An update for kernel is now available for openEuler-22.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1648 Final 1.0 1.0 2025-06-20 Initial 2025-06-20 2025-06-20 openEuler SA Tool V1.0 2025-06-20 kernel security update An update for kernel is now available for openEuler-22.03-LTS-SP3 The Linux Kernel, the operating system core itself. Security Fix(es): In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_SAME No Data Buffer crash In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer.(CVE-2022-21546) In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: ipc: Fix potential use-after-free in work function When a reset notify IPC message is received, the ISR schedules a work function and passes the ISHTP device to it via a global pointer ishtp_dev. If ish_probe() fails, the devm-managed device resources including ishtp_dev are freed, but the work is not cancelled, causing a use-after-free when the work function tries to access ishtp_dev. Use devm_work_autocancel() instead, so that the work is automatically cancelled if probe fails.(CVE-2023-53039) In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.(CVE-2024-58083) In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.(CVE-2025-21704) An update for kernel is now available for openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-22.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High kernel https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1648 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-21546 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-53039 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-58083 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2025-21704 https://nvd.nist.gov/vuln/detail/CVE-2022-21546 https://nvd.nist.gov/vuln/detail/CVE-2023-53039 https://nvd.nist.gov/vuln/detail/CVE-2024-58083 https://nvd.nist.gov/vuln/detail/CVE-2025-21704 openEuler-22.03-LTS-SP3 kernel-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-debuginfo-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-debugsource-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-devel-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-headers-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-source-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-tools-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-tools-debuginfo-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-tools-devel-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm perf-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm perf-debuginfo-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm python3-perf-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm python3-perf-debuginfo-5.10.0-268.0.0.170.oe2203sp3.x86_64.rpm kernel-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-debuginfo-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-debugsource-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-devel-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-headers-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-source-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-tools-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-tools-debuginfo-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-tools-devel-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm perf-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm perf-debuginfo-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm python3-perf-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm python3-perf-debuginfo-5.10.0-268.0.0.170.oe2203sp3.aarch64.rpm kernel-5.10.0-268.0.0.170.oe2203sp3.src.rpm In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_SAME No Data Buffer crash In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer. 2025-06-20 CVE-2022-21546 openEuler-22.03-LTS-SP3 High 7.7 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H kernel security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1648 In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: ipc: Fix potential use-after-free in work function When a reset notify IPC message is received, the ISR schedules a work function and passes the ISHTP device to it via a global pointer ishtp_dev. If ish_probe() fails, the devm-managed device resources including ishtp_dev are freed, but the work is not cancelled, causing a use-after-free when the work function tries to access ishtp_dev. Use devm_work_autocancel() instead, so that the work is automatically cancelled if probe fails. 2025-06-20 CVE-2023-53039 openEuler-22.03-LTS-SP3 Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H kernel security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1648 In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race. 2025-06-20 CVE-2024-58083 openEuler-22.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H kernel security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1648 In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces. 2025-06-20 CVE-2025-21704 openEuler-22.03-LTS-SP3 Low 3.9 AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L kernel security update 2025-06-20 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1648