{"schema_version":"1.7.2","id":"OESA-2025-2887","modified":"2025-12-30T12:17:29Z","published":"2025-12-30T12:17:29Z","upstream":["CVE-2022-49426","CVE-2023-52880","CVE-2023-53466","CVE-2024-46763","CVE-2024-47740","CVE-2024-53138","CVE-2024-53241","CVE-2025-21744","CVE-2025-21806","CVE-2025-21820","CVE-2025-37807","CVE-2025-38561","CVE-2025-39756","CVE-2025-39901","CVE-2025-40211"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu-v3-sva: Fix mm use-after-free\n\nWe currently call arm64_mm_context_put() without holding a reference to\nthe mm, which can result in use-after-free. Call mmgrab()/mmdrop() to\nensure the mm only gets freed after we unpinned the ASID.(CVE-2022-49426)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc\n\nAny unprivileged user can attach N_GSM0710 ldisc, but it requires\nCAP_NET_ADMIN to create a GSM network anyway.\n\nRequire initial namespace CAP_NET_ADMIN to do that.(CVE-2023-52880)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit\n\nAlways purge mcu skb queues in mt7915_mcu_exit routine even if\nmt7915_firmware_state fails.(CVE-2023-53466)\n\nIn the Linux kernel, the following vulnerability has been resolved:fou: Fix null-ptr-deref in GRO.We observed a null-ptr-deref in fou_gro_receive() while shutting downa host.  [0]The NULL pointer is sk->sk_user_data, and the offset 8 is of protocolin struct fou.When fou_release() is called due to netns dismantle or explicit tunnelteardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.Then, the tunnel socket is destroyed after a single RCU grace period.So, in-flight udp4_gro_receive() could find the socket and execute theFOU GRO handler, where sk->sk_user_data could be NULL.Let s use rcu_dereference_sk_user_data() in fou_from_sock() and add NULLchecks in FOU GRO handlers.[0]:BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present pagePGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0SMP PTICPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0FS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400PKRU: 55555554Call Trace: <IRQ> ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)</IRQ> do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900RDX: ffff93daee800000 RSI: ffff93d---truncated---(CVE-2024-46763)\n\nIn the Linux kernel, the following vulnerability has been resolved:f2fs: Require FMODE_WRITE for atomic write ioctlsThe F2FS ioctls for starting and committing atomic writes check forinode_owner_or_capable(), but this does not give LSMs like SELinux orLandlock an opportunity to deny the write access - if the caller s FSUIDmatches the inode s UID, inode_owner_or_capable() immediately returns true.There are scenarios where LSMs want to deny a process the ability to writeparticular files, even files that the FSUID of the process owns; but thiscan currently partially be bypassed using atomic write ioctls in two ways: - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can   truncate an inode to size 0 - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert   changes another process concurrently made to a fileFix it by requiring FMODE_WRITE for these operations, just like forF2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using theseioctls when intending to write into the file, that seems unlikely to breakanything.(CVE-2024-47740)\n\nIn the Linux kernel, the following vulnerability has been resolved:net/mlx5e: kTLS, Fix incorrect page refcountingThe kTLS tx handling code is using a mix of get_page() andpage_ref_inc() APIs to increment the page reference. But on the releasepath (mlx5e_ktls_tx_handle_resync_dump_comp()), only put_page() is used.This is an issue when using pages from large folios: the get_page()references are stored on the folio page while the page_ref_inc()references are stored directly in the given page. On release the foliopage will be dereferenced too many times.This was found while doing kTLS testing with sendfile() + ZC when theserved file was read from NFS on a kernel with NFS large folios support(commit 49b29a573da8 ( nfs: add support for large folios )).(CVE-2024-53138)\n\nIn the Linux kernel, the following vulnerability has been resolved:x86/xen: don t do PV iret hypercall through hypercall pageInstead of jumping to the Xen hypercall page for doing the irethypercall, directly code the required sequence in xen-asm.S.This is done in preparation of no longer using hypercall page at all,as it has shown to cause problems with speculation mitigations.This is part of XSA-466 / CVE-2024-53241.