RHEL 9 : kernel (RHSA-2025:20518)

high Nessus Plugin ID 274839

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for kernel.

Description

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:20518 advisory.

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: can: isotp: fix potential CAN frame reception race in isotp_rcv() (CVE-2022-48830)

* kernel: soc: qcom: cmd-db: Map shared memory as WC, not WB (CVE-2024-46689)

* kernel: Squashfs: sanity check symbolic link size (CVE-2024-46744)

* kernel: vfs: fix race between evice_inodes() and find_inode()&iput() (CVE-2024-47679)

* kernel: x86/tdx: Fix in-kernel MMIO check (CVE-2024-47727)

* kernel: rxrpc: Fix a race between socket set up and I/O thread creation (CVE-2024-49864)

* kernel: io_uring: check if we need to reschedule during overflow flush (CVE-2024-50060)

* kernel: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods (CVE-2022-49024)

* kernel: posix-clock: Fix missing timespec64 check in pc_clock_settime() (CVE-2024-50195)

* kernel: rxrpc: Fix missing locking causing hanging calls (CVE-2024-50294)

* kernel: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write (CVE-2024-53052)

* kernel: afs: Fix lock recursion (CVE-2024-53090)

* kernel: virtio/vsock: Fix accept_queue memory leak (CVE-2024-53119)

* kernel: KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN (CVE-2024-53135)

* kernel: xen: Xen hypercall page unsafe against speculative attacks (Xen Security Advisory 466) (CVE-2024-53241)

* kernel: RDMA/rxe: Fix the qp flush warnings in req (CVE-2024-53229)

* kernel: block: fix uaf for flush rq while iterating tags (CVE-2024-53170)

* kernel: nfsd: release svc_expkey/svc_export with rcu_work (CVE-2024-53216)

* kernel: net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603)

* kernel: blk-cgroup: Fix UAF in blkcg_unpin_online() (CVE-2024-56672)

* kernel: acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl (CVE-2024-56662)

* kernel: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors (CVE-2024-56675)

* kernel: can: j1939: j1939_session_new(): fix skb reference counting (CVE-2024-56645)

* kernel: crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY (CVE-2024-56690)

* kernel: io_uring: check if iowq is killed before queuing (CVE-2024-56709)

* kernel: rtc: check if __rtc_read_time was successful in rtc_timer_do_work() (CVE-2024-56739)

* kernel: bpf: put bpf_link's program when link is safe to be deallocated (CVE-2024-56786)

* kernel: igb: Fix potential invalid memory access in igb_init_module() (CVE-2024-52332)

* kernel: ipvs: fix UB due to uninitialized stack access in ip_vs_protocol_init() (CVE-2024-53680)

* kernel: netfilter: conntrack: clamp maximum hashtable size to INT_MAX (CVE-2025-21648)

* kernel: sched: sch_cake: add bounds checks to host bulk flow fairness counts (CVE-2025-21647)

* kernel: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (CVE-2025-21631)

* kernel: zram: fix potential UAF of zram table (CVE-2025-21671)

* kernel: afs: Fix merge preference rule failure condition (CVE-2025-21672)

* kernel: mm: zswap: properly synchronize freeing resources during CPU hotunplug (CVE-2025-21693)

* kernel: cachestat: fix page cache statistics permission checking (CVE-2025-21691)

* kernel: mm: clear uffd-wp PTE/PMD state on mremap() (CVE-2025-21696)

* kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 (CVE-2025-21702)

* kernel: usbnet: fix memory leak in error case (CVE-2022-49657)

* kernel: powerpc/xics: fix refcount leak in icp_opal_init() (CVE-2022-49432)

* kernel: net: tun: unlink NAPI from device on destruction (CVE-2022-49672)

* kernel: powerpc/papr_scm: don't requests stats with '0' sized stats buffer (CVE-2022-49353)

* kernel: powerpc/xive: Fix refcount leak in xive_spapr_init (CVE-2022-49437)

* kernel: ima: Fix potential memory leak in ima_init_crypto() (CVE-2022-49627)

* kernel: linux/dim: Fix divide by 0 in RDMA DIM (CVE-2022-49670)

* kernel: can: isotp: sanitize CAN ID checks in isotp_bind() (CVE-2022-49269)

* kernel: ima: Fix a potential integer overflow in ima_appraise_measurement (CVE-2022-49643)

* kernel: powerpc/xive/spapr: correct bitmap allocation size (CVE-2022-49623)

* kernel: efi: Do not import certificates from UEFI Secure Boot for T2 Macs (CVE-2022-49357)

* kernel: list: fix a data-race around ep->rdllist (CVE-2022-49443)

* kernel: tracing/histograms: Fix memory leak problem (CVE-2022-49648)

* kernel: Input: synaptics - fix crash when enabling pass-through port (CVE-2025-21746)

* kernel: NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795)

* kernel: bpf: Send signals asynchronously if !preemptible (CVE-2025-21728)

