ALAS2023-2025-947

Amazon Linux 2023 Security Advisory: ALAS2023-2025-947
Advisory Released Date: 2025-04-29
Advisory Updated Date: 2025-06-19

Severity: Important

References: CVE-2024-46753 CVE-2025-21759 CVE-2025-22021 CVE-2025-22025 CVE-2025-22027 CVE-2025-22033 CVE-2025-22035 CVE-2025-22044 CVE-2025-22045 CVE-2025-22055 CVE-2025-22056 CVE-2025-22058 CVE-2025-22063 CVE-2025-22075 CVE-2025-22081 CVE-2025-22086 CVE-2025-22089 CVE-2025-23136 CVE-2025-37785 CVE-2025-38637
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

btrfs: handle errors from btrfs_dec_ref() properly (CVE-2024-46753)

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: extend RCU protection in igmp6_send() (CVE-2025-21759)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: socket: Lookup orig tuple for IPv6 SNAT (CVE-2025-22021)

In the Linux kernel, the following vulnerability has been resolved:

nfsd: put dl_stid if fail to queue dl_recall (CVE-2025-22025)

In the Linux kernel, the following vulnerability has been resolved:

media: streamzap: fix race between device disconnection and urb callback (CVE-2025-22027)

In the Linux kernel, the following vulnerability has been resolved:

arm64: Don't call NULL in do_compat_alignment_fixup() (CVE-2025-22033)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix use-after-free in print_graph_function_flags during tracer switching (CVE-2025-22035)

In the Linux kernel, the following vulnerability has been resolved:

acpi: nfit: fix narrowing conversion in acpi_nfit_ctl (CVE-2025-22044)

In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs (CVE-2025-22045)

In the Linux kernel, the following vulnerability has been resolved:

net: fix geneve_opt length integer overflow (CVE-2025-22055)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_tunnel: fix geneve_opt type confusion addition (CVE-2025-22056)

In the Linux kernel, the following vulnerability has been resolved:

udp: Fix memory accounting leak. (CVE-2025-22058)

In the Linux kernel, the following vulnerability has been resolved:

netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets (CVE-2025-22063)

In the Linux kernel, the following vulnerability has been resolved:

rtnetlink: Allocate vfinfo size for VF GUIDs when supported (CVE-2025-22075)

In the Linux kernel, the following vulnerability has been resolved:

fs/ntfs3: Fix a couple integer overflows on 32bit systems (CVE-2025-22081)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow (CVE-2025-22086)

In the Linux kernel, the following vulnerability has been resolved:

RDMA/core: Don't expose hw_counters outside of init net namespace (CVE-2025-22089)

In the Linux kernel, the following vulnerability has been resolved:

thermal: int340x: Add NULL check for adev (CVE-2025-23136)

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix OOB read when checking dotdot dir (CVE-2025-37785)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: skbprio: Remove overly strict queue assertions (CVE-2025-38637)

Affected Packages:

kernel

Issue Correction:
Run dnf update kernel --releasever 2023.7.20250428 to update your system.
System reboot is required in order to complete this update.

New Packages:

aarch64:
    kernel-livepatch-6.1.134-150.224-1.0-0.amzn2023.aarch64
    kernel-libbpf-debuginfo-6.1.134-150.224.amzn2023.aarch64
    kernel-modules-extra-6.1.134-150.224.amzn2023.aarch64
    bpftool-6.1.134-150.224.amzn2023.aarch64
    kernel-modules-extra-common-6.1.134-150.224.amzn2023.aarch64
    python3-perf-6.1.134-150.224.amzn2023.aarch64
    kernel-tools-6.1.134-150.224.amzn2023.aarch64
    kernel-libbpf-devel-6.1.134-150.224.amzn2023.aarch64
    kernel-headers-6.1.134-150.224.amzn2023.aarch64
    python3-perf-debuginfo-6.1.134-150.224.amzn2023.aarch64
    kernel-tools-debuginfo-6.1.134-150.224.amzn2023.aarch64
    kernel-libbpf-6.1.134-150.224.amzn2023.aarch64
    bpftool-debuginfo-6.1.134-150.224.amzn2023.aarch64
    perf-debuginfo-6.1.134-150.224.amzn2023.aarch64
    perf-6.1.134-150.224.amzn2023.aarch64
    kernel-tools-devel-6.1.134-150.224.amzn2023.aarch64
    kernel-6.1.134-150.224.amzn2023.aarch64
    kernel-libbpf-static-6.1.134-150.224.amzn2023.aarch64
    kernel-debuginfo-6.1.134-150.224.amzn2023.aarch64
    kernel-debuginfo-common-aarch64-6.1.134-150.224.amzn2023.aarch64
    kernel-devel-6.1.134-150.224.amzn2023.aarch64

