suse-su-2025:03575-1
Vulnerability from csaf_suse
Published
2025-10-12 15:04
Modified
2025-10-12 15:04
Summary
Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP7)
Notes
Title of the patch
Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP7)
Description of the patch
This update for the Linux Kernel 6.4.0-150700_51 fixes several issues.
The following security issues were fixed:
- CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247315).
- CVE-2025-22023: usb: xhci: Don't skip on Stopped - Length Invalid (bsc#1246754).
- CVE-2025-38089: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (bsc#1245509).
Patchnames
SUSE-2025-3575,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3575
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP7)",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for the Linux Kernel 6.4.0-150700_51 fixes several issues.\n\nThe following security issues were fixed:\n\n- CVE-2025-38477: net/sched: sch_qfq: Fix race condition on qfq_aggregate (bsc#1247315).\n- CVE-2025-22023: usb: xhci: Don\u0027t skip on Stopped - Length Invalid (bsc#1246754).\n- CVE-2025-38089: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (bsc#1245509).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2025-3575,SUSE-SLE-Module-Live-Patching-15-SP7-2025-3575",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_03575-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:03575-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202503575-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:03575-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-October/042089.html"
},
{
"category": "self",
"summary": "SUSE Bug 1245509",
"url": "https://bugzilla.suse.com/1245509"
},
{
"category": "self",
"summary": "SUSE Bug 1246754",
"url": "https://bugzilla.suse.com/1246754"
},
{
"category": "self",
"summary": "SUSE Bug 1247315",
"url": "https://bugzilla.suse.com/1247315"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-22023 page",
"url": "https://www.suse.com/security/cve/CVE-2025-22023/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38089 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38089/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-38477 page",
"url": "https://www.suse.com/security/cve/CVE-2025-38477/"
}
],
"title": "Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP7)",
"tracking": {
"current_release_date": "2025-10-12T15:04:11Z",
"generator": {
"date": "2025-10-12T15:04:11Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:03575-1",
"initial_release_date": "2025-10-12T15:04:11Z",
"revision_history": [
{
"date": "2025-10-12T15:04:11Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"product": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"product_id": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"product": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"product_id": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64",
"product": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64",
"product_id": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-live-patching:15:sp7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le"
},
"product_reference": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x"
},
"product_reference": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64 as component of SUSE Linux Enterprise Live Patching 15 SP7",
"product_id": "SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
},
"product_reference": "kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Live Patching 15 SP7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22023",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-22023"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: xhci: Don\u0027t skip on Stopped - Length Invalid\n\nUp until commit d56b0b2ab142 (\"usb: xhci: ensure skipped isoc TDs are\nreturned when isoc ring is stopped\") in v6.11, the driver didn\u0027t skip\nmissed isochronous TDs when handling Stoppend and Stopped - Length\nInvalid events. Instead, it erroneously cleared the skip flag, which\nwould cause the ring to get stuck, as future events won\u0027t match the\nmissed TD which is never removed from the queue until it\u0027s cancelled.\n\nThis buggy logic seems to have been in place substantially unchanged\nsince the 3.x series over 10 years ago, which probably speaks first\nand foremost about relative rarity of this case in normal usage, but\nby the spec I see no reason why it shouldn\u0027t be possible.\n\nAfter d56b0b2ab142, TDs are immediately skipped when handling those\nStopped events. This poses a potential problem in case of Stopped -\nLength Invalid, which occurs either on completed TDs (likely already\ngiven back) or Link and No-Op TRBs. Such event won\u0027t be recognized\nas matching any TD (unless it\u0027s the rare Link TRB inside a TD) and\nwill result in skipping all pending TDs, giving them back possibly\nbefore they are done, risking isoc data loss and maybe UAF by HW.\n\nAs a compromise, don\u0027t skip and don\u0027t clear the skip flag on this\nkind of event. Then the next event will skip missed TDs. A downside\nof not handling Stopped - Length Invalid on a Link inside a TD is\nthat if the TD is cancelled, its actual length will not be updated\nto account for TRBs (silently) completed before the TD was stopped.\n\nI had no luck producing this sequence of completion events so there\nis no compelling demonstration of any resulting disaster. It may be\na very rare, obscure condition. The sole motivation for this patch\nis that if such unlikely event does occur, I\u0027d rather risk reporting\na cancelled partially done isoc frame as empty than gamble with UAF.\n\nThis will be fixed more properly by looking at Stopped event\u0027s TRB\npointer when making skipping decisions, but such rework is unlikely\nto be backported to v6.12, which will stay around for a few years.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-22023",
"url": "https://www.suse.com/security/cve/CVE-2025-22023"
},
{
"category": "external",
"summary": "SUSE Bug 1241298 for CVE-2025-22023",
"url": "https://bugzilla.suse.com/1241298"
},
{
"category": "external",
"summary": "SUSE Bug 1246754 for CVE-2025-22023",
"url": "https://bugzilla.suse.com/1246754"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-12T15:04:11Z",
"details": "important"
}
],
"title": "CVE-2025-22023"
},
{
"cve": "CVE-2025-38089",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38089"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nsunrpc: handle SVC_GARBAGE during svc auth processing as auth error\n\ntianshuo han reported a remotely-triggerable crash if the client sends a\nkernel RPC server a specially crafted packet. If decoding the RPC reply\nfails in such a way that SVC_GARBAGE is returned without setting the\nrq_accept_statp pointer, then that pointer can be dereferenced and a\nvalue stored there.\n\nIf it\u0027s the first time the thread has processed an RPC, then that\npointer will be set to NULL and the kernel will crash. In other cases,\nit could create a memory scribble.\n\nThe server sunrpc code treats a SVC_GARBAGE return from svc_authenticate\nor pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531\nsays that if authentication fails that the RPC should be rejected\ninstead with a status of AUTH_ERR.\n\nHandle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of\nAUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This\nsidesteps the whole problem of touching the rpc_accept_statp pointer in\nthis situation and avoids the crash.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38089",
"url": "https://www.suse.com/security/cve/CVE-2025-38089"
},
{
"category": "external",
"summary": "SUSE Bug 1245508 for CVE-2025-38089",
"url": "https://bugzilla.suse.com/1245508"
},
{
"category": "external",
"summary": "SUSE Bug 1245509 for CVE-2025-38089",
"url": "https://bugzilla.suse.com/1245509"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-12T15:04:11Z",
"details": "important"
}
],
"title": "CVE-2025-38089"
},
{
"cve": "CVE-2025-38477",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-38477"
}
],
"notes": [
{
"category": "general",
"text": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when \u0027agg\u0027 is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-38477",
"url": "https://www.suse.com/security/cve/CVE-2025-38477"
},
{
"category": "external",
"summary": "SUSE Bug 1247314 for CVE-2025-38477",
"url": "https://bugzilla.suse.com/1247314"
},
{
"category": "external",
"summary": "SUSE Bug 1247315 for CVE-2025-38477",
"url": "https://bugzilla.suse.com/1247315"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.ppc64le",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.s390x",
"SUSE Linux Enterprise Live Patching 15 SP7:kernel-livepatch-6_4_0-150700_51-default-5-150700.3.12.2.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-10-12T15:04:11Z",
"details": "important"
}
],
"title": "CVE-2025-38477"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…