* kernel: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client() (CVE-2024-54456)

* kernel: Bluetooth: btrtl: check for NULL in btrtl_setup_realtek() (CVE-2024-57987)

* kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (CVE-2024-58014)

* kernel: Bluetooth: btbcm: Fix NULL deref in btbcm_get_board_name() (CVE-2024-57988)

* kernel: RDMA/mlx5: Fix implicit ODP use after free (CVE-2025-21714)

* kernel: drm/xe/tracing: Fix a potential TP_printk UAF (CVE-2024-49570)

* kernel: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check (CVE-2024-57993)

* kernel: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion (CVE-2025-21729)

* kernel: wifi: mt76: mt7925: fix NULL deref check in mt7925_change_vif_links (CVE-2024-57989)

* kernel: wifi: ath12k: Fix for out-of bound access error (CVE-2024-58015)

* kernel: OPP: add index check to assert to avoid buffer overflow in _read_freq() (CVE-2024-57998)

* kernel: wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() (CVE-2024-57995)

* kernel: nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796)

* kernel: scsi: ufs: core: Fix use-after free in init error and remove paths (CVE-2025-21739)

* kernel: workqueue: Put the pwq after detaching the rescuer from the pool (CVE-2025-21786)

* kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (CVE-2025-21738)

* kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986)

* kernel: padata: avoid UAF for reorder_work (CVE-2025-21726)

* kernel: vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791)

* kernel: team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787)

* kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981)

* kernel: vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790)

* kernel: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() (CVE-2024-57990)

* kernel: ipv6: use RCU protection in ip6_default_advmss() (CVE-2025-21765)

* kernel: ASoC: SOF: Intel: hda-dai: Ensure DAI widget is valid during params (CVE-2024-58012)

* kernel: blk-cgroup: Fix class @block_class's subsystem refcount leakage (CVE-2025-21745)

* kernel: net: let net.core.dev_weight always be non-zero (CVE-2025-21806)

* kernel: wifi: rtlwifi: remove unused check_buddy_priv (CVE-2024-58072)

* kernel: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068)

* kernel: wifi: iwlwifi: mvm: avoid NULL pointer dereference (CVE-2024-58062)

* kernel: idpf: convert workqueues to unbound (CVE-2024-58057)

* kernel: wifi: mac80211: don't flush non-uploaded STAs (CVE-2025-21828)

* kernel: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083)

* kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length (CVE-2025-21826)

* kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback (CVE-2024-58077)

* kernel: crypto: tegra - do not transfer req when tegra init fails (CVE-2024-58075)

* kernel: RDMA/rxe: Fix the warning __rxe_cleanup+0x12c/0x170 [rdma_rxe] (CVE-2025-21829)

* kernel: KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (CVE-2025-21839)

* kernel: io_uring/uring_cmd: unconditionally copy SQEs at prep time (CVE-2025-21837)

* kernel: information leak via transient execution vulnerability in some AMD processors (CVE-2024-36350)

* kernel: transient execution vulnerability in some AMD processors (CVE-2024-36357)

* kernel: bpf: Fix softlockup in arena_map_free on 64k page kernel (CVE-2025-21851)

* kernel: ibmvnic: Don't reference skb after sending to VIOS (CVE-2025-21855)

* kernel: smb: client: Add check for next_buffer in receive_encrypted_standard() (CVE-2025-21844)

* kernel: bpf: avoid holding freeze_mutex during mmap operation (CVE-2025-21853)

* kernel: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (CVE-2025-21847)

* kernel: tcp: drop secpath at the same time as we currently drop dst (CVE-2025-21864)

* kernel: bpf: Fix deadlock when freeing cgroup storage (CVE-2024-58088)

* kernel: acct: perform last write from workqueue (CVE-2025-21846)

* kernel: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861)

* kernel: io_uring: prevent opcode speculation (CVE-2025-21863)

* kernel: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() (CVE-2025-21848)

* kernel: netfilter: nft_tunnel: fix geneve_opt type confusion addition (CVE-2025-22056)

* kernel: can: j1939: j1939_send_one(): fix missing CAN header initialization (CVE-2022-49845)

* kernel: usb: typec: ucsi: displayport: Fix NULL pointer access (CVE-2025-37994)

* kernel: wifi: ath12k: fix uaf in ath12k_core_init() (CVE-2025-38116)

* kernel: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass (CVE-2025-38396)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9 Release Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL kernel package based on the guidance in RHSA-2025:20518.

