Amazon Linux 2023 Security Advisory: ALAS2023-2025-994
Advisory Released Date: 2025-06-10
Advisory Updated Date: 2025-08-26
In the Linux kernel, the following vulnerabilities have been resolved:
btrfs: do proper folio cleanup when cow_file_range() failed (CVE-2024-57976)
kernel: be more careful about dup_mmap() failures and uprobe registering (CVE-2025-21709)
block: fix queue freeze vs limits lock order in sysfs store methods (CVE-2025-21807)
block: mark GFP_NOIO around sysfs ->store() (CVE-2025-21817)
iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE (CVE-2025-21833)
net: better track kernel sockets lifetime (CVE-2025-21884)
bnxt_en: Mask the bd_cnt field in the TX BD properly (CVE-2025-22108)
ext4: goto right label 'out_mmap_sem' in ext4_setattr() (CVE-2025-22120)
net_sched: hfsc: Fix a UAF vulnerability in class handling (CVE-2025-37797)
vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp (CVE-2025-37799)
driver core: fix potential NULL pointer dereference in dev_uevent() (CVE-2025-37800)
fs/ntfs3: Keep write operations atomic (CVE-2025-37806)
bpf: Fix kmemleak warning for percpu hashmap (CVE-2025-37807)
crypto: null - Use spin lock instead of mutex (CVE-2025-37808)
usb: typec: class: Fix NULL pointer access (CVE-2025-37809)
usb: xhci: Fix invalid pointer dereference in Etron workaround (CVE-2025-37813)
tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT (CVE-2025-37814)
irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (CVE-2025-37819)
xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() (CVE-2025-37820)
sched/eevdf: Fix se->slice being set to U64_MAX and resulting crash (CVE-2025-37821)
net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (CVE-2025-37823)
btrfs: zoned: return EIO on RAID1 block group write pointer mismatch (CVE-2025-37827)
mm/vmscan: don't try to reclaim hwpoison folio (CVE-2025-37834)
netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS (CVE-2025-37876)
iommu: Clear iommu-dma ops on cleanup (CVE-2025-37877)
perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init (CVE-2025-37878)
usb: xhci: Fix isochronous Ring Underrun/Overrun event handling (CVE-2025-37882)
bpf: Fix deadlock between rcu_tasks_trace and event_mutex. (CVE-2025-37884)
KVM: x86: Reset IRTE to host control if *new* route isn't postable (CVE-2025-37885)
net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() (CVE-2025-37888)
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (CVE-2025-37890)
net: use sock_gen_put() when sk_state is TCP_TIME_WAIT (CVE-2025-37894)
iommu: Fix two issues in iommu_copy_struct_from_user() (CVE-2025-37900)
mm, slab: clean up slab->obj_exts always (CVE-2025-37908)
net_sched: qfq: Fix double list add in class with netem as child qdisc (CVE-2025-37913)
net_sched: ets: Fix double list add in class with netem as child qdisc (CVE-2025-37914)
net_sched: drr: Fix double list add in class with netem as child qdisc (CVE-2025-37915)
xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920)
vxlan: vnifilter: Fix unlocked deletion of default FDB entry (CVE-2025-37921)
tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923)
iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927)
dm-bufio: don't schedule in atomic context (CVE-2025-37928)
arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (CVE-2025-37929)
btrfs: adjust subpage bit start based on sectorsize (CVE-2025-37931)
sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37932)
perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. (CVE-2025-37936)
tracing: Verify event formats that have "%*p.." (CVE-2025-37938)
arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs (CVE-2025-37948)
xenbus: Use kref to track req lifetime (CVE-2025-37949)
smb: client: Avoid race in open_cached_dir with lease breaks (CVE-2025-37954)
virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable() (CVE-2025-37955)
KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception (CVE-2025-37957)
mm/huge_memory: fix dereferencing invalid pmd migration entry (CVE-2025-37958)
bpf: Scrub packet on bpf_redirect_peer (CVE-2025-37959)
memblock: Accept allocated memory before use in memblock_double_array() (CVE-2025-37960)
ipvs: fix uninit-value for saddr in do_output_route4 (CVE-2025-37961)
arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users (CVE-2025-37963)
x86/mm: Eliminate window where TLB flushes may be inadvertently skipped (CVE-2025-37964)
usb: typec: class: Invalidate USB device pointers on partner unregistration (CVE-2025-37986)
fix a couple of races in MNT_TREE_BENEATH handling by do_move_mount() (CVE-2025-37988)
net: phy: leds: fix memory leak (CVE-2025-37989)
module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995)
netfilter: ipset: fix region locking in hash types (CVE-2025-37997)
openvswitch: Fix unsafe attribute parsing in output_userspace() (CVE-2025-37998)
fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() (CVE-2025-37999)
sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-38177)
Affected Packages:
kernel6.12
Issue Correction:
To update your system, run one of the following commands:
    dnf update kernel6.12 --releasever 2023.7.20250609
    dnf update --advisory ALAS2023-2025-994 --releasever 2023.7.20250609
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
kernel-libbpf-debuginfo-6.12.29-33.102.amzn2023.aarch64
kernel-modules-extra-common-6.12.29-33.102.amzn2023.aarch64
bpftool-debuginfo-6.12.29-33.102.amzn2023.aarch64
python3-perf6.12-6.12.29-33.102.amzn2023.aarch64
kernel-tools-debuginfo-6.12.29-33.102.amzn2023.aarch64
python3-perf6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
kernel-livepatch-6.12.29-33.102-1.0-0.amzn2023.aarch64
kernel-tools-devel-6.12.29-33.102.amzn2023.aarch64
bpftool-6.12.29-33.102.amzn2023.aarch64
kernel-libbpf-devel-6.12.29-33.102.amzn2023.aarch64
perf6.12-6.12.29-33.102.amzn2023.aarch64
perf6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
kernel-libbpf-6.12.29-33.102.amzn2023.aarch64
kernel-libbpf-static-6.12.29-33.102.amzn2023.aarch64
kernel6.12-modules-extra-6.12.29-33.102.amzn2023.aarch64
kernel-tools-6.12.29-33.102.amzn2023.aarch64
kernel6.12-debuginfo-6.12.29-33.102.amzn2023.aarch64
kernel-headers-6.12.29-33.102.amzn2023.aarch64
kernel6.12-6.12.29-33.102.amzn2023.aarch64
kernel6.12-debuginfo-common-aarch64-6.12.29-33.102.amzn2023.aarch64
kernel-devel-6.12.29-33.102.amzn2023.aarch64
src:
kernel6.12-6.12.29-33.102.amzn2023.src
x86_64:
kernel-libbpf-debuginfo-6.12.29-33.102.amzn2023.x86_64
kernel-tools-debuginfo-6.12.29-33.102.amzn2023.x86_64
bpftool-debuginfo-6.12.29-33.102.amzn2023.x86_64
python3-perf6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
kernel-tools-6.12.29-33.102.amzn2023.x86_64
kernel-libbpf-devel-6.12.29-33.102.amzn2023.x86_64
kernel-modules-extra-common-6.12.29-33.102.amzn2023.x86_64
kernel-libbpf-6.12.29-33.102.amzn2023.x86_64
perf6.12-6.12.29-33.102.amzn2023.x86_64
perf6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
bpftool-6.12.29-33.102.amzn2023.x86_64
kernel-tools-devel-6.12.29-33.102.amzn2023.x86_64
kernel-livepatch-6.12.29-33.102-1.0-0.amzn2023.x86_64
kernel-headers-6.12.29-33.102.amzn2023.x86_64
kernel-libbpf-static-6.12.29-33.102.amzn2023.x86_64
python3-perf6.12-6.12.29-33.102.amzn2023.x86_64
kernel6.12-modules-extra-6.12.29-33.102.amzn2023.x86_64
kernel6.12-debuginfo-6.12.29-33.102.amzn2023.x86_64
kernel6.12-6.12.29-33.102.amzn2023.x86_64
kernel6.12-debuginfo-common-x86_64-6.12.29-33.102.amzn2023.x86_64
kernel-devel-6.12.29-33.102.amzn2023.x86_64
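Installing the packages above does not replace the kernel that is already running; the fixes take effect once the host boots the new build. The script below is an added example, not part of the advisory: it compares the running and installed kernel6.12 builds against the fixed version 6.12.29-33.102.amzn2023 from the package list. The function names and state labels are hypothetical, and it assumes `sort -V` orders these version strings the way RPM does.

```shell
#!/bin/sh
# Fixed kernel6.12 build, taken from the package list in this advisory.
FIXED="6.12.29-33.102.amzn2023"

# Drop the architecture suffix that `uname -r` appends (x86_64 or aarch64).
strip_arch() {
    v=${1%.x86_64}
    printf '%s\n' "${v%.aarch64}"
}

# version_ge A B: succeed when A >= B under `sort -V` ordering.
# Assumption: `sort -V` orders these version-release strings as RPM would.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify RUNNING INSTALLED: print the patch state of one host.
#   RUNNING   = output of `uname -r`
#   INSTALLED = newest installed kernel6.12 version-release, empty if none
classify() {
    running=$(strip_arch "$1")
    installed=$(strip_arch "$2")
    if [ -z "$installed" ]; then
        echo "not-applicable"        # kernel6.12 is not installed
    elif ! version_ge "$installed" "$FIXED"; then
        echo "update-required"       # no fixed build on disk yet
    else
        case $running in
            6.12.*) ;;
            *) echo "other-kernel-booted"; return 0 ;;
        esac
        if version_ge "$running" "$FIXED"; then
            echo "patched"
        else
            echo "reboot-required"   # fixed build installed, old one running
        fi
    fi
}

# Query the local host; prints not-applicable if rpm or kernel6.12 is absent.
report_host() {
    newest=""
    if command -v rpm >/dev/null 2>&1 && rpm -q kernel6.12 >/dev/null 2>&1; then
        newest=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel6.12 | sort -V | tail -n 1)
    fi
    classify "$(uname -r)" "$newest"
}

report_host
```

A result of `reboot-required` means the update was applied on disk but the host is still running a build older than the fixed one.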
2025-08-26: CVE-2025-37908 was added to this advisory.
2025-08-26: CVE-2025-37954 was added to this advisory.
2025-08-26: CVE-2025-37894 was added to this advisory.
2025-08-26: CVE-2025-37988 was added to this advisory.
2025-08-26: CVE-2025-37890 was added to this advisory.
2025-08-26: CVE-2025-37807 was added to this advisory.
2025-08-26: CVE-2025-38177 was added to this advisory.
2025-08-26: CVE-2025-37932 was added to this advisory.
2025-08-26: CVE-2025-37834 was added to this advisory.
2025-08-26: CVE-2025-37921 was added to this advisory.
2025-08-26: CVE-2025-37995 was added to this advisory.
2025-08-26: CVE-2025-37955 was added to this advisory.
2025-08-26: CVE-2025-37986 was added to this advisory.
2025-08-26: CVE-2025-37938 was added to this advisory.
2025-08-26: CVE-2025-37936 was added to this advisory.
2025-08-26: CVE-2025-37999 was added to this advisory.
2025-07-29: CVE-2025-37931 was added to this advisory.
2025-07-29: CVE-2025-37876 was added to this advisory.
2025-07-29: CVE-2025-37882 was added to this advisory.
2025-07-29: CVE-2025-37989 was added to this advisory.
2025-07-29: CVE-2025-37949 was added to this advisory.
2025-07-29: CVE-2025-37823 was added to this advisory.
2025-07-29: CVE-2025-37877 was added to this advisory.
2025-07-29: CVE-2025-37888 was added to this advisory.
2025-07-29: CVE-2025-37998 was added to this advisory.
2025-07-29: CVE-2025-37819 was added to this advisory.
2025-07-29: CVE-2025-37927 was added to this advisory.
2025-07-29: CVE-2025-37963 was added to this advisory.
2025-07-29: CVE-2025-37820 was added to this advisory.
2025-07-29: CVE-2025-37885 was added to this advisory.
2025-07-29: CVE-2025-37808 was added to this advisory.
2025-07-29: CVE-2025-37827 was added to this advisory.
2025-07-29: CVE-2025-37809 was added to this advisory.
2025-07-29: CVE-2025-37958 was added to this advisory.
2025-07-29: CVE-2025-37928 was added to this advisory.
2025-07-29: CVE-2025-37884 was added to this advisory.
2025-07-29: CVE-2025-37948 was added to this advisory.
2025-07-29: CVE-2025-37960 was added to this advisory.
2025-07-29: CVE-2025-37800 was added to this advisory.
2025-07-29: CVE-2025-37959 was added to this advisory.
2025-07-29: CVE-2025-37821 was added to this advisory.
2025-07-29: CVE-2025-37961 was added to this advisory.
2025-07-29: CVE-2025-37806 was added to this advisory.
2025-07-01: CVE-2025-37997 was added to this advisory.
2025-07-01: CVE-2025-37814 was added to this advisory.
2025-07-01: CVE-2025-37964 was added to this advisory.
2025-07-01: CVE-2025-37813 was added to this advisory.
2025-07-01: CVE-2025-37920 was added to this advisory.
2025-07-01: CVE-2025-37929 was added to this advisory.
2025-07-01: CVE-2025-37799 was added to this advisory.
2025-07-01: CVE-2025-37957 was added to this advisory.
2025-07-01: CVE-2025-37900 was added to this advisory.
2025-06-26: CVE-2025-37923 was added to this advisory.
2025-06-19: CVE-2025-22120 was added to this advisory.
2025-06-19: CVE-2025-37913 was added to this advisory.
2025-06-19: CVE-2025-37797 was added to this advisory.
2025-06-19: CVE-2025-37915 was added to this advisory.
2025-06-19: CVE-2025-37878 was added to this advisory.