ALAS2023-2025-994

Amazon Linux 2023 Security Advisory: ALAS2023-2025-994
Advisory Released Date: 2025-06-10
Advisory Updated Date: 2025-07-01

Severity: Important

References: CVE-2024-57976 CVE-2025-21709 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21884 CVE-2025-22108 CVE-2025-22120 CVE-2025-37797 CVE-2025-37799 CVE-2025-37813 CVE-2025-37814 CVE-2025-37878 CVE-2025-37900 CVE-2025-37913 CVE-2025-37914 CVE-2025-37915 CVE-2025-37920 CVE-2025-37923 CVE-2025-37929 CVE-2025-37957 CVE-2025-37964 CVE-2025-37997
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

In the Linux kernel, the following vulnerability has been resolved:

btrfs: do proper folio cleanup when cow_file_range() failed (CVE-2024-57976)

In the Linux kernel, the following vulnerability has been resolved:

kernel: be more careful about dup_mmap() failures and uprobe registering (CVE-2025-21709)

In the Linux kernel, the following vulnerability has been resolved:

block: fix queue freeze vs limits lock order in sysfs store methods (CVE-2025-21807)

In the Linux kernel, the following vulnerability has been resolved:

block: mark GFP_NOIO around sysfs ->store() (CVE-2025-21817)

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (CVE-2025-21833)

In the Linux kernel, the following vulnerability has been resolved:

net: better track kernel sockets lifetime (CVE-2025-21884)

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Mask the bd_cnt field in the TX BD properly (CVE-2025-22108)

In the Linux kernel, the following vulnerability has been resolved:

ext4: goto right label 'out_mmap_sem' in ext4_setattr() (CVE-2025-22120)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class handling (CVE-2025-37797)

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (CVE-2025-37799)

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix invalid pointer dereference in Etron workaround (CVE-2025-37813)

In the Linux kernel, the following vulnerability has been resolved:

tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT (CVE-2025-37814)

In the Linux kernel, the following vulnerability has been resolved:

perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init (CVE-2025-37878)

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix two issues in iommu_copy_struct_from_user() (CVE-2025-37900)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: qfq: Fix double list add in class with netem as child qdisc (CVE-2025-37913)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: ets: Fix double list add in class with netem as child qdisc (CVE-2025-37914)

In the Linux kernel, the following vulnerability has been resolved:

net_sched: drr: Fix double list add in class with netem as child qdisc (CVE-2025-37915)

In the Linux kernel, the following vulnerability has been resolved:

xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920)

In the Linux kernel, the following vulnerability has been resolved:

tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923)

In the Linux kernel, the following vulnerability has been resolved:

arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (CVE-2025-37929)

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (CVE-2025-37957)

In the Linux kernel, the following vulnerability has been resolved:

x86/mm: Eliminate window where TLB flushes may be inadvertently skipped (CVE-2025-37964)

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix region locking in hash types (CVE-2025-37997)

Affected Packages:

kernel6.12

Issue Correction:
Follow the instructions in the Amazon Linux 2023 documentation to update the system.

New Packages:

aarch64:
    kernel-libbpf-debuginfo-6.12.29-33.102.amzn2023.aarch64
    kernel-modules-extra-common-6.12.29-33.102.amzn2023.aarch64
    bpftool-debuginfo-6.12.29-33.102.amzn2023.aarch64
    python3-perf6.12-6.12.29-33.102.amzn2023.aarch64
    kernel-tools-debuginfo-6.12.29-33.102.amzn2023.aarch64
    python3-perf6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
    kernel-livepatch-6.12.29-33.102-1.0-0.amzn2023.aarch64
    kernel-tools-devel-6.12.29-33.102.amzn2023.aarch64
    bpftool-6.12.29-33.102.amzn2023.aarch64
    kernel-libbpf-devel-6.12.29-33.102.amzn2023.aarch64
    perf6.12-6.12.29-33.102.amzn2023.aarch64
    perf6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
    kernel-libbpf-6.12.29-33.102.amzn2023.aarch64
    kernel-libbpf-static-6.12.29-33.102.amzn2023.aarch64
    kernel6.12-modules-extra-6.12.29-33.102.amzn2023.aarch64
    kernel-tools-6.12.29-33.102.amzn2023.aarch64
    kernel6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
    kernel-headers-6.12.29-33.102.amzn2023.aarch64
    kernel6.12-6.12.29-33.102.amzn2023.aarch64
    kernel6.12-debuginfo-common-aarch64-6.12.29-33.102.amzn2023.aarch64
    kernel-devel-6.12.29-33.102.amzn2023.aarch64

