1. Ubuntu Security Notices
  2. LSN-0116-1

LSN-0116-1: Kernel Live Patch Security Notice

Publication date

17 November 2025

Overview

Several security issues were fixed in the kernel.

Releases

Software description

  • aws – Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1159, >= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000, >= 6.8.0-1008, >= 4.4.0-1159)
  • aws-5.15 – Linux kernel for Amazon Web Services (AWS) systems - (>= 5.15.0-1000)
  • aws-hwe – Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
  • azure – Linux kernel for Microsoft Azure Cloud systems - (>= 5.15.0-1000, >= 6.8.0-1007)
  • azure-5.15 – Linux kernel for Microsoft Azure cloud systems - (>= 5.15.0-1069)
  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000, >= 6.8.0-1007, >= 4.15.0-1118)
  • gcp-4.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1154)
  • gcp-5.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-214, >= 4.15.0-143)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-243)
  • generic-5.15 – Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
  • generic-5.4 – Linux kernel - (>= 5.4.0-150, >= 5.4.0-26)
  • aws – Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1159, >= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000, >= 6.8.0-1008, >= 4.4.0-1159)
  • aws-5.15 – Linux kernel for Amazon Web Services (AWS) systems - (>= 5.15.0-1000)
  • aws-hwe – Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
  • azure – Linux kernel for Microsoft Azure Cloud systems - (>= 5.15.0-1000, >= 6.8.0-1007)
  • azure-5.15 – Linux kernel for Microsoft Azure cloud systems - (>= 5.15.0-1069)
  • gcp – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000, >= 6.8.0-1007, >= 4.15.0-1118)
  • gcp-4.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1154)
  • gcp-5.15 – Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000)
  • generic-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-214, >= 4.15.0-143)
  • generic-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-243)
  • generic-5.15 – Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
  • generic-5.4 – Linux kernel - (>= 5.4.0-150, >= 5.4.0-26)
  • gke – Linux kernel for Google Container Engine (GKE) systems - (>= 5.15.0-1000)
  • ibm – Linux kernel for IBM cloud systems - (>= 5.15.0-1000, >= 6.8.0-1005)
  • ibm-5.15 – Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
  • linux – Linux kernel - (>= 5.15.0-71, >= 5.15.0-24, >= 6.8.0-1)
  • lowlatency-4.15 – Linux hardware enablement (HWE) kernel - (>= 4.15.0-214, >= 4.15.0-143)
  • lowlatency-4.4 – Linux kernel - (>= 4.4.0-168, >= 4.4.0-243)
  • lowlatency-5.15 – Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
  • lowlatency-5.4 – Linux kernel - (>= 5.4.0-150, >= 5.4.0-26)
  • oracle – Linux kernel for Oracle Cloud systems - (>= 4.15.0-1129, >= 5.15.0-1055, >= 6.8.0-1005)
  • oracle-5.15 – Linux kernel for Oracle Cloud systems - (>= 5.15.0-1055)

Details

In the Linux kernel, the following vulnerability has been
resolved: net: atlantic: eliminate double free in error handling logic
Driver has a logic leak in ring data allocation/free, where aq_ring_free
could be called multiple times on same ring, if system is under stress and
got memory allocation error.

In the Linux kernel, the following vulnerability has been
resolved: sctp: properly validate chunk size in sctp_sf_ootb() A size
validation fix similar to that in Commit 50619dbf8db7 ('sctp: add size
validation when walking chunks') is also required in sctp_sf_ootb() to
address a crash reported by syzbot: BUG: KMSAN: uninit-value in
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88...

In the Linux kernel, the following vulnerability has been
resolved: net: atlantic: eliminate double free in error handling logic
Driver has a logic leak in ring data allocation/free, where aq_ring_free
could be called multiple times on same ring, if system is under stress and
got memory allocation error.

In the Linux kernel, the following vulnerability has been
resolved: sctp: properly validate chunk size in sctp_sf_ootb() A size
validation fix similar to that in Commit 50619dbf8db7 ('sctp: add size
validation when walking chunks') is also required in sctp_sf_ootb() to
address a crash reported by syzbot: BUG: KMSAN: uninit-value in
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_rcv+0x3831/0x3b20
net/sctp/input.c:243 sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233)(CVE-2024-50299).

In the Linux kernel, the following vulnerability has been
resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock
sources The current USB-audio driver code doesn't check bLength of each
descriptor at traversing for clock descriptors.

In the Linux kernel, the following vulnerability has been
resolved: ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit
After an insertion in TNC, the tree might split and cause a node to change
its znode->parent.

In the Linux kernel, the following vulnerability has been
resolved: NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses
is initialized to NULL.

In the Linux kernel, the following vulnerability has been
resolved: padata: fix UAF in padata_reorder A bug was found when run ltp
test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read
of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0
PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0
print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling
'padata_find_next' in the 'padata_reorder' function, this issue could be
reproduced easily with ltp test (pcrypt_aead01).

In the Linux kernel, the following vulnerability has been
resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del() If an exiting non-autoreaping task has already passed
exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be
reaped by its parent or debugger right after unlock_task_sighand().

Checking update status

To check your kernel type and Livepatch version, enter this command:

canonical-livepatch status

The problem can be corrected in these Livepatch versions:

Kernel type 24.04 22.04 20.04 18.04 16.04 14.04
aws 116.1 116.1 116.1 116.1 116.1
aws-5.15 116.1
aws-hwe 116.1
azure 116.1 116.1
azure-5.15 116.1
gcp 116.1 116.1 116.1
gcp-4.15 116.1
gcp-5.15 116.1
generic-4.15 116.1 116.1
generic-4.4 116.1 116.1
generic-5.15 116.1
generic-5.4 116.1 116.1
gke 116.1
ibm 116.1 116.1
ibm-5.15 116.1
linux 116.1 116.1
lowlatency-4.15 116.1 116.1
lowlatency-4.4 116.1 116.1
lowlatency-5.15 116.1
lowlatency-5.4 116.1 116.1
oracle 116.1 116.1 116.1
oracle-5.15 116.1

References

Have additional questions?

Talk to a member of the team ›