ALAS2023-2025-915

Amazon Linux 2023 Security Advisory: ALAS2023-2025-915
Advisory Released Date: 2025-04-01
Advisory Updated Date: 2025-06-19

Severity: Important

References: CVE-2024-26982 CVE-2024-53166 CVE-2024-56549 CVE-2024-57979 CVE-2025-21700 CVE-2025-21701 CVE-2025-21726 CVE-2025-21727 CVE-2025-21731 CVE-2025-21753 CVE-2025-21756 CVE-2025-21758 CVE-2025-21760 CVE-2025-21761 CVE-2025-21762 CVE-2025-21763 CVE-2025-21764 CVE-2025-21791 CVE-2025-21796 CVE-2025-21913 CVE-2025-21919 CVE-2025-21920 CVE-2025-21926 CVE-2025-21928 CVE-2025-21938 CVE-2025-21948
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check the inode number is not the invalid value of zero (CVE-2024-26982)

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix bfqq uaf in bfq_limit_depth() (CVE-2024-53166)

In the Linux kernel, the following vulnerability has been resolved:

cachefiles: Fix NULL pointer dereference in object->file (CVE-2024-56549)

In the Linux kernel, the following vulnerability has been resolved:

pps: Fix a use-after-free (CVE-2024-57979)

In the Linux kernel, the following vulnerability has been resolved:

net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700)

In the Linux kernel, the following vulnerability has been resolved:

net: avoid race between device unregistration and ethnl ops (CVE-2025-21701)

In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work (CVE-2025-21726)

In the Linux kernel, the following vulnerability has been resolved:

padata: fix UAF in padata_reorder (CVE-2025-21727)

In the Linux kernel, the following vulnerability has been resolved:

nbd: don't allow reconnect after disconnect (CVE-2025-21731)

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753)

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction (CVE-2025-21756)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758)

In the Linux kernel, the following vulnerability has been resolved:

ndisc: extend RCU protection in ndisc_send_skb() (CVE-2025-21760)

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761)

In the Linux kernel, the following vulnerability has been resolved:

arp: use RCU protection in arp_xmit() (CVE-2025-21762)

In the Linux kernel, the following vulnerability has been resolved:

neighbour: use RCU protection in __neigh_notify() (CVE-2025-21763)

In the Linux kernel, the following vulnerability has been resolved:

ndisc: use RCU protection in ndisc_alloc_skb() (CVE-2025-21764)

In the Linux kernel, the following vulnerability has been resolved:

vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)

In the Linux kernel, the following vulnerability has been resolved:

x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range() (CVE-2025-21913)

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list (CVE-2025-21919)

In the Linux kernel, the following vulnerability has been resolved:

vlan: enforce underlying device type (CVE-2025-21920)

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix ownership in __udp_gso_segment (CVE-2025-21926)

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() (CVE-2025-21928)

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr (CVE-2025-21938)

In the Linux kernel, the following vulnerability has been resolved:

HID: appleir: Fix potential NULL dereference at raw event handle (CVE-2025-21948)

Affected Packages:

kernel

Issue Correction:
Run dnf update kernel --releasever 2023.7.20250331 to update your system.
System reboot is required in order to complete this update.

New Packages:

aarch64:
    kernel-libbpf-static-6.1.131-143.221.amzn2023.aarch64
    kernel-libbpf-devel-6.1.131-143.221.amzn2023.aarch64
    python3-perf-6.1.131-143.221.amzn2023.aarch64
    perf-6.1.131-143.221.amzn2023.aarch64
    bpftool-6.1.131-143.221.amzn2023.aarch64
    kernel-livepatch-6.1.131-143.221-1.0-0.amzn2023.aarch64
    kernel-libbpf-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-headers-6.1.131-143.221.amzn2023.aarch64
    python3-perf-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-modules-extra-6.1.131-143.221.amzn2023.aarch64
    kernel-libbpf-6.1.131-143.221.amzn2023.aarch64
    perf-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-modules-extra-common-6.1.131-143.221.amzn2023.aarch64
    bpftool-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-tools-devel-6.1.131-143.221.amzn2023.aarch64
    kernel-tools-6.1.131-143.221.amzn2023.aarch64
    kernel-6.1.131-143.221.amzn2023.aarch64
    kernel-debuginfo-6.1.131-143.221.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.131-143.221.amzn2023.aarch64
    kernel-devel-6.1.131-143.221.amzn2023.aarch64

