Oracle Linux Security Advisory ELSA-2026-50100 http://linux.oracle.com/errata/ELSA-2026-50100.html
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: kernel-uek-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-container-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-container-debug-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-debug-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-debug-devel-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-devel-5.4.17-2136.352.5.el8uek.x86_64.rpm kernel-uek-doc-5.4.17-2136.352.5.el8uek.noarch.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/kernel-uek-5.4.17-2136.352.5.el8uek.src.rpm Related CVEs: CVE-2025-39964 CVE-2025-40022 CVE-2025-40083 CVE-2025-40211 CVE-2025-40248 CVE-2025-40254 CVE-2025-40259 CVE-2025-40263 CVE-2025-40264 CVE-2025-40271 CVE-2025-40275 CVE-2025-40277 CVE-2025-40280 CVE-2025-40281 CVE-2025-40283 CVE-2025-40304 CVE-2025-40308 CVE-2025-40309 CVE-2025-40321 CVE-2025-40322 CVE-2025-40331 CVE-2025-40363 CVE-2025-68185 CVE-2025-68192 CVE-2025-68194 CVE-2025-68229 CVE-2025-68241 CVE-2025-68245 CVE-2025-68312 CVE-2025-68734 Description of changes: [5.4.17-2136.352.5] - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx (Eric Biggers) [Orabug: 38879907] {CVE-2025-40022} [5.4.17-2136.352.4] - arm64: pensando: Must boot Ortano kernel with spin-table (Rob Gardner) [Orabug: 38821197] [5.4.17-2136.352.3] - net/sched: adjust device watchdog timer to detect stopped queue at right time (Praveen Kumar Kannoju) [Orabug: 38340278] - net/mlx5: Mark the mellanox graceful_period fix as out-of-tree change (Praveen Kumar Kannoju) [Orabug: 38252416] - infiniband/xsigo: Replace BUG_ON with WARN_ON_ONCE. (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xsvnic_main: Remove unused functions (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_cm: Fix mixed code warning (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_ethtool: Remove unused variable 'priv' (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_ib: Fix misleading indentation (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_ib: Fix mixed code warning (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_verbs: Remove unused label 'out_free_pd' (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_main: Remove unused function 'xve_napi_del' (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_main: Fix mixed code warning (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xve_main: Fix misleading indentation (Siddh Raman Pant) [Orabug: 38418469] - inifinibad/xsigo: xsvnic_main: Remove unused variable 'xsvnic_ethtool_ops' (Siddh Raman Pant) [Orabug: 38418469] - infiniband/xsigo: xscore_impl: Remove unused label 'err_pd' (Siddh Raman Pant) [Orabug: 38418469] - rds: Fix jiffies type in struct rds_conn_path (Siddh Raman Pant) [Orabug: 38418727] - kernel: sysctl: Remove unused variable 'zero' (Siddh Raman Pant) [Orabug: 38418727] - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (Herbert Xu) [Orabug: 38537469] {CVE-2025-39964} - RDMA/cm: Base cm_id destruction timeout on CMA values (Håkon Bugge) [Orabug: 38753622] - x86/its: Build fails with CONFIG_MITIGATION_ITS=n (Alexandre Chartre) [Orabug: 38756954] [5.4.17-2136.352.2] - LTS tag: v5.4.302 (Sherry Yang) - Input: pegasus-notetaker - fix potential out-of-bounds access (Seungjin Bae) - Input: remove third argument of usb_maxpacket() (Vincent Mailhol) - usb: deprecate the third argument of usb_maxpacket() (Vincent Mailhol) - fs/proc: fix uaf in proc_readdir_de() (Wei Yang) [Orabug: 38737034,38786776,38787139] {CVE-2025-40271} - pmdomain: imx: Fix reference count leak in imx_gpc_remove (Miaoqian Lin) - pmdomain: arm: scmi: Fix genpd leak on provider registration failure (Sudeep Holla) - net: netpoll: fix incorrect refcount handling causing incorrect cleanup (Breno Leitao) [Orabug: 38773510] {CVE-2025-68245} - net: qede: Initialize qede_ll_ops with designated initializer (Nathan Chancellor) - net: ethernet: ti: netcp: Standardize knav_dma_open_channel to return NULL on error (Nishanth Menon) - ALSA: usb-audio: fix uac2 clock source at terminal parser (René Rebe) - mm/page_alloc: fix hash table order logging in alloc_large_system_hash() (Isaac J. Manjarres) - kconfig/nconf: Initialize the default locale at startup (Jakub Horký) - kconfig/mconf: Initialize the