(CVE-2024-53241)\n\nIn the Linux kernel, the following vulnerability has been resolved:wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()On removal of the device or unloading of the kernel module a potential NULLpointer dereference occurs.The following sequence deletes the interface:  brcmf_detach()    brcmf_remove_interface()      brcmf_del_if()Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated toBRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.After brcmf_remove_interface() call the brcmf_proto_detach() function iscalled providing the following sequence:  brcmf_detach()    brcmf_proto_detach()      brcmf_proto_msgbuf_detach()        brcmf_flowring_detach()          brcmf_msgbuf_delete_flowring()            brcmf_msgbuf_remove_flowring()              brcmf_flowring_delete()                brcmf_get_ifp()                brcmf_txfinalize()Since brcmf_get_ip() can and actually will return NULL in this case thecall to brcmf_txfinalize() will result in a NULL pointer dereference insidebrcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.This will only happen if a flowring still has an skb.Although the NULL pointer dereference has only been seen when trying toupdate the tx statistic, all other uses of the ifp pointer have beenguarded as well with an early return if ifp is NULL.(CVE-2025-21744)\n\nIn the Linux kernel, the following vulnerability has been resolved:net: let net.core.dev_weight always be non-zeroThe following problem was encountered during stability test:(NULL net_device): NAPI poll function process_backlog+0x0/0x530   returned 1, exceeding its budget of 0.------------[ cut here ]------------list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48,   next=ffff88905f746e40.WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35   __list_add_valid_or_report+0xf3/0x130CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+RIP: 0010:__list_add_valid_or_report+0xf3/0x130Call Trace:? __warn+0xcd/0x250? __list_add_valid_or_report+0xf3/0x130enqueue_to_backlog+0x923/0x1070netif_rx_internal+0x92/0x2b0__netif_rx+0x15/0x170loopback_xmit+0x2ef/0x450dev_hard_start_xmit+0x103/0x490__dev_queue_xmit+0xeac/0x1950ip_finish_output2+0x6cc/0x1620ip_output+0x161/0x270ip_push_pending_frames+0x155/0x1a0raw_sendmsg+0xe13/0x1550__sys_sendto+0x3bf/0x4e0__x64_sys_sendto+0xdc/0x1b0do_syscall_64+0x5b/0x170entry_SYSCALL_64_after_hwframe+0x76/0x7eThe reproduction command is as follows:  sysctl -w net.core.dev_weight=0  ping 127.0.0.1This is because when the napi s weight is set to 0, process_backlog() mayreturn 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing thisnapi to be re-polled in net_rx_action() until __do_softirq() times out.Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() canbe retriggered in enqueue_to_backlog(), causing this issue.Making the napi s weight always non-zero solves this problem.Triggering this issue requires system-wide admin (setting isnot namespaced).(CVE-2025-21806)\n\nIn the Linux kernel, the following vulnerability has been resolved:tty: xilinx_uartps: split sysrq handlinglockdep detects the following circular locking dependency:CPU 0                      CPU 1========================== ============================cdns_uart_isr()            printk()  uart_port_lock(port)       console_lock()        cdns_uart_console_write()                               if (!port->sysrq)                                 uart_port_lock(port)  uart_handle_break()    port->sysrq = ...  uart_handle_sysrq_char()    printk()      console_lock()The fixed commit attempts to avoid this situation by only taking theport lock in cdns_uart_console_write if port->sysrq unset. However, if(as shown above) cdns_uart_console_write runs before port->sysrq is set,then it will try to take the port lock anyway. This may result in adeadlock.Fix this by splitting sysrq handling into two parts. We use the preparehelper under the port lock and defer handling until we release the lock.(CVE-2025-21820)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix kmemleak warning for percpu hashmap\n\nVlad Poenaru reported the following kmemleak issue:\n\n  unreferenced object 0x606fd7c44ac8 (size 32):\n    backtrace (crc 0):\n      pcpu_alloc_noprof+0x730/0xeb0\n      bpf_map_alloc_percpu+0x69/0xc0\n      prealloc_init+0x9d/0x1b0\n      htab_map_alloc+0x363/0x510\n      map_create+0x215/0x3a0\n      __sys_bpf+0x16b/0x3e0\n      __x64_sys_bpf+0x18/0x20\n      do_syscall_64+0x7b/0x150\n      entry_SYSCALL_64_after_hwframe+0x4b/0x53\n\nFurther investigation shows the reason is due to not 8-byte aligned\nstore of percpu pointer in htab_elem_set_ptr():\n  *(void __percpu **)(l->key + key_size) = pptr;\n\nNote that the whole htab_elem alignment is 8 (for x86_64). If the key_size\nis 4, that means pptr is stored in a location which is 4 byte aligned but\nnot 8 byte aligned. In mm/kmemleak.c, scan_block() scans the memory based\non 8 byte stride, so it won't detect above pptr, hence reporting the memory\nleak.\n\nIn htab_map_alloc(), we already have\n\n        htab->elem_size = sizeof(struct htab_elem) +\n                          round_up(htab->map.key_size, 8);\n        if (percpu)\n                htab->elem_size += sizeof(void *);\n        else\n                htab->elem_size += round_up(htab->map.value_size, 8);\n\nSo storing pptr with 8-byte alignment won't cause any problem and can fix\nkmemleak too.\n\nThe issue can be reproduced with bpf selftest as well:\n  1. Enable CONFIG_DEBUG_KMEMLEAK config\n  2. Add a getchar() before skel destroy in test_hash_map() in prog_tests/for_each.c.