header_pointer_careful() (CVE-2026-23204) * kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270) * kernel: Linux kernel KVM: Privilege escalation or denial of service due to improper shadow page table entry handling (CVE-2026-23401) * kernel: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (CVE-2026-31402) * kernel: can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532) * kernel: usbip: validate number_of_packets in usbip_pack_ret_submit() (CVE-2026-31607) * kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163) * kernel: RDMA/umem: Fix double dma_buf_unpin in failure path (CVE-2026-43128) * kernel: "Dirty Frag" is a new universal Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-43284) * kernel: "Fragnesia" is a variant of Dirty Frag vulnerability in the ESP/XFRM leading to Local Privilege Escalation (LPE) vulnerability in the Linux kernel (CVE-2026-46300) * kernel: Read root-owned files as an unprivileged user (CVE-2026-46333) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: proc: fix UAF in proc_get_inode() (CVE-2025-21999) * kernel: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (CVE-2025-38653) * kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766) * kernel: nbd: defer config unlock in nbd_genl_connect (CVE-2025-68366) * kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741) * kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243) * kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270) * kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service (CVE-2026-31419) * kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * kernel: proc: fix UAF in proc_get_inode() (CVE-2025-21999) * kernel: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al (CVE-2025-38653) * kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766) * kernel: nbd: defer config unlock in nbd_genl_connect (CVE-2025-68366) * kernel: scsi: qla2xxx: Fix improper freeing of purex item (CVE-2025-68741) * kernel: Linux kernel: Denial of service and memory corruption in RDMA umad (CVE-2026-23243) * kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation (CVE-2026-23270) * kernel: Linux kernel: Use-after-free in bonding driver leads to denial of service (CVE-2026-31419) * kernel: md/bitmap: fix GPF in write_page caused by resize race (CVE-2026-43163) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.