default locale at startup (Jakub Horký) - vsock: Ignore signal/timeout on connect() if already established (Michal Luczaj) [Orabug: 38730612] {CVE-2025-40248} - s390/ctcm: Fix double-kfree (Aleksei Nikiforov) - net: openvswitch: remove never-working support for setting nsh fields (Ilya Maximets) [Orabug: 38730650] {CVE-2025-40254} - mlxsw: spectrum: Fix memory leak in mlxsw_sp_flower_stats() (Zilin Guan) - MIPS: Malta: Fix !EVA SOC-it PCI MMIO (Maciej W. Rozycki) - scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() (Hamza Mahfooz) [Orabug: 38773441] {CVE-2025-68229} - scsi: sg: Do not sleep in atomic context (Bart Van Assche) [Orabug: 38730664] {CVE-2025-40259} - Input: cros_ec_keyb - fix an invalid memory access (Tzung-Bi Shih) [Orabug: 38730681] {CVE-2025-40263} - be2net: pass wrb_params in case of OS2BMC (Andrey Vatoropin) [Orabug: 38730691] {CVE-2025-40264} - isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() (Abdun Nihaal) [Orabug: 38798908] {CVE-2025-68734} - EDAC/altera: Use INTTEST register for Ethernet and USB SBE injection (Niravkumar L Rabara) - EDAC/altera: Handle OCRAM ECC enable after warm reset (Niravkumar L Rabara) - spi: Try to get ACPI GPIO IRQ earlier (Hans de Goede) - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (Chuang Wang) [Orabug: 38773496] {CVE-2025-68241} - strparser: Fix signed/unsigned mismatch bug (Nate Karstens) - gcov: add support for GCC 15 (Peter Oberparleiter) - mm/ksm: fix flag-dropping behavior in ksm_madvise (Jakub Acs) - ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd (Haein Lee) [Orabug: 38737052] {CVE-2025-40275} - drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (Ian Forbes) [Orabug: 38737061] {CVE-2025-40277} - ASoC: cs4271: Fix regulator leak on probe failure (Xu Wang) - regulator: fixed: fix GPIO descriptor leak on register failure (Xu Wang) - regulator: fixed: use dev_err_probe for register (Chris Morgan) - Bluetooth: L2CAP: export l2cap_chan_hold for modules (Pauli Virtanen) - net_sched: limit try_bulk_dequeue_skb() batches (Eric Dumazet) - net_sched: remove need_resched() from qdisc_run() (Eric Dumazet) - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps (Gal Pressman) - net/mlx5e: Fix maxrate wraparound in threshold between units (Gal Pressman) - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak (Ranganath V N) - wifi: mac80211: skip rate verification for not captured PSDUs (Benjamin Berg) - net: mdio: fix resource leak in mdiobus_register_device() (Csaba Buday) - tipc: Fix use-after-free in tipc_mon_reinit_self(). (Kuniyuki Iwashima) [Orabug: 38737084] {CVE-2025-40280} - tipc: simplify the finalize work queue (Xin Long) - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto (Eric Dumazet) [Orabug: 38737091] {CVE-2025-40281} - sctp: get netns from asoc and ep base (Xin Long) - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions (Pauli Virtanen) - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion (Pauli Virtanen) - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path (Pauli Virtanen) - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (Raphael Pinsonneault-Thibeault) [Orabug: 38737104] {CVE-2025-40283} - net: fec: correct rx_bytes statistic for the case SHIFT16 is set (Wei Fang) - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down (Sharique Mohammad) - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug (Tristan Lobb) - NFS4: Fix state renewals missing after boot (Joshua Watt) - compiler_types: Move unused static inline functions warning to W=2 (Peter Zijlstra) - extcon: adc-jack: Cleanup wakeup source only if it was enabled (Krzysztof Kozlowski) - tracing: Fix memory leaks in create_field_var() (Zilin Guan) - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup (Qendrim Maxhuni) [Orabug: 38773283] {CVE-2025-68192} - sctp: Prevent TOCTOU out-of-bounds write (Stefan Wiehler) [Orabug: 38747447] {CVE-2025-40331} - sctp: Hold RCU read lock while iterating over address list (Stefan Wiehler) - net: dsa: b53: stop reading ARL entries if search is done (Jonas Gorski) - net: dsa: b53: fix enabling ip multicast (Jonas Gorski) - net: dsa: b53: fix resetting speed and pause on forced link (Jonas Gorski) - net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 (Álvaro Fernández Rojas) - net: dsa/b53: change b53_force_port_config() pause argument (Russell