Amazon Linux 2 Security Advisory: ALAS2KERNEL-5.15-2025-069
Advisory Released Date: 2025-04-01
Advisory Updated Date: 2025-06-19
FAQs regarding Amazon Linux ALAS/CVE Severity
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS (CVE-2024-46830)
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix soft lockup in the OOM process (CVE-2024-57977)
In the Linux kernel, the following vulnerability has been resolved:
pps: Fix a use-after-free (CVE-2024-57979)
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981)
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986)
In the Linux kernel, the following vulnerability has been resolved:
tpm: Change to kvalloc() in eventlog/acpi.c (CVE-2024-58005)
In the Linux kernel, the following vulnerability has been resolved:
safesetid: check size of policy writes (CVE-2024-58016)
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Add NULL check in mt_input_configured (CVE-2024-58020)
In the Linux kernel, the following vulnerability has been resolved:
team: prevent adding a device which is already a team device lower (CVE-2024-58071)
In the Linux kernel, the following vulnerability has been resolved:
KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083)
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Prevent rescheduling when interrupts are disabled (CVE-2024-58090)
In the Linux kernel, the following vulnerability has been resolved:
net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700)
In the Linux kernel, the following vulnerability has been resolved:
net: avoid race between device unregistration and ethnl ops (CVE-2025-21701)
In the Linux kernel, the following vulnerability has been resolved:
mptcp: consolidate suboption status (CVE-2025-21707)
In the Linux kernel, the following vulnerability has been resolved:
ipmr: do not call mr_mfc_uses_dev() for unres entries (CVE-2025-21719)
In the Linux kernel, the following vulnerability has been resolved:
padata: avoid UAF for reorder_work (CVE-2025-21726)
In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder (CVE-2025-21727)
In the Linux kernel, the following vulnerability has been resolved:
bpf: Send signals asynchronously if !preemptible (CVE-2025-21728)
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect (CVE-2025-21731)
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix class @block_class's subsystem refcount leakage (CVE-2025-21745)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753)
In the Linux kernel, the following vulnerability has been resolved:
vsock: Keep the binding until socket destruction (CVE-2025-21756)
In the Linux kernel, the following vulnerability has been resolved:
ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758)
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb() (CVE-2025-21760)
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761)
In the Linux kernel, the following vulnerability has been resolved:
arp: use RCU protection in arp_xmit() (CVE-2025-21762)
In the Linux kernel, the following vulnerability has been resolved:
neighbour: use RCU protection in __neigh_notify() (CVE-2025-21763)
In the Linux kernel, the following vulnerability has been resolved:
ndisc: use RCU protection in ndisc_alloc_skb() (CVE-2025-21764)
In the Linux kernel, the following vulnerability has been resolved:
ipv4: use RCU protection in __ip_rt_update_pmtu() (CVE-2025-21766)
In the Linux kernel, the following vulnerability has been resolved:
clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context (CVE-2025-21767)
In the Linux kernel, the following vulnerability has been resolved:
USB: hub: Ignore non-compliant devices with too many configs or interfaces (CVE-2025-21776)
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (CVE-2025-21779)
In the Linux kernel, the following vulnerability has been resolved:
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785)
In the Linux kernel, the following vulnerability has been resolved:
team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787)
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)
In the Linux kernel, the following vulnerability has been resolved:
NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795)
In the Linux kernel, the following vulnerability has been resolved:
nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)
In the Linux kernel, the following vulnerability has been resolved:
net: let net.core.dev_weight always be non-zero (CVE-2025-21806)
In the Linux kernel, the following vulnerability has been resolved:
ptp: Ensure info->enable callback is always set (CVE-2025-21814)
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: reject mismatching sum of field_len with set key length (CVE-2025-21826)
In the Linux kernel, the following vulnerability has been resolved:
smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844)
In the Linux kernel, the following vulnerability has been resolved:
acct: perform last write from workqueue (CVE-2025-21846)
In the Linux kernel, the following vulnerability has been resolved:
geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)
In the Linux kernel, the following vulnerability has been resolved:
mptcp: always handle address removal under msk socket lock (CVE-2025-21875)
In the Linux kernel, the following vulnerability has been resolved:
ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (CVE-2025-21887)
In the Linux kernel, the following vulnerability has been resolved:
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (CVE-2025-21919)
In the Linux kernel, the following vulnerability has been resolved:
vlan: enforce underlying device type (CVE-2025-21920)
In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926)
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CVE-2025-21928)
In the Linux kernel, the following vulnerability has been resolved:
HID: appleir: Fix potential NULL dereference at raw event handle (CVE-2025-21948)
Affected Packages:
kernel
Note:
This advisory is applicable to Amazon Linux 2 - Kernel-5.15 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update kernel to update your system.
