[Ksplice][Ubuntu-24.04-Updates] New Ksplice updates for Ubuntu 24.04 Noble (USN-7513-1)

Oracle Ksplice gregory.herrero at oracle.com
Thu Jun 26 16:55:48 UTC 2025


Synopsis: USN-7513-1 can now be patched using Ksplice
CVEs: CVE-2024-41013 CVE-2024-53179 CVE-2024-53241 CVE-2024-53685 CVE-2024-56372 CVE-2024-56664 CVE-2024-56758 CVE-2024-57801 CVE-2024-57892 CVE-2024-57901 CVE-2024-57902 CVE-2024-57925 CVE-2024-57932 CVE-2024-57933 CVE-2025-21631 CVE-2025-21636 CVE-2025-21637 CVE-2025-21638 CVE-2025-21639 CVE-2025-21640 CVE-2025-21642 CVE-2025-21647 CVE-2025-21652 CVE-2025-21659 CVE-2025-21662 CVE-2025-21971

Systems running Ubuntu 24.04 Noble can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-7513-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 24.04
Noble install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2024-41013: Privilege escalation in XFS filesystem driver.

A missing check when using the XFS filesystem driver could lead to an
out-of-bounds memory access. A local attacker could use this flaw and a
crafted XFS image to gain root privileges.


* CVE-2024-53179: Denial-of-service in SMB3 and CIFS driver.

A race condition when performing SMB2.1 + sign mounts in the
SMB3 and CIFS driver could lead to a use-after-free. An attacker
could use this flaw to cause a denial-of-service.


* CVE-2024-53685: Denial-of-service in Ceph distributed file system driver.

A logic error when building a dentry path in the Ceph distributed file
system driver could lead to an infinite loop. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2024-56372: Logic error in Universal TUN/TAP device driver.

* CVE-2024-56664: Privilege escalation in bpf() system call driver.

A race condition when using the bpf() system call driver could lead to
a use-after-free. A local attacker could use this flaw to escalate
privileges.


* CVE-2024-56758: Locking issue in Btrfs filesystem driver.

* CVE-2024-57801: Privilege escalation in Mellanox SRIOV E-Switch driver.

A logic error when using the Mellanox SRIOV E-Switch driver
could lead to a use-after-free. A local attacker could use this
flaw to escalate privileges.


* CVE-2024-57892: Privilege escalation in OCFS2 file system driver.

A logic error when using the quota_getnextquota() syscall in the OCFS2 file
system driver could lead to a use-after-free. A local attacker could use
this flaw to escalate privileges.


* CVE-2024-57901, CVE-2024-57902: Remote denial-of-service in packet socket driver.

A logic error when receiving raw network packets using the packet
socket interface could lead to a kernel panic. A remote attacker
could use this flaw to cause a denial-of-service.


* CVE-2024-57925: Null pointer dereference in SMB3 server driver.

* CVE-2024-57932, CVE-2024-57933: Denial-of-service in Google Virtual NIC (gVNIC) driver.

A missing check when using the Google Virtual NIC (gVNIC) driver could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2025-21631: Privilege escalation in Budget Fair Queueing (BFQ) I/O scheduler.

A missing check when using the Budget Fair Queueing (BFQ) I/O scheduler
could lead to a use-after-free. A local attacker could use this flaw to
escalate privileges.


* CVE-2025-21636, CVE-2025-21637, CVE-2025-21638, CVE-2025-21639, CVE-2025-21640: Denial-of-service in SCTP.

A logic error when using the SCTP protocol driver could lead to a
NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2025-21642: Null pointer dereference in MPTCP (Multipath TCP) driver.

* CVE-2025-21647: Privilege escalation in Common Applications Kept Enhanced (CAKE) driver.

A logic error when using the Common Applications Kept Enhanced (CAKE)
driver could lead to an out-of-bounds memory access. A local attacker
could use this flaw to escalate privileges.


* CVE-2025-21652: Use-after-free in the network device link state notification subsystem.

* CVE-2025-21659: Missing check in the netlink subsystem.

* CVE-2025-21662: Denial-of-service in Mellanox devices driver.

A missing complete call when using the Mellanox devices driver could lead
to a kthread hang. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2025-21971: Denial-of-service in QoS driver.

A missing check when computing statistics in the QoS driver could lead
to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.


* Remote denial-of-service in NFSv4.1 client driver.

A missing check when using the NFSv4.1 client driver could lead
to a livelock. A remote attacker could use this flaw to cause a
denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2024-53241 (XSA-466).

CVE-2024-53241 (XSA-466) is an information leak from Xen guests.

Oracle has determined that patching CVE-2024-53241 (XSA-466) on a
running system would not be safe and recommends a reboot if Xen is used.
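
As an added example (not part of Oracle's advisory or tooling), the following
shell script applies the INSTALLING THE UPDATES section and the CVE-2024-53241
note to a single host: it reads the autoinstall setting and checks whether the
host is a Xen guest. The function names, the strict matching of
"autoinstall = yes", and the use of /sys/hypervisor/type to detect Xen are
assumptions of this example.

```shell
#!/bin/sh
# Added example: what does this host need for USN-7513-1 under Ksplice?
# Paths are parameters so the logic can be exercised on constructed files.

# Print "yes" only when the file holds an uncommented "autoinstall = yes";
# anything else (missing file, other value) is reported as "no" so the
# caller errs toward running the upgrade by hand. The last assignment wins.
autoinstall_setting() {
    [ -r "$1" ] || { echo no; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "autoinstall") result = val
        }
        END { if (result == "yes") print "yes"; else print "no" }
    ' "$1"
}

# Succeed when the hypervisor type file reads "xen"
# (assumption: /sys/hypervisor/type is present on Xen guests).
is_xen() {
    [ -r "$1" ] && [ "$(cat "$1")" = "xen" ]
}

# Print one line per action this advisory implies for the host.
advisory_actions() {
    if [ "$(autoinstall_setting "$1")" = "yes" ]; then
        echo "ksplice: updates install automatically"
    else
        echo "ksplice: run /usr/sbin/uptrack-upgrade -y"
    fi
    if is_xen "$2"; then
        echo "xen: reboot recommended for CVE-2024-53241 (XSA-466)"
    fi
}

# Constructed sample config (not from a real host): the commented-out
# "yes" must be ignored, so the manual upgrade command is reported.
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
advisory_actions "$sample" /sys/hypervisor/type
rm -f "$sample"
```

On a real host, call advisory_actions /etc/uptrack/uptrack.conf /sys/hypervisor/type.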

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