\n     The purpose is to keep map available so kmemleak can be detected.\n  3. run './test_progs -t for_each/hash_map &' and a kmemleak should be reported.(CVE-2025-37807)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix Preauh_HashValue race condition\n\nIf client send multiple session setup requests to ksmbd,\nPreauh_HashValue race condition could happen.\nThere is no need to free sess->Preauh_HashValue at session setup phase.\nIt can be freed together with session at connection termination phase.(CVE-2025-38561)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nfs: Prevent file descriptor table allocations exceeding INT_MAX\n\nWhen sysctl_nr_open is set to a very high value (for example, 1073741816\nas set by systemd), processes attempting to use file descriptors near\nthe limit can trigger massive memory allocation attempts that exceed\nINT_MAX, resulting in a WARNING in mm/slub.c:\n\n  WARNING: CPU: 0 PID: 44 at mm/slub.c:5027 __kvmalloc_node_noprof+0x21a/0x288\n\nThis happens because kvmalloc_array() and kvmalloc() check if the\nrequested size exceeds INT_MAX and emit a warning when the allocation is\nnot flagged with __GFP_NOWARN.\n\nSpecifically, when nr_open is set to 1073741816 (0x3ffffff8) and a\nprocess calls dup2(oldfd, 1073741880), the kernel attempts to allocate:\n- File descriptor array: 1073741880 * 8 bytes = 8,589,935,040 bytes\n- Multiple bitmaps: ~400MB\n- Total allocation size: > 8GB (exceeding INT_MAX = 2,147,483,647)\n\nReproducer:\n1. Set /proc/sys/fs/nr_open to 1073741816:\n   # echo 1073741816 > /proc/sys/fs/nr_open\n\n2. Run a program that uses a high file descriptor:\n   #include <unistd.h>\n   #include <sys/resource.h>\n\n   int main() {\n       struct rlimit rlim = {1073741824, 1073741824};\n       setrlimit(RLIMIT_NOFILE, &rlim);\n       dup2(2, 1073741880);  // Triggers the warning\n       return 0;\n   }\n\n3. Observe WARNING in dmesg at mm/slub.c:5027\n\nsystemd commit a8b627a introduced automatic bumping of fs.nr_open to the\nmaximum possible value. The rationale was that systems with memory\ncontrol groups (memcg) no longer need separate file descriptor limits\nsince memory is properly accounted. However, this change overlooked\nthat:\n\n1. The kernel's allocation functions still enforce INT_MAX as a maximum\n   size regardless of memcg accounting\n2. Programs and tests that legitimately test file descriptor limits can\n   inadvertently trigger massive allocations\n3. The resulting allocations (>8GB) are impractical and will always fail\n\nsystemd's algorithm starts with INT_MAX and keeps halving the value\nuntil the kernel accepts it. On most systems, this results in nr_open\nbeing set to 1073741816 (0x3ffffff8), which is just under 1GB of file\ndescriptors.\n\nWhile processes rarely use file descriptors near this limit in normal\noperation, certain selftests (like\ntools/testing/selftests/core/unshare_test.c) and programs that test file\ndescriptor limits can trigger this issue.\n\nFix this by adding a check in alloc_fdtable() to ensure the requested\nallocation size does not exceed INT_MAX. This causes the operation to\nfail with -EMFILE instead of triggering a kernel warning and avoids the\nimpractical >8GB memory allocation request.(CVE-2025-39756)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\ni40e: remove read access to debugfs files\n\nThe 'command' and 'netdev_ops' debugfs files are a legacy debugging\ninterface supported by the i40e driver since its early days by commit\n02e9c290814c ("i40e: debugfs interface").\n\nBoth of these debugfs files provide a read handler which is mostly useless,\nand which is implemented with questionable logic. They both use a static\n256 byte buffer which is initialized to the empty string. In the case of\nthe 'command' file this buffer is literally never used and simply wastes\nspace. In the case of the 'netdev_ops' file, the last command written is\nsaved here.\n\nOn read, the files contents are presented as the name of the device\nfollowed by a colon and then the contents of their respective static\nbuffer. For 'command' this will always be "<device>: ". For 'netdev_ops',\nthis will be "<device>: <last command written>". But note the buffer is\nshared between all devices operated by this module. At best, it is mostly\nmeaningless information, and at worse it could be accessed simultaneously\nas there doesn't appear to be any locking mechanism.\n\nWe have also recently received multiple reports for both read functions\nabout their use of snprintf and potential overflow that could result in\nreading arbitrary kernel memory. For the 'command' file, this is definitely\nimpossible, since the static buffer is always zero and never written to.\nFor the 'netdev_ops' file, it does appear to be possible, if the user\ncarefully crafts the command input, it will be copied into the buffer,\nwhich could be large enough to cause snprintf to truncate, which then\ncauses the copy_to_user to read beyond the length of the buffer allocated\nby kzalloc.