Plugin Details

Severity: High

ID: 274839

File Name: redhat-RHSA-2025-20518.nasl

Version: 1.2

Type: local

Agent: unix

Family: Red Hat Local Security Checks

Published: 11/12/2025

Updated: 11/17/2025

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

Vendor

Vendor Severity: Moderate

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-22056

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-devel, p-cpe:/a:redhat:enterprise_linux:kernel-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules, p-cpe:/a:redhat:enterprise_linux:kernel-debug-uki-virt, p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules, p-cpe:/a:redhat:enterprise_linux:perf, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-tools, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump, cpe:/o:redhat:enterprise_linux:9, p-cpe:/a:redhat:enterprise_linux:kernel-64k, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-64k-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules-extra, p-cpe:/a:redhat:enterprise_linux:rv, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug, p-cpe:/a:redhat:enterprise_linux:kernel, p-cpe:/a:redhat:enterprise_linux:kernel-devel, p-cpe:/a:redhat:enterprise_linux:kernel-64k-devel, p-cpe:/a:redhat:enterprise_linux:kernel-uki-virt, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-core, p-cpe:/a:redhat:enterprise_linux:kernel-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-64k-debug-modules, p-cpe:/a:redhat:enterprise_linux:libperf, p-cpe:/a:redhat:enterprise_linux:kernel-modules, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-modules, p-cpe:/a:redhat:enterprise_linux:kernel-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-debug-devel, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-zfcpdump-devel, p-cpe:/a:redhat:enterprise_linux:kernel-uki-virt-addons, p-cpe:/a:redhat:enterprise_linux:kernel-debug-modules, p-cpe:/a:redhat:enterprise_linux:kernel-debug, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-core, p-cpe:/a:redhat:enterprise_linux:python3-perf, p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel-matched, p-cpe:/a:redhat:enterprise_linux:kernel-rt-modules-extra, p-cpe:/a:redhat:enterprise_linux:kernel-devel-matched, p-cpe:/a:redhat:enterprise_linux:rtla, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-modules-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug, p-cpe:/a:redhat:enterprise_linux:kernel-64k-core, p-cpe:/a:redhat:enterprise_linux:kernel-rt-64k-core, p-cpe:/a:redhat:enterprise_linux:kernel-64k-devel-matched

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/11/2025

Vulnerability Publication Date: 7/15/2022

Reference Information

CVE: CVE-2022-48830, CVE-2022-49024, CVE-2022-49269, CVE-2022-49353, CVE-2022-49357, CVE-2022-49432, CVE-2022-49437, CVE-2022-49443, CVE-2022-49623, CVE-2022-49627, CVE-2022-49643, CVE-2022-49648, CVE-2022-49657, CVE-2022-49670, CVE-2022-49672, CVE-2022-49845, CVE-2024-36350, CVE-2024-36357, CVE-2024-46689, CVE-2024-46744, CVE-2024-47679, CVE-2024-47727, CVE-2024-49570, CVE-2024-49864, CVE-2024-50060, CVE-2024-50195, CVE-2024-50294, CVE-2024-52332, CVE-2024-53052, CVE-2024-53090, CVE-2024-53119, CVE-2024-53135, CVE-2024-53170, CVE-2024-53216, CVE-2024-53229, CVE-2024-53241, CVE-2024-53680, CVE-2024-54456, CVE-2024-56603, CVE-2024-56645, CVE-2024-56662, CVE-2024-56672, CVE-2024-56675, CVE-2024-56690, CVE-2024-56709, CVE-2024-56739, CVE-2024-57981, CVE-2024-57986, CVE-2024-57987, CVE-2024-57988, CVE-2024-57989, CVE-2024-57990, CVE-2024-57993, CVE-2024-57995, CVE-2024-57998, CVE-2024-58012, CVE-2024-58014, CVE-2024-58015, CVE-2024-58057, CVE-2024-58062, CVE-2024-58068, CVE-2024-58072, CVE-2024-58075, CVE-2024-58077, CVE-2024-58083, CVE-2024-58088, CVE-2025-21631, CVE-2025-21647, CVE-2025-21648, CVE-2025-21671, CVE-2025-21672, CVE-2025-21691, CVE-2025-21693, CVE-2025-21696, CVE-2025-21702, CVE-2025-21714, CVE-2025-21726, CVE-2025-21728, CVE-2025-21729, CVE-2025-21738, CVE-2025-21739, CVE-2025-21745, CVE-2025-21746, CVE-2025-21765, CVE-2025-21786, CVE-2025-21787, CVE-2025-21790, CVE-2025-21791, CVE-2025-21795, CVE-2025-21796, CVE-2025-21806, CVE-2025-21826, CVE-2025-21828, CVE-2025-21829, CVE-2025-21839, CVE-2025-21844, CVE-2025-21846, CVE-2025-21847, CVE-2025-21848, CVE-2025-21851, CVE-2025-21853, CVE-2025-21855, CVE-2025-21861, CVE-2025-21863, CVE-2025-21864, CVE-2025-22056, CVE-2025-22097, CVE-2025-37994, CVE-2025-38116, CVE-2025-38396

CWE: 119, 120, 125, 193, 20, 252, 266, 362, 367, 369, 395, 400, 401, 413, 414, 416, 438, 457, 476, 59, 665, 667, 674, 682, 703, 754, 787, 789, 833, 863, 908, 99

RHSA: 2025:20518

Detections

Analytics