Amazon Linux 2 Security Advisory: ALAS2KERNEL-5.4-2025-097
Advisory Released Date: 2025-04-01
Advisory Updated Date: 2025-06-19
FAQs regarding Amazon Linux ALAS/CVE Severity
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix UAF in smb2_reconnect_server() (CVE-2024-35870)
In the Linux kernel, the following vulnerability has been resolved:
rdma/cxgb4: Prevent potential integer overflow on 32bit (CVE-2024-57973)
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix soft lockup in the OOM process (CVE-2024-57977)
In the Linux kernel, the following vulnerability has been resolved:
pps: Fix a use-after-free (CVE-2024-57979)
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981)
In the Linux kernel, the following vulnerability has been resolved:
HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986)
In the Linux kernel, the following vulnerability has been resolved:
HID: multitouch: Add NULL check in mt_input_configured (CVE-2024-58020)
In the Linux kernel, the following vulnerability has been resolved:
rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read (CVE-2024-58069)
In the Linux kernel, the following vulnerability has been resolved:
team: prevent adding a device which is already a team device lower (CVE-2024-58071)
In the Linux kernel, the following vulnerability has been resolved:
KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083)
In the Linux kernel, the following vulnerability has been resolved:
sched/core: Prevent rescheduling when interrupts are disabled (CVE-2024-58090)
In the Linux kernel, the following vulnerability has been resolved:
sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647)
In the Linux kernel, the following vulnerability has been resolved:
net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700)
In the Linux kernel, the following vulnerability has been resolved:
pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702)
In the Linux kernel, the following vulnerability has been resolved:
net: usb: rtl8150: enable basic endpoint checking (CVE-2025-21708)
In the Linux kernel, the following vulnerability has been resolved:
ipmr: do not call mr_mfc_uses_dev() for unres entries (CVE-2025-21719)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: handle errors that nilfs_prepare_chunk() may return (CVE-2025-21721)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: do not force clear folio if buffer is referenced (CVE-2025-21722)
In the Linux kernel, the following vulnerability has been resolved:
bpf: Send signals asynchronously if !preemptible (CVE-2025-21728)
In the Linux kernel, the following vulnerability has been resolved:
nbd: don't allow reconnect after disconnect (CVE-2025-21731)
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753)
In the Linux kernel, the following vulnerability has been resolved:
ndisc: extend RCU protection in ndisc_send_skb() (CVE-2025-21760)
In the Linux kernel, the following vulnerability has been resolved:
openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761)
In the Linux kernel, the following vulnerability has been resolved:
arp: use RCU protection in arp_xmit() (CVE-2025-21762)
In the Linux kernel, the following vulnerability has been resolved:
neighbour: use RCU protection in __neigh_notify() (CVE-2025-21763)
In the Linux kernel, the following vulnerability has been resolved:
ndisc: use RCU protection in ndisc_alloc_skb() (CVE-2025-21764)
In the Linux kernel, the following vulnerability has been resolved:
partitions: mac: fix handling of bogus partition table (CVE-2025-21772)
In the Linux kernel, the following vulnerability has been resolved:
USB: hub: Ignore non-compliant devices with too many configs or interfaces (CVE-2025-21776)
In the Linux kernel, the following vulnerability has been resolved:
arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785)
In the Linux kernel, the following vulnerability has been resolved:
team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787)
In the Linux kernel, the following vulnerability has been resolved:
vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)
In the Linux kernel, the following vulnerability has been resolved:
net: let net.core.dev_weight always be non-zero (CVE-2025-21806)
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: protect access to buffers with no active references (CVE-2025-21811)
In the Linux kernel, the following vulnerability has been resolved:
ptp: Ensure info->enable callback is always set (CVE-2025-21814)
In the Linux kernel, the following vulnerability has been resolved:
acct: perform last write from workqueue (CVE-2025-21846)
In the Linux kernel, the following vulnerability has been resolved:
geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)
In the Linux kernel, the following vulnerability has been resolved:
drop_monitor: fix incorrect initialization order (CVE-2025-21862)
In the Linux kernel, the following vulnerability has been resolved:
usbnet: gl620a: fix endpoint checking in genelink_bind() (CVE-2025-21877)
In the Linux kernel, the following vulnerability has been resolved:
vlan: enforce underlying device type (CVE-2025-21920)
In the Linux kernel, the following vulnerability has been resolved:
ppp: Fix KMSAN uninit-value warning with bpf (CVE-2025-21922)
In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926)
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CVE-2025-21928)
In the Linux kernel, the following vulnerability has been resolved:
HID: appleir: Fix potential NULL dereference at raw event handle (CVE-2025-21948)
Affected Packages:
kernel
Note:
This advisory is applicable to Amazon Linux 2 - Kernel-5.4 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update kernel to update your system.
