ALAS2023-2025-901


Amazon Linux 2023 Security Advisory: ALAS2023-2025-901
Advisory Released Date: 2025-03-26
Advisory Updated Date: 2025-06-19
Severity: Important

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

netfilter: allow exp not to be removed in nf_ct_find_expectation (CVE-2023-52927)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix use-after-free of signing key (CVE-2024-53179)

In the Linux kernel, the following vulnerability has been resolved:

memcg: fix soft lockup in the OOM process (CVE-2024-57977)

In the Linux kernel, the following vulnerability has been resolved:

tpm: Change to kvalloc() in eventlog/acpi.c (CVE-2024-58005)

In the Linux kernel, the following vulnerability has been resolved:

sched/core: Prevent rescheduling when interrupts are disabled (CVE-2024-58090)

In the Linux kernel, the following vulnerability has been resolved:

pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702)

In the Linux kernel, the following vulnerability has been resolved:

smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844)

In the Linux kernel, the following vulnerability has been resolved:

acct: perform last write from workqueue (CVE-2025-21846)

In the Linux kernel, the following vulnerability has been resolved:

geneve: Fix use-after-free in geneve_find_dev(). (CVE-2025-21858)

In the Linux kernel, the following vulnerability has been resolved:

tcp: drop secpath at the same time as we currently drop dst (CVE-2025-21864)

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (CVE-2025-21867)

In the Linux kernel, the following vulnerability has been resolved:

mptcp: always handle address removal under msk socket lock (CVE-2025-21875)

In the Linux kernel, the following vulnerability has been resolved:

uprobes: Reject the shared zeropage in uprobe_write_opcode() (CVE-2025-21881)

In the Linux kernel, the following vulnerability has been resolved:

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (CVE-2025-21887)

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: ensure network headers are in skb linear part (CVE-2025-21891)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix bad hist from corrupting named_triggers list (CVE-2025-21899)


Affected Packages:

kernel


Issue Correction:
Run dnf update kernel --releasever 2023.6.20250317 to update your system.
System reboot is required in order to complete this update.
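
A post-update check for the correction above, added here as an example and not part of the advisory: it compares the running kernel (uname -r) and the newest installed kernel package against the fixed build 6.1.130-139.222.amzn2023 from the New Packages list, and reports when the package is installed but the reboot is still pending. The function names and the --host switch are assumptions of this example, and GNU sort -V is used as an approximation of RPM version ordering.

```bash
#!/usr/bin/env bash
# Added example: verify that a host actually runs the kernel fixed by this advisory.
# FIXED is the version-release from the advisory's "New Packages" list.
FIXED="6.1.130-139.222.amzn2023"

# Drop the trailing architecture that `uname -r` appends (.x86_64 / .aarch64).
strip_arch() {
  local v=${1%.x86_64}
  printf '%s\n' "${v%.aarch64}"
}

# Succeeds when $1 >= $2. Uses GNU `sort -V`, which approximates RPM ordering
# for kernel version-release strings of this shape (assumption of this example).
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# classify RUNNING NEWEST_INSTALLED
#   patched          running kernel is at or above the fixed build
#   reboot-required  fixed package is installed, but an older kernel is still running
#   update-required  no installed kernel reaches the fixed build
classify() {
  local running installed
  running=$(strip_arch "$1")
  installed=$(strip_arch "$2")
  if ver_ge "$running" "$FIXED"; then
    echo patched
  elif ver_ge "$installed" "$FIXED"; then
    echo reboot-required
  else
    echo update-required
  fi
}

# On a real host: ./check.sh --host
if [ "${1:-}" = "--host" ]; then
  newest=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' | sort -V | tail -n1)
  classify "$(uname -r)" "$newest"
fi
```

A result of reboot-required is the state the advisory's reboot note refers to: the dnf transaction has completed, but the old kernel is still the one running.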

New Packages:
aarch64:
    kernel-tools-6.1.130-139.222.amzn2023.aarch64
    kernel-libbpf-static-6.1.130-139.222.amzn2023.aarch64
    kernel-libbpf-devel-6.1.130-139.222.amzn2023.aarch64
    bpftool-debuginfo-6.1.130-139.222.amzn2023.aarch64
    kernel-livepatch-6.1.130-139.222-1.0-0.amzn2023.aarch64
    perf-debuginfo-6.1.130-139.222.amzn2023.aarch64
    perf-6.1.130-139.222.amzn2023.aarch64
    kernel-libbpf-6.1.130-139.222.amzn2023.aarch64
    kernel-modules-extra-common-6.1.130-139.222.amzn2023.aarch64
    bpftool-6.1.130-139.222.amzn2023.aarch64
    python3-perf-6.1.130-139.222.amzn2023.aarch64
    kernel-headers-6.1.130-139.222.amzn2023.aarch64
    kernel-tools-devel-6.1.130-139.222.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.130-139.222.amzn2023.aarch64
    kernel-modules-extra-6.1.130-139.222.amzn2023.aarch64
    python3-perf-debuginfo-6.1.130-139.222.amzn2023.aarch64
    kernel-debuginfo-6.1.130-139.222.amzn2023.aarch64
    kernel-6.1.130-139.222.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.130-139.222.amzn2023.aarch64
    kernel-devel-6.1.130-139.222.amzn2023.aarch64

src:
    kernel-6.1.130-139.222.amzn2023.src

x86_64:
    kernel-libbpf-static-6.1.130-139.222.amzn2023.x86_64
    kernel-libbpf-6.1.130-139.222.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.130-139.222.amzn2023.x86_64
    perf-6.1.130-139.222.amzn2023.x86_64
    kernel-tools-6.1.130-139.222.amzn2023.x86_64
    bpftool-6.1.130-139.222.amzn2023.x86_64
    bpftool-debuginfo-6.1.130-139.222.amzn2023.x86_64
    python3-perf-debuginfo-6.1.130-139.222.amzn2023.x86_64
    kernel-modules-extra-6.1.130-139.222.amzn2023.x86_64
    kernel-livepatch-6.1.130-139.222-1.0-0.amzn2023.x86_64
    perf-debuginfo-6.1.130-139.222.amzn2023.x86_64
    kernel-libbpf-devel-6.1.130-139.222.amzn2023.x86_64
    kernel-tools-devel-6.1.130-139.222.amzn2023.x86_64
    kernel-modules-extra-common-6.1.130-139.222.amzn2023.x86_64
    python3-perf-6.1.130-139.222.amzn2023.x86_64
    kernel-headers-6.1.130-139.222.amzn2023.x86_64
    kernel-debuginfo-6.1.130-139.222.amzn2023.x86_64
    kernel-6.1.130-139.222.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.130-139.222.amzn2023.x86_64
    kernel-devel-6.1.130-139.222.amzn2023.x86_64

Changelog:

2025-06-19: CVE-2025-21899 was added to this advisory.

2025-06-05: CVE-2025-21881 was added to this advisory.

2025-06-05: CVE-2025-21867 was added to this advisory.

2025-06-05: CVE-2024-58005 was added to this advisory.

2025-06-05: CVE-2025-21846 was added to this advisory.

2025-06-05: CVE-2024-57977 was added to this advisory.

2025-06-05: CVE-2025-21875 was added to this advisory.

2025-06-05: CVE-2023-52927 was added to this advisory.

2025-06-05: CVE-2025-21864 was added to this advisory.

2025-06-05: CVE-2025-21891 was added to this advisory.

2025-06-05: CVE-2024-58090 was added to this advisory.

2025-06-05: CVE-2025-21844 was added to this advisory.

2025-04-07: CVE-2025-21858 was added to this advisory.

2025-04-07: CVE-2025-21887 was added to this advisory.