[El-errata] ELSA-2025-21112 Moderate: Oracle Linux 9 kernel security update

Thu Nov 27 21:58:31 UTC 2025

Oracle Linux Security Advisory ELSA-2025-21112

http://linux.oracle.com/errata/ELSA-2025-21112.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-abi-stablelists-5.14.0-611.7.1.el9_7.noarch.rpm
kernel-core-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-cross-headers-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-core-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-devel-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-modules-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-debug-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-devel-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-doc-5.14.0-611.7.1.el9_7.noarch.rpm
kernel-headers-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-modules-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-tools-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-tools-libs-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm
kernel-uki-virt-addons-5.14.0-611.7.1.el9_7.x86_64.rpm
libperf-5.14.0-611.7.1.el9_7.x86_64.rpm
perf-5.14.0-611.7.1.el9_7.x86_64.rpm
python3-perf-5.14.0-611.7.1.el9_7.x86_64.rpm
rtla-5.14.0-611.7.1.el9_7.x86_64.rpm
rv-5.14.0-611.7.1.el9_7.x86_64.rpm

aarch64:
kernel-cross-headers-5.14.0-611.7.1.el9_7.aarch64.rpm
kernel-headers-5.14.0-611.7.1.el9_7.aarch64.rpm
kernel-tools-5.14.0-611.7.1.el9_7.aarch64.rpm
kernel-tools-libs-5.14.0-611.7.1.el9_7.aarch64.rpm
kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.aarch64.rpm
libperf-5.14.0-611.7.1.el9_7.aarch64.rpm
perf-5.14.0-611.7.1.el9_7.aarch64.rpm
python3-perf-5.14.0-611.7.1.el9_7.aarch64.rpm
rtla-5.14.0-611.7.1.el9_7.aarch64.rpm
rv-5.14.0-611.7.1.el9_7.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-5.14.0-611.7.1.el9_7.src.rpm

Related CVEs:

CVE-2022-50087
CVE-2022-50367
CVE-2023-53331
CVE-2023-53373
CVE-2023-53494
CVE-2025-38566
CVE-2025-38571
CVE-2025-39702
CVE-2025-39718
CVE-2025-39817
CVE-2025-39841
CVE-2025-39849
CVE-2025-40300

Description of changes:

[5.14.0-611.7.1]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-611.7.1]
- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hájková)
- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}

[5.14.0-611.6.1]
- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]