King) - net: vlan: sync VLAN features with lower device (Hangbin Liu) - ceph: add checking of wait_for_completion_killable() return value (Viacheslav Dubeyko) - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (Albin Babu Varghese) [Orabug: 38737182] {CVE-2025-40304} - ACPI: property: Return present device nodes only on fwnode interface (Sakari Ailus) - 9p: sysfs_init: don't hardcode error to ENOMEM (Randall P. Embry) - 9p: fix /sys/fs/9p/caches overwriting itself (Randall P. Embry) - fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/symlink (Yikang Yue) - ACPICA: Update dsmethod.c to get rid of unused variable warning (Saket Dumbre) - orangefs: fix xattr related buffer overflow... (Mike Marshall) - page_pool: Clamp pool size to max 16K pages (Dragos Tatulea) - Bluetooth: bcsp: receive data only if registered (Ivan Pravdin) [Orabug: 38737213] {CVE-2025-40308} - Bluetooth: SCO: Fix UAF on sco_conn_free (Luiz Augusto von Dentz) [Orabug: 38737224] {CVE-2025-40309} - net: macb: avoid dealing with endianness in macb_set_hwaddr() (Théo Lebrun) - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing (Al Viro) [Orabug: 38773245] {CVE-2025-68185} - NFSv4.1: fix mount hang after CREATE_SESSION failure (Anthony Iliopoulos) - NFSv4: handle ERR_GRACE on delegation recalls (Olga Kornievskaia) - remoteproc: qcom: q6v5: Avoid handling handover twice (Stephan Gerhold) - sparc/module: Add R_SPARC_UA64 relocation handling (Koakuma) - net: intel: fm10k: Fix parameter idx set but not used (Brahmajit Das) - jfs: fix uninitialized waitqueue in transaction manager (Shaurya Rane) - jfs: Verify inode mode when loading from disk (Tetsuo Handa) - ipv6: np->rxpmtu race annotation (Eric Dumazet) - usb: xhci: plat: Facilitate using autosuspend for xhci plat devices (Krishna Kurapati) - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs (Forest Crossman) - allow finish_no_open(file, ERR_PTR(-E...)) (Al Viro) - scsi: lpfc: Define size of debugfs entry for xri rebalancing (Justin Tee) - scsi: lpfc: Check return status of lpfc_reset_flush_io_context during TGT_RESET (Justin Tee) - selftests/Makefile: include $(INSTALL_DEP_TARGETS) in clean target to clean net/lib dependency (Nai-Chen Cheng) - net/cls_cgroup: Fix task_get_classid() during qdisc run (Yafang Shao) - selftests: Replace sleep with slowwait (David Ahern) - selftests: Disable dad for ipv6 in fcnal-test.sh (David Ahern) - media: redrat3: use int type to store negative error codes (Rong Qianfeng) - net: sh_eth: Disable WoL if system can not suspend (Niklas Söderlund) - phy: cadence: cdns-dphy: Enable lower resolutions in dphy (Harikrishna Shenoy) - usb: gadget: f_hid: Fix zero length packet transfer (William Wu) - net: call cond_resched() less often in __release_sock() (Eric Dumazet) - ALSA: usb-audio: apply quirk for MOONDROP Quark2 (Cryolitia Pukngae) - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms (Juraj Šarinay) - dmaengine: dw-edma: Set status for callback_result (Devendra K Verma) - dmaengine: mv_xor: match alloc_wc and free_wc (Rosen Penev) - dmaengine: sh: setup_xref error handling (Thomas Andreatta) - scsi: pm8001: Use int instead of u32 to store error codes (Rong Qianfeng) - mips: lantiq: xway: sysctrl: rename stp clock (Aleksander Jan Bajkowski) - mips: lantiq: danube: add missing device_type in pci node (Aleksander Jan Bajkowski) - mips: lantiq: danube: add missing properties to cpu node (Aleksander Jan Bajkowski) - media: fix uninitialized symbol warnings (Chelsy Ratnawat) - drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption (Amber Lin) - extcon: adc-jack: Fix wakeup source leaks on device unbind (Krzysztof Kozlowski) - PCI/P2PDMA: Fix incorrect pointer usage in devm_kfree() call (Sungho Kim) - net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. (Kuniyuki Iwashima) - net: When removing nexthops, don't call synchronize_net if it is not necessary (Christoph Paasch) - char: misc: Does not request module for miscdevice with dynamic minor (Zijun Hu) - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet (Raub Camaioni) - iio: adc: spear_adc: mask SPEAR_ADC_STATUS channel and avg sample before setting register (Rodrigo Gobbi) - media: imon: make send_packet() more robust (Tetsuo Handa) [Orabug: 38773298] {CVE-2025-68194} - net: ipv6: fix field-spanning memcpy warning in AH output (Charalampos