src:
    kernel6.12-6.12.29-33.102.amzn2023.src

x86_64:
    kernel-libbpf-debuginfo-6.12.29-33.102.amzn2023.x86_64
    kernel-tools-debuginfo-6.12.29-33.102.amzn2023.x86_64
    bpftool-debuginfo-6.12.29-33.102.amzn2023.x86_64
    python3-perf6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
    kernel-tools-6.12.29-33.102.amzn2023.x86_64
    kernel-libbpf-devel-6.12.29-33.102.amzn2023.x86_64
    kernel-modules-extra-common-6.12.29-33.102.amzn2023.x86_64
    kernel-libbpf-6.12.29-33.102.amzn2023.x86_64
    perf6.12-6.12.29-33.102.amzn2023.x86_64
    perf6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
    bpftool-6.12.29-33.102.amzn2023.x86_64
    kernel-tools-devel-6.12.29-33.102.amzn2023.x86_64
    kernel-livepatch-6.12.29-33.102-1.0-0.amzn2023.x86_64
    kernel-headers-6.12.29-33.102.amzn2023.x86_64
    kernel-libbpf-static-6.12.29-33.102.amzn2023.x86_64
    python3-perf6.12-6.12.29-33.102.amzn2023.x86_64
    kernel6.12-modules-extra-6.12.29-33.102.amzn2023.x86_64
    kernel6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
    kernel6.12-6.12.29-33.102.amzn2023.x86_64
    kernel6.12-debuginfo-common-x86_64-6.12.29-33.102.amzn2023.x86_64
    kernel-devel-6.12.29-33.102.amzn2023.x86_64

Changelog:

2025-07-01: CVE-2025-37997 was added to this advisory.

2025-07-01: CVE-2025-37814 was added to this advisory.

2025-07-01: CVE-2025-37964 was added to this advisory.

2025-07-01: CVE-2025-37813 was added to this advisory.

2025-07-01: CVE-2025-37920 was added to this advisory.

2025-07-01: CVE-2025-37929 was added to this advisory.

2025-07-01: CVE-2025-37799 was added to this advisory.

2025-07-01: CVE-2025-37957 was added to this advisory.

2025-07-01: CVE-2025-37900 was added to this advisory.

2025-06-26: CVE-2025-37923 was added to this advisory.

2025-06-19: CVE-2025-22120 was added to this advisory.

2025-06-19: CVE-2025-37913 was added to this advisory.

2025-06-19: CVE-2025-37797 was added to this advisory.

2025-06-19: CVE-2025-37915 was added to this advisory.

2025-06-19: CVE-2025-37878 was added to this advisory.

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2024-57976, CVE-2025-21709, CVE-2025-21807, CVE-2025-21817, CVE-2025-21833, CVE-2025-21884, CVE-2025-22108, CVE-2025-22120, CVE-2025-37797, CVE-2025-37799, CVE-2025-37813, CVE-2025-37814, CVE-2025-37878, CVE-2025-37900, CVE-2025-37913, CVE-2025-37914, CVE-2025-37915, CVE-2025-37920, CVE-2025-37923, CVE-2025-37929, CVE-2025-37957, CVE-2025-37964, CVE-2025-37997

Mitre: CVE-2024-57976, CVE-2025-21709, CVE-2025-21807, CVE-2025-21817, CVE-2025-21833, CVE-2025-21884, CVE-2025-22108, CVE-2025-22120, CVE-2025-37797, CVE-2025-37799, CVE-2025-37813, CVE-2025-37814, CVE-2025-37878, CVE-2025-37900, CVE-2025-37913, CVE-2025-37914, CVE-2025-37915, CVE-2025-37920, CVE-2025-37923, CVE-2025-37929, CVE-2025-37957, CVE-2025-37964, CVE-2025-37997