src:
    kernel-6.1.131-143.221.amzn2023.src

x86_64:
    kernel-modules-extra-common-6.1.131-143.221.amzn2023.x86_64
    python3-perf-debuginfo-6.1.131-143.221.amzn2023.x86_64
    bpftool-6.1.131-143.221.amzn2023.x86_64
    kernel-libbpf-static-6.1.131-143.221.amzn2023.x86_64
    perf-debuginfo-6.1.131-143.221.amzn2023.x86_64
    kernel-modules-extra-6.1.131-143.221.amzn2023.x86_64
    python3-perf-6.1.131-143.221.amzn2023.x86_64
    kernel-libbpf-6.1.131-143.221.amzn2023.x86_64
    kernel-livepatch-6.1.131-143.221-1.0-0.amzn2023.x86_64
    kernel-libbpf-devel-6.1.131-143.221.amzn2023.x86_64
    kernel-libbpf-debuginfo-6.1.131-143.221.amzn2023.x86_64
    kernel-tools-devel-6.1.131-143.221.amzn2023.x86_64
    kernel-headers-6.1.131-143.221.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.131-143.221.amzn2023.x86_64
    kernel-tools-6.1.131-143.221.amzn2023.x86_64
    bpftool-debuginfo-6.1.131-143.221.amzn2023.x86_64
    perf-6.1.131-143.221.amzn2023.x86_64
    kernel-debuginfo-6.1.131-143.221.amzn2023.x86_64
    kernel-6.1.131-143.221.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.131-143.221.amzn2023.x86_64
    kernel-devel-6.1.131-143.221.amzn2023.x86_64

Changelog:

2025-06-19: CVE-2025-21948 was added to this advisory.

2025-06-05: CVE-2025-21913 was added to this advisory.

2025-06-05: CVE-2025-21938 was added to this advisory.

2025-04-23: CVE-2025-21920 was added to this advisory.

2025-04-23: CVE-2025-21919 was added to this advisory.

2025-04-23: CVE-2025-21928 was added to this advisory.

2025-04-23: CVE-2025-21926 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-26982, CVE-2024-53166, CVE-2024-56549, CVE-2024-57979, CVE-2025-21700, CVE-2025-21701, CVE-2025-21726, CVE-2025-21727, CVE-2025-21731, CVE-2025-21753, CVE-2025-21756, CVE-2025-21758, CVE-2025-21760, CVE-2025-21761, CVE-2025-21762, CVE-2025-21763, CVE-2025-21764, CVE-2025-21791, CVE-2025-21796, CVE-2025-21913, CVE-2025-21919, CVE-2025-21920, CVE-2025-21926, CVE-2025-21928, CVE-2025-21938, CVE-2025-21948

Mitre: CVE-2024-26982, CVE-2024-53166, CVE-2024-56549, CVE-2024-57979, CVE-2025-21700, CVE-2025-21701, CVE-2025-21726, CVE-2025-21727, CVE-2025-21731, CVE-2025-21753, CVE-2025-21756, CVE-2025-21758, CVE-2025-21760, CVE-2025-21761, CVE-2025-21762, CVE-2025-21763, CVE-2025-21764, CVE-2025-21791, CVE-2025-21796, CVE-2025-21913, CVE-2025-21919, CVE-2025-21920, CVE-2025-21926, CVE-2025-21928, CVE-2025-21938, CVE-2025-21948