\n\nA minimal fix would be to replace snprintf() with scnprintf() which would\ncap the return to the number of bytes written, preventing an overflow. A\nmore involved fix would be to drop the mostly useless static buffers,\nsaving 512 bytes and modifying the read functions to stop needing those as\ninput.\n\nInstead, lets just completely drop the read access to these files. These\nare debug interfaces exposed as part of debugfs, and I don't believe that\ndropping read access will break any script, as the provided output is\npretty useless. You can find the netdev name through other more standard\ninterfaces, and the 'netdev_ops' interface can easily result in garbage if\nyou issue simultaneous writes to multiple devices at once.\n\nIn order to properly remove the i40e_dbg_netdev_ops_buf, we need to\nrefactor its write function to avoid using the static buffer. Instead, use\nthe same logic as the i40e_dbg_command_write, with an allocated buffer.\nUpdate the code to use this instead of the static buffer, and ensure we\nfree the buffer on exit. This fixes simultaneous writes to 'netdev_ops' on\nmultiple devices, and allows us to remove the now unused static buffer\nalong with removing the read access.(CVE-2025-39901)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\nACPI: video: Fix use-after-free in acpi_video_switch_brightness()\n\nThe switch_brightness_work delayed work accesses device->brightness\nand device->backlight, freed by acpi_video_dev_unregister_backlight()\nduring device removal.\n\nIf the work executes after acpi_video_bus_unregister_backlight()\nfrees these resources, it causes a use-after-free when\nacpi_video_switch_brightness() dereferences device->brightness or\ndevice->backlight.\n\nFix this by calling cancel_delayed_work_sync() for each device's\nswitch_brightness_work in acpi_video_bus_remove_notify_handler()\nafter removing the notify handler that queues the work. This ensures\nthe work completes before the memory is freed.\n\n[ rjw: Changelog edit ](CVE-2025-40211)","affected":[{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.0-296.0.0.199.oe2203sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","bpftool-debuginfo-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-debuginfo-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-debugsource-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-devel-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-headers-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-source-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-tools-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-tools-debuginfo-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","kernel-tools-devel-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","perf-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","perf-debuginfo-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","python3-perf-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm","python3-perf-debuginfo-5.10.0-296.0.0.199.oe2203sp4.aarch64.rpm"],"src":["kernel-5.10.0-296.0.0.199.oe2203sp4.src.rpm"],"x86_64":["bpftool-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","bpftool-debuginfo-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-debuginfo-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-debugsource-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-devel-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-headers-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-source-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-tools-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-tools-debuginfo-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","kernel-tools-devel-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","perf-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","perf-debuginfo-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","python3-perf-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm","python3-perf-debuginfo-5.10.0-296.0.0.199.oe2203sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2887"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49426"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-52880"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-53466"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46763"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47740"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53138"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53241"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21744"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21806"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21820"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37807"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38561"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39756"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39901"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40211"}],"database_specific":{"severity":"High"}}