System reboot is required in order to complete this update.
aarch64:
kernel-5.15.179-121.185.amzn2.aarch64
kernel-headers-5.15.179-121.185.amzn2.aarch64
kernel-debuginfo-common-aarch64-5.15.179-121.185.amzn2.aarch64
perf-5.15.179-121.185.amzn2.aarch64
perf-debuginfo-5.15.179-121.185.amzn2.aarch64
python-perf-5.15.179-121.185.amzn2.aarch64
python-perf-debuginfo-5.15.179-121.185.amzn2.aarch64
kernel-tools-5.15.179-121.185.amzn2.aarch64
kernel-tools-devel-5.15.179-121.185.amzn2.aarch64
kernel-tools-debuginfo-5.15.179-121.185.amzn2.aarch64
bpftool-5.15.179-121.185.amzn2.aarch64
bpftool-debuginfo-5.15.179-121.185.amzn2.aarch64
kernel-devel-5.15.179-121.185.amzn2.aarch64
kernel-debuginfo-5.15.179-121.185.amzn2.aarch64
kernel-livepatch-5.15.179-121.185-1.0-0.amzn2.aarch64
i686:
kernel-headers-5.15.179-121.185.amzn2.i686
src:
kernel-5.15.179-121.185.amzn2.src
x86_64:
kernel-5.15.179-121.185.amzn2.x86_64
kernel-headers-5.15.179-121.185.amzn2.x86_64
kernel-debuginfo-common-x86_64-5.15.179-121.185.amzn2.x86_64
perf-5.15.179-121.185.amzn2.x86_64
perf-debuginfo-5.15.179-121.185.amzn2.x86_64
python-perf-5.15.179-121.185.amzn2.x86_64
python-perf-debuginfo-5.15.179-121.185.amzn2.x86_64
kernel-tools-5.15.179-121.185.amzn2.x86_64
kernel-tools-devel-5.15.179-121.185.amzn2.x86_64
kernel-tools-debuginfo-5.15.179-121.185.amzn2.x86_64
bpftool-5.15.179-121.185.amzn2.x86_64
bpftool-debuginfo-5.15.179-121.185.amzn2.x86_64
kernel-devel-5.15.179-121.185.amzn2.x86_64
kernel-debuginfo-5.15.179-121.185.amzn2.x86_64
kernel-livepatch-5.15.179-121.185-1.0-0.amzn2.x86_64
2025-06-19: CVE-2025-21948 was added to this advisory.
2025-05-21: CVE-2025-21767 was added to this advisory.
2025-05-21: CVE-2025-21875 was added to this advisory.
2025-05-21: CVE-2025-21795 was added to this advisory.
2025-05-21: CVE-2025-21844 was added to this advisory.
2025-05-21: CVE-2025-21806 was added to this advisory.
2025-05-21: CVE-2024-58090 was added to this advisory.
2025-05-21: CVE-2025-21745 was added to this advisory.
2025-05-21: CVE-2025-21846 was added to this advisory.
2025-05-21: CVE-2024-57977 was added to this advisory.
2025-05-21: CVE-2025-21719 was added to this advisory.
2025-05-21: CVE-2025-21728 was added to this advisory.
2025-05-21: CVE-2024-58071 was added to this advisory.
2025-05-21: CVE-2024-58005 was added to this advisory.
2025-05-21: CVE-2025-21707 was added to this advisory.
2025-05-21: CVE-2024-58020 was added to this advisory.
2025-05-21: CVE-2024-57986 was added to this advisory.
2025-05-21: CVE-2025-21766 was added to this advisory.
2025-05-21: CVE-2025-21814 was added to this advisory.
2025-05-21: CVE-2025-21926 was added to this advisory.
2025-05-21: CVE-2025-21826 was added to this advisory.
2025-05-21: CVE-2024-58016 was added to this advisory.
2025-05-21: CVE-2024-57981 was added to this advisory.
2025-05-21: CVE-2025-21776 was added to this advisory.
2025-05-21: CVE-2025-21787 was added to this advisory.
2025-05-08: CVE-2025-21779 was added to this advisory.
2025-04-23: CVE-2025-21919 was added to this advisory.
2025-04-23: CVE-2025-21928 was added to this advisory.
2025-04-23: CVE-2025-21920 was added to this advisory.
2025-04-09: CVE-2025-21785 was added to this advisory.
2025-04-09: CVE-2025-21858 was added to this advisory.
2025-04-09: CVE-2024-58083 was added to this advisory.
2025-04-09: CVE-2025-21887 was added to this advisory.