ALAS2-2025-2955

Amazon Linux 2 Security Advisory: ALAS2-2025-2955
Advisory Released Date: 2025-08-04
Advisory Updated Date: 2025-08-26

Severity: Important

References: CVE-2022-50073 CVE-2023-53131 CVE-2025-37798 CVE-2025-37932 CVE-2025-38058 CVE-2025-38064 CVE-2025-38177 CVE-2025-38324
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null (CVE-2022-50073)

In the Linux kernel, the following vulnerability has been resolved:

SUNRPC: Fix a server shutdown leak (CVE-2023-53131)

In the Linux kernel, the following vulnerability has been resolved:

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (CVE-2025-37798)

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37932)

In the Linux kernel, the following vulnerability has been resolved:

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (CVE-2025-38058)

In the Linux kernel, the following vulnerability has been resolved:

virtio: break and reset virtio devices on device_shutdown() (CVE-2025-38064)

In the Linux kernel, the following vulnerability has been resolved:

sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-38177)

In the Linux kernel, the following vulnerability has been resolved:

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). (CVE-2025-38324)

Affected Packages:

kernel

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update kernel or yum update --advisory ALAS2-2025-2955 to update your system.
System reboot is required in order to complete this update.

New Packages:

aarch64:
    kernel-4.14.355-280.664.amzn2.aarch64
    kernel-headers-4.14.355-280.664.amzn2.aarch64
    kernel-debuginfo-common-aarch64-4.14.355-280.664.amzn2.aarch64
    perf-4.14.355-280.664.amzn2.aarch64
    perf-debuginfo-4.14.355-280.664.amzn2.aarch64
    python-perf-4.14.355-280.664.amzn2.aarch64
    python-perf-debuginfo-4.14.355-280.664.amzn2.aarch64
    kernel-tools-4.14.355-280.664.amzn2.aarch64
    kernel-tools-devel-4.14.355-280.664.amzn2.aarch64
    kernel-tools-debuginfo-4.14.355-280.664.amzn2.aarch64
    kernel-devel-4.14.355-280.664.amzn2.aarch64
    kernel-debuginfo-4.14.355-280.664.amzn2.aarch64

i686:
    kernel-headers-4.14.355-280.664.amzn2.i686

src:
    kernel-4.14.355-280.664.amzn2.src

x86_64:
    kernel-4.14.355-280.664.amzn2.x86_64
    kernel-headers-4.14.355-280.664.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.14.355-280.664.amzn2.x86_64
    perf-4.14.355-280.664.amzn2.x86_64
    perf-debuginfo-4.14.355-280.664.amzn2.x86_64
    python-perf-4.14.355-280.664.amzn2.x86_64
    python-perf-debuginfo-4.14.355-280.664.amzn2.x86_64
    kernel-tools-4.14.355-280.664.amzn2.x86_64
    kernel-tools-devel-4.14.355-280.664.amzn2.x86_64
    kernel-tools-debuginfo-4.14.355-280.664.amzn2.x86_64
    kernel-devel-4.14.355-280.664.amzn2.x86_64
    kernel-debuginfo-4.14.355-280.664.amzn2.x86_64
    kernel-livepatch-4.14.355-280.664-1.0-0.amzn2.x86_64

Changelog:

2025-08-26: CVE-2025-38177 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2 Release Notes

Red Hat: CVE-2022-50073, CVE-2023-53131, CVE-2025-37798, CVE-2025-37932, CVE-2025-38058, CVE-2025-38064, CVE-2025-38177, CVE-2025-38324

Mitre: CVE-2022-50073, CVE-2023-53131, CVE-2025-37798, CVE-2025-37932, CVE-2025-38058, CVE-2025-38064, CVE-2025-38177, CVE-2025-38324