src:
    kernel-6.1.134-150.224.amzn2023.src

x86_64:
    bpftool-6.1.134-150.224.amzn2023.x86_64
    kernel-libbpf-debuginfo-6.1.134-150.224.amzn2023.x86_64
    kernel-libbpf-6.1.134-150.224.amzn2023.x86_64
    kernel-tools-6.1.134-150.224.amzn2023.x86_64
    perf-debuginfo-6.1.134-150.224.amzn2023.x86_64
    kernel-modules-extra-6.1.134-150.224.amzn2023.x86_64
    kernel-livepatch-6.1.134-150.224-1.0-0.amzn2023.x86_64
    kernel-modules-extra-common-6.1.134-150.224.amzn2023.x86_64
    kernel-tools-debuginfo-6.1.134-150.224.amzn2023.x86_64
    python3-perf-debuginfo-6.1.134-150.224.amzn2023.x86_64
    perf-6.1.134-150.224.amzn2023.x86_64
    kernel-libbpf-static-6.1.134-150.224.amzn2023.x86_64
    kernel-headers-6.1.134-150.224.amzn2023.x86_64
    kernel-libbpf-devel-6.1.134-150.224.amzn2023.x86_64
    python3-perf-6.1.134-150.224.amzn2023.x86_64
    kernel-tools-devel-6.1.134-150.224.amzn2023.x86_64
    bpftool-debuginfo-6.1.134-150.224.amzn2023.x86_64
    kernel-debuginfo-6.1.134-150.224.amzn2023.x86_64
    kernel-6.1.134-150.224.amzn2023.x86_64
    kernel-debuginfo-common-x86_64-6.1.134-150.224.amzn2023.x86_64
    kernel-devel-6.1.134-150.224.amzn2023.x86_64

Changelog:

2025-06-19: CVE-2025-22025 was added to this advisory.

2025-06-19: CVE-2025-22089 was added to this advisory.

2025-06-19: CVE-2025-22033 was added to this advisory.

2025-06-19: CVE-2025-22081 was added to this advisory.

2025-06-19: CVE-2025-38637 was added to this advisory.

2025-06-19: CVE-2025-22075 was added to this advisory.

2025-06-19: CVE-2025-22063 was added to this advisory.

2025-06-19: CVE-2025-22044 was added to this advisory.

2025-06-19: CVE-2025-23136 was added to this advisory.

2025-06-19: CVE-2025-22027 was added to this advisory.

2025-06-19: CVE-2025-22045 was added to this advisory.

2025-06-19: CVE-2025-37785 was added to this advisory.

2025-06-19: CVE-2025-22086 was added to this advisory.

2025-06-19: CVE-2025-22021 was added to this advisory.

2025-06-05: CVE-2025-22055 was added to this advisory.

2025-06-05: CVE-2025-22058 was added to this advisory.

2025-06-05: CVE-2025-22056 was added to this advisory.

2025-06-05: CVE-2025-22035 was added to this advisory.

2025-05-06: CVE-2024-46753 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-46753, CVE-2025-21759, CVE-2025-22021, CVE-2025-22025, CVE-2025-22027, CVE-2025-22033, CVE-2025-22035, CVE-2025-22044, CVE-2025-22045, CVE-2025-22055, CVE-2025-22056, CVE-2025-22058, CVE-2025-22063, CVE-2025-22075, CVE-2025-22081, CVE-2025-22086, CVE-2025-22089, CVE-2025-23136, CVE-2025-37785, CVE-2025-38637

Mitre: CVE-2024-46753, CVE-2025-21759, CVE-2025-22021, CVE-2025-22025, CVE-2025-22027, CVE-2025-22033, CVE-2025-22035, CVE-2025-22044, CVE-2025-22045, CVE-2025-22055, CVE-2025-22056, CVE-2025-22058, CVE-2025-22063, CVE-2025-22075, CVE-2025-22081, CVE-2025-22086, CVE-2025-22089, CVE-2025-23136, CVE-2025-37785, CVE-2025-38637