ALAS2-2025-2843


Amazon Linux 2 Security Advisory: ALAS2-2025-2843
Advisory Released Date: 2025-04-30
Advisory Updated Date: 2025-05-19
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

nbd: Fix NULL pointer in flush_workqueue (CVE-2021-46981)

A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel. This flaw allows an attacker to crash the system and possibly cause a kernel information leak. (CVE-2023-1611)

nftables out-of-bounds read in nf_osf_match_one() (CVE-2023-39189)

In the Linux kernel, the following vulnerability has been resolved:

bonding: stop the device in bond_setup_by_slave() (CVE-2023-52784)

In the Linux kernel, the following vulnerability has been resolved:

scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress (CVE-2023-52975)

In the Linux kernel, the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages() (CVE-2024-47745)

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix double brelse() the buffer of the extents path (CVE-2024-49882)

In the Linux kernel, the following vulnerability has been resolved:

net: do not delay dst_entries_add() in dst_release() (CVE-2024-50036)

In the Linux kernel, the following vulnerability has been resolved:

dm cache: fix potential out-of-bounds access on the first resume (CVE-2024-50278)

In the Linux kernel, the following vulnerability has been resolved:

security/keys: fix slab-out-of-bounds in key_task_permission (CVE-2024-50301)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: extend RCU protection in igmp6_send() (CVE-2025-21759)

In the Linux kernel, the following vulnerability has been resolved:

vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)

In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes (CVE-2025-21991)


Affected Packages:

kernel


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update kernel to update your system.
System reboot is required in order to complete this update.
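As an added check that is not part of the advisory: a POSIX shell script that compares a kernel version string (as printed by uname -r) against the fixed kernel 4.14.355-276.639 listed under New Packages, and separates hosts that still need the update from hosts that have installed it but not yet rebooted into it. The rpm and uname calls in check_this_host are assumed to be run on an AL2 host; the older kernel string in SAMPLE_OLD_KERNEL is a constructed value.

```shell
#!/bin/sh
# Fixed kernel version-release from this advisory (dist tag and arch stripped).
FIXED_KERNEL="4.14.355-276.639"
# Constructed example of a pre-advisory kernel string, used by demo only.
SAMPLE_OLD_KERNEL="4.14.352-273.592.amzn2.x86_64"

# Strip the ".amzn2.<arch>" tail and turn '-' into '.', so that
# "4.14.355-276.639.amzn2.x86_64" becomes "4.14.355.276.639".
normalize_kernel() {
    printf '%s\n' "$1" | sed -e 's/\.amzn2.*$//' -e 's/-/./g'
}

# compare_versions A B: prints lt, eq or gt, comparing numerically component
# by component (plain string comparison would rank 4.14.99 above 4.14.355).
compare_versions() {
    a=$(normalize_kernel "$1"); b=$(normalize_kernel "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        if [ "$a" = "$ac" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bc" ]; then b=; else b=${b#*.}; fi
        if [ "${ac:-0}" -lt "${bc:-0}" ]; then echo lt; return; fi
        if [ "${ac:-0}" -gt "${bc:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# kernel_is_fixed VERSION: true when VERSION is at or above the advisory's kernel.
kernel_is_fixed() {
    [ "$(compare_versions "$1" "$FIXED_KERNEL")" != lt ]
}

# report_status RUNNING INSTALLED: classify a host from its running kernel
# (uname -r) and its newest installed kernel package.
report_status() {
    if kernel_is_fixed "$1"; then
        echo patched            # fixed kernel is the one booted
    elif kernel_is_fixed "$2"; then
        echo reboot-required    # fixed kernel installed, reboot still pending
    else
        echo vulnerable         # no fixed kernel on the host yet
    fi
}

# Live use on an AL2 host (assumed commands; not run by demo):
check_this_host() {
    installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' | sort -V | tail -n 1)
    report_status "$(uname -r)" "$installed"
}

demo() {
    report_status "$SAMPLE_OLD_KERNEL" "$FIXED_KERNEL.amzn2.x86_64"   # reboot-required
}
```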

New Packages:
aarch64:
    kernel-4.14.355-276.639.amzn2.aarch64
    kernel-headers-4.14.355-276.639.amzn2.aarch64
    kernel-debuginfo-common-aarch64-4.14.355-276.639.amzn2.aarch64
    perf-4.14.355-276.639.amzn2.aarch64
    perf-debuginfo-4.14.355-276.639.amzn2.aarch64
    python-perf-4.14.355-276.639.amzn2.aarch64
    python-perf-debuginfo-4.14.355-276.639.amzn2.aarch64
    kernel-tools-4.14.355-276.639.amzn2.aarch64
    kernel-tools-devel-4.14.355-276.639.amzn2.aarch64
    kernel-tools-debuginfo-4.14.355-276.639.amzn2.aarch64
    kernel-devel-4.14.355-276.639.amzn2.aarch64
    kernel-debuginfo-4.14.355-276.639.amzn2.aarch64

i686:
    kernel-headers-4.14.355-276.639.amzn2.i686

src:
    kernel-4.14.355-276.639.amzn2.src

x86_64:
    kernel-4.14.355-276.639.amzn2.x86_64
    kernel-headers-4.14.355-276.639.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.14.355-276.639.amzn2.x86_64
    perf-4.14.355-276.639.amzn2.x86_64
    perf-debuginfo-4.14.355-276.639.amzn2.x86_64
    python-perf-4.14.355-276.639.amzn2.x86_64
    python-perf-debuginfo-4.14.355-276.639.amzn2.x86_64
    kernel-tools-4.14.355-276.639.amzn2.x86_64
    kernel-tools-devel-4.14.355-276.639.amzn2.x86_64
    kernel-tools-debuginfo-4.14.355-276.639.amzn2.x86_64
    kernel-devel-4.14.355-276.639.amzn2.x86_64
    kernel-debuginfo-4.14.355-276.639.amzn2.x86_64
    kernel-livepatch-4.14.355-276.639-1.0-0.amzn2.x86_64

Changelog:

2025-05-19: CVE-2025-21991 was added to this advisory.

2025-05-05: CVE-2023-52975 was added to this advisory.

2025-05-05: CVE-2023-1611 was added to this advisory.

2025-05-05: CVE-2024-49882 was added to this advisory.

2025-05-05: CVE-2023-52784 was added to this advisory.

2025-05-05: CVE-2024-50036 was added to this advisory.

2025-05-05: CVE-2025-21796 was added to this advisory.

2025-05-05: CVE-2025-21791 was added to this advisory.

2025-05-05: CVE-2025-21759 was added to this advisory.

2025-05-05: CVE-2023-39189 was added to this advisory.

2025-05-05: CVE-2021-46981 was added to this advisory.

2025-05-05: CVE-2024-50301 was added to this advisory.

2025-05-05: CVE-2024-50278 was added to this advisory.

2025-05-05: CVE-2024-47745 was added to this advisory.