Detections
Analytics

Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2025-28068)

critical Nessus Plugin ID 279633

Language:

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2025-28068 advisory.

 - fs/proc: fix uaf in proc_readdir_de() (Wei Yang) [Orabug: 38786776] {CVE-2025-40271}
 - NFSD: Define a proc_layoutcommit for the FlexFiles layout type (Chuck Lever) [Orabug: 38601819] {CVE-2025-40087}
 - vfs: Don't leak disconnected dentries on umount (Jan Kara) [Orabug: 38601924] {CVE-2025-40105}
 - ext4: detect invalid INLINE_DATA + EXTENTS flag combination (Deepanshu Kartikey) [Orabug: 38649223] {CVE-2025-40167}
 - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() (Theodore Ts'O) [Orabug:
 38649412] {CVE-2025-40198}
 - ocfs2: clear extent cache after moving/defragmenting extents (Deepanshu Kartikey) [Orabug: 38730547] {CVE-2025-40233}
 - sctp: avoid NULL dereference when chunk data buffer is missing (Alexey Simakov) [Orabug: 38730567] {CVE-2025-40240}
 - net/ip6_tunnel: Prevent perpetual tunnel growth (Dmitry Safonov) [Orabug: 38649261] {CVE-2025-40173}
 - btrfs: avoid potential out-of-bounds in btrfs_encode_fh() (Anderson Nascimento) [Orabug: 38649463] {CVE-2025-40205}
 - pid: Add a judgment for ns null in pid_nr_ns (Gaoxiang17) [Orabug: 38649276] {CVE-2025-40178}
 - tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (Yuan Chen) [Orabug: 38592033] {CVE-2025-40042}
 - dm: fix NULL pointer dereference in __dm_suspend() (Zheng Qixing) [Orabug: 38649057] {CVE-2025-40134}
 - Squashfs: reject negative file sizes in squashfs_read_inode() (Phillip Lougher) [Orabug: 38649425] {CVE-2025-40200}
 - media: mc: Clear minor number before put device (Edward Adam Davis) [Orabug: 38649399] {CVE-2025-40197}
 - fs: udf: fix OOB read in lengthAllocDescs handling (Larshin Sergey) [Orabug: 38592048] {CVE-2025-40044}
 - KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O (Sean Christopherson) [Orabug:
 38591959] {CVE-2025-40026}
 - net/9p: fix double req put in p9_fd_cancelled (Nalivayko Sergey) [Orabug: 38591965] {CVE-2025-40027}
 - ext4: guard against EA inode refcount underflow in xattr update (Ahmet Eray Karadag) [Orabug: 38649330] {CVE-2025-40190}
 - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (Niklas Schnelle) [Orabug:
 38730513] {CVE-2025-40219}
 - sctp: Fix MAC comparison to be constant-time (Eric Biggers) [Orabug: 38649451] {CVE-2025-40204}
 - cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() (Rafael J. Wysocki) [Orabug:
 38649367] {CVE-2025-40194}
 - crypto: essiv - Check ssize for decryption and in-place encryption (Herbert Xu) [Orabug:
 38581456,38705546] {CVE-2025-40019}
 - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). (Kuniyuki Iwashima) [Orabug: 38649579] {CVE-2025-40186}
 - net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() (Alexandr Sapozhnikov) [Orabug: 38649313] {CVE-2025-40187}
 - drm/vmwgfx: Fix Use-after-free in validation (Ian Forbes) [Orabug: 38643546] {CVE-2025-40111}
 - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (Duoming Zhou) [Orabug: 38557654] {CVE-2025-40001}
 - pinctrl: check the return value of pinmux_ops::get_function_name() (Bartosz Golaszewski) [Orabug:
 38591981] {CVE-2025-40030}
 - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (Zhen Ni) [Orabug: 38592002] {CVE-2025-40035}
 - mm: hugetlb: avoid soft lockup when mprotect to large memory area (Yang Shi) [Orabug: 38649150] {CVE-2025-40153}
 - uio_hv_generic: Let userspace take care of interrupt mask (Naman Jain) [Orabug: 38592067] {CVE-2025-40048}
 - Squashfs: fix uninit-value in squashfs_get_parent (Phillip Lougher) [Orabug: 38592077] {CVE-2025-40049}
 - ocfs2: fix double free in user_cluster_connect() (Dan Carpenter) [Orabug: 38592110] {CVE-2025-40055}
 - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (I Viswanath) [Orabug: 38649096] {CVE-2025-40140}
 - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() (Ranjan Kumar) [Orabug: 38648982] {CVE-2025-40115}
 - ipvs: Defer ip_vs_ftp unregister during netns cleanup (Slavin Liu) [Orabug: 38581446] {CVE-2025-40018}
 - pps: fix warning in pps_register_cdev when register device fail (Wang Liang) [Orabug: 38592170] {CVE-2025-40070}
 - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod (Niklas Cassel) [Orabug: 38649567] {CVE-2025-40118}
 - bpf: Explicitly check accesses to bpf_sock_addr (Paul Chaignon) [Orabug: 38592205] {CVE-2025-40078}
 - blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx (Li Nan) [Orabug:
 38649026] {CVE-2025-40125}
 - perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (Leo Yan) [Orabug: 38592223] {CVE-2025-40081}
 - media: rc: fix races with imon_disconnect() (Larshin Sergey) [Orabug: 38548027] {CVE-2025-39993}
 - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (Duoming Zhou) [Orabug:
 38548044] {CVE-2025-39995}
 - media: tuner: xc5000: Fix use-after-free in xc5000_release (Duoming Zhou) [Orabug: 38548037] {CVE-2025-39994}
 - udp: Fix memory accounting leak. (Kuniyuki Iwashima) [Orabug: 37844325] {CVE-2025-22058}
 - media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (Duoming Zhou) [Orabug:
 38548051] {CVE-2025-39996}
 - scsi: target: target_core_configfs: Add length check to avoid buffer overflow (Wang Haoran) [Orabug:
 38548059] {CVE-2025-39998}
 - mm/hugetlb: fix folio is still mapped when deleted (Tu Jinjiang) [Orabug: 38560482] {CVE-2025-40006}
 - i40e: fix validation of VF state in get resources (Lukasz Czapnik) [Orabug: 38547929] {CVE-2025-39969}
 - i40e: fix idx validation in config queues msg (Lukasz Czapnik) [Orabug: 38547938] {CVE-2025-39971}
 - i40e: add validation for ring_len param (Lukasz Czapnik) [Orabug: 38547952,38604168,38604171] {CVE-2025-39973}
 - fbcon: fix integer overflow in fbcon_do_set_font (Samasth Norway Ananda) [Orabug: 38547913] {CVE-2025-39967}
 - i40e: add max boundary check for VF filters (Lukasz Czapnik) [Orabug: 38547923] {CVE-2025-39968}
 - i40e: fix input validation logic for action_meta (Lukasz Czapnik) [Orabug: 38547933] {CVE-2025-39970}
 - i40e: fix idx validation in i40e_validate_queue_map (Lukasz Czapnik) [Orabug: 38547946] {CVE-2025-39972}
 - drm/gma500: Fix null dereference in hdmi teardown (Zabelin Nikita) [Orabug: 38560496] {CVE-2025-40011}
 - can: peak_usb: fix shift-out-of-bounds issue (Stephane Grosjean) [Orabug: 38581463] {CVE-2025-40020}
 - cnic: Fix use-after-free bugs in cnic_delete_task (Duoming Zhou) [Orabug: 38503849] {CVE-2025-39945}
 - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (Kuniyuki Iwashima) [Orabug: 38526388] {CVE-2025-39955}
 - cgroup: split cgroup_destroy_wq into 3 workqueues (Chen Ridong) [Orabug: 38503892] {CVE-2025-39953}
 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (Miaohe Lin) [Orabug:
 38461848] {CVE-2025-39883}
 - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees (Stephan Gerhold) [Orabug:
 38494822] {CVE-2025-39923}
 - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (Michal Schmidt) [Orabug: 38494787] {CVE-2025-39911}
 - ocfs2: fix recursive semaphore deadlock in fiemap call (Mark Tinguely) [Orabug: 38461859] {CVE-2025-39885}
 - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. (Kuniyuki Iwashima) [Orabug: 38494797] {CVE-2025-39913}
 - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. (Kuniyuki Iwashima) [Orabug:
 37901604] {CVE-2025-23143}
 - device-dax: correct pgoff align in dax_set_mapping() (Kun(Llfl)) [Orabug: 37206404] {CVE-2024-50022}
 - scsi: lpfc: Fix buffer free/clear order in deferred receive path (John Evans) [Orabug: 38456754] {CVE-2025-39841}
 - iio: light: opt3001: fix deadlock due to concurrent flag access (Luca Ceresoli) [Orabug: 37977028] {CVE-2025-37968}
 - mm/slub: avoid accessing metadata when pointer is invalid in object_err() (Li Qiong) [Orabug: 38494761] {CVE-2025-39902}
 - wifi: mwifiex: Initialize the chan_stats array to zero (Rong Qianfeng) [Orabug: 38494723] {CVE-2025-39891}
 - ppp: fix memory leak in pad_compress_skb (Qingfang Deng) [Orabug: 38456781] {CVE-2025-39847}
 - i40e: Fix potential invalid access when MAC list is empty (Zhen Ni) [Orabug: 38456814] {CVE-2025-39853}
 - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() (Kuniyuki Iwashima) [Orabug: 38456834] {CVE-2025-39860}
 - wifi: cfg80211: fix use-after-free in cmp_bss() (Dmitry Antipov) [Orabug: 38456860] {CVE-2025-39864}
 - clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns (Al Viro) [Orabug:
 38310007,38453918] {CVE-2025-38499}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2025-28068.html

Plugin Details

Severity: Critical

ID: 279633

File Name: oraclelinux_ELSA-2025-28068.nasl

Version: 1.2

Type: local

Agent: unix

Published: 12/23/2025

Updated: 12/23/2025

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-40271

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:oracle:linux:8:10:baseos_patch, p-cpe:/a:oracle:linux:kernel-uek-container, p-cpe:/a:oracle:linux:kernel-uek-debug-devel, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, p-cpe:/a:oracle:linux:kernel-uek-debug, p-cpe:/a:oracle:linux:kernel-uek-devel, p-cpe:/a:oracle:linux:kernel-uek-doc, p-cpe:/a:oracle:linux:kernel-uek-container-debug, p-cpe:/a:oracle:linux:kernel-uek-tools, p-cpe:/a:oracle:linux:kernel-uek

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 12/22/2025

Vulnerability Publication Date: 12/6/2025

Reference Information

CVE: CVE-2025-40271