System reboot is required in order to complete this update.
aarch64:
kernel-5.4.291-206.400.amzn2.aarch64
kernel-headers-5.4.291-206.400.amzn2.aarch64
kernel-debuginfo-common-aarch64-5.4.291-206.400.amzn2.aarch64
perf-5.4.291-206.400.amzn2.aarch64
perf-debuginfo-5.4.291-206.400.amzn2.aarch64
python-perf-5.4.291-206.400.amzn2.aarch64
python-perf-debuginfo-5.4.291-206.400.amzn2.aarch64
kernel-tools-5.4.291-206.400.amzn2.aarch64
kernel-tools-devel-5.4.291-206.400.amzn2.aarch64
kernel-tools-debuginfo-5.4.291-206.400.amzn2.aarch64
bpftool-5.4.291-206.400.amzn2.aarch64
bpftool-debuginfo-5.4.291-206.400.amzn2.aarch64
kernel-devel-5.4.291-206.400.amzn2.aarch64
kernel-debuginfo-5.4.291-206.400.amzn2.aarch64
i686:
kernel-headers-5.4.291-206.400.amzn2.i686
src:
kernel-5.4.291-206.400.amzn2.src
x86_64:
kernel-5.4.291-206.400.amzn2.x86_64
kernel-headers-5.4.291-206.400.amzn2.x86_64
kernel-debuginfo-common-x86_64-5.4.291-206.400.amzn2.x86_64
perf-5.4.291-206.400.amzn2.x86_64
perf-debuginfo-5.4.291-206.400.amzn2.x86_64
python-perf-5.4.291-206.400.amzn2.x86_64
python-perf-debuginfo-5.4.291-206.400.amzn2.x86_64
kernel-tools-5.4.291-206.400.amzn2.x86_64
kernel-tools-devel-5.4.291-206.400.amzn2.x86_64
kernel-tools-debuginfo-5.4.291-206.400.amzn2.x86_64
bpftool-5.4.291-206.400.amzn2.x86_64
bpftool-debuginfo-5.4.291-206.400.amzn2.x86_64
kernel-devel-5.4.291-206.400.amzn2.x86_64
kernel-debuginfo-5.4.291-206.400.amzn2.x86_64
2025-06-19: CVE-2025-21948 was added to this advisory.
2025-06-19: CVE-2025-21922 was added to this advisory.
2025-05-21: CVE-2024-57973 was added to this advisory.
2025-05-21: CVE-2025-21708 was added to this advisory.
2025-05-21: CVE-2025-21806 was added to this advisory.
2025-05-21: CVE-2025-21877 was added to this advisory.
2025-05-21: CVE-2024-58090 was added to this advisory.
2025-05-21: CVE-2025-21862 was added to this advisory.
2025-05-21: CVE-2025-21846 was added to this advisory.
2025-05-21: CVE-2024-57977 was added to this advisory.
2025-05-21: CVE-2025-21719 was added to this advisory.
2025-05-21: CVE-2025-21728 was added to this advisory.
2025-05-21: CVE-2024-58071 was added to this advisory.
2025-05-21: CVE-2025-21721 was added to this advisory.
2025-05-21: CVE-2025-21772 was added to this advisory.
2025-05-21: CVE-2024-58020 was added to this advisory.
2025-05-21: CVE-2024-57986 was added to this advisory.
2025-05-21: CVE-2025-21814 was added to this advisory.
2025-05-21: CVE-2025-21926 was added to this advisory.
2025-05-21: CVE-2024-57981 was added to this advisory.
2025-05-21: CVE-2025-21776 was added to this advisory.
2025-05-21: CVE-2025-21787 was added to this advisory.
2025-04-23: CVE-2025-21928 was added to this advisory.
2025-04-23: CVE-2025-21920 was added to this advisory.
2025-04-09: CVE-2025-21785 was added to this advisory.
2025-04-09: CVE-2025-21811 was added to this advisory.
2025-04-09: CVE-2025-21858 was added to this advisory.
2025-04-09: CVE-2024-58083 was added to this advisory.