Mitrodimas) [Orabug: 38773141] {CVE-2025-40363} - bridge: Redirect to backup port when port is administratively down (Ido Schimmel) - powerpc/eeh: Use result of error_detected() in uevent (Niklas Schnelle) - x86/vsyscall: Do not require X86_PF_INSTR to emulate vsyscall (Kirill A. Shutemov) - media: pci: ivtv: Don't create fake v4l2_fh (Laurent Pinchart) - drm/amdkfd: return -ENOTTY for unsupported IOCTLs (Geoffrey Mcrae) - selftests/net: Ensure assert() triggers in psock_tpacket.c (Wake Liu) - selftests/net: Replace non-standard __WORDSIZE with sizeof(long) * 8 (Wake Liu) - PCI: Disable MSI on RDC PCI to PCIe bridges (Marcos Del Sol Vives) - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() (Seyediman Seyedarab) - mfd: madera: Work around false-positive -Wininitialized warning (Arnd Bergmann) - mfd: stmpe-i2c: Add missing MODULE_LICENSE (Alexander Stein) - mfd: stmpe: Remove IRQ domain upon removal (Alexander Stein) - tools/power x86_energy_perf_policy: Prefer driver HWP limits (Len Brown) - tools/power x86_energy_perf_policy: Enhance HWP enable (Len Brown) - tools/cpupower: Fix incorrect size in cpuidle_state_disable() (Kaushlendra Kumar) - hwmon: (dell-smm) Add support for Dell OptiPlex 7040 (Armin Wolf) - uprobe: Do not emulate/sstep original instruction when ip is changed (Jiri Olsa) - clocksource/drivers/vf-pit: Replace raw_readl/writel to readl/writel (Daniel Lezcano) - video: backlight: lp855x_bl: Set correct EPROM start for LP8556 (Svyatoslav Ryhel) - tee: allow a driver to allocate a tee_device without a pool (Amirreza Zarrabi) - ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() (Hans de Goede) - mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card (Sarthak Garg) - irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment (Christian Bruel) - arc: Fix __fls() const-foldability via __builtin_clzl() (Kees Cook) - cpufreq/longhaul: handle NULL policy in longhaul_exit (Dennis Beier) - selftests/bpf: Fix bpf_prog_detach2 usage in test_lirc_mode2 (Ricardo B. Marlière) - ACPI: video: force native for Lenovo 82K8 (Mario Limonciello) - memstick: Add timeout to prevent indefinite waiting (Jiayi Li) - mmc: host: renesas_sdhi: Fix the actual clock (Biju Das) - bpf: Don't use %pK through printk (Thomas Weißschuh) - spi: loopback-test: Don't use %pK through printk (Thomas Weißschuh) - soc: qcom: smem: Fix endian-unaware access of num_entries (Jens Reidel) - usb: gadget: f_fs: Fix epfile null pointer access after ep enable. (Owen Gu) - serial: 8250_dw: handle reset control deassert error (Artem Shimko) - serial: 8250_dw: Use devm_add_action_or_reset() (Andy Shevchenko) - serial: 8250_dw: Use devm_clk_get_optional() to get the input clock (Andy Shevchenko) - can: gs_usb: increase max interface to U8_MAX (Celeste Liu) - devcoredump: Fix circular locking dependency with devcd->mutex. (Maarten Lankhorst) - net: ravb: Enforce descriptor type ordering (Lad Prabhakar) - x86/resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID (Babu Moger) - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode (Gokul Sivakumar) [Orabug: 38737292] {CVE-2025-40321} - net: phy: dp83867: Disable EEE support as not implemented (Emanuele Ghidoli) - regmap: slimbus: fix bus_context pointer in regmap init calls (Alexey Klimov) - drm/etnaviv: fix flush sequence logic (Tomeu Vizoso) - usbnet: Prevents free active kevent (Lizhi Xu) [Orabug: 38773784] {CVE-2025-68312} - wifi: ath10k: Fix memory leak on unsupported WMI command (Loic Poulain) - ASoC: qdsp6: q6asm: do not sleep while atomic (Srinivas Kandagatla) - fbdev: valkyriefb: Fix reference count leak in valkyriefb_init (Miaoqian Lin) - fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS (Florian Fuchs) - fbdev: bitblit: bound-check glyph index in bit_putcs* (Junjie Cao) [Orabug: 38737301] {CVE-2025-40322} - ACPI: video: Fix use-after-free in acpi_video_switch_brightness() (Yuhao Jiang) [Orabug: 38687005] {CVE-2025-40211} - fbdev: atyfb: Check if pll_ops->init_pll failed (Daniel Palmer) - net: usb: asix_devices: Check return value of usbnet_get_endpoints (Miaoqian Lin) - btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() (Filipe Manana) - x86/bugs: Fix reporting of LFENCE retpoline (David Kaplan) - net/sched: sch_qfq: Fix null-deref in agg_dequeue (Xiang Mei) [Orabug: 38597085] {CVE-2025-40083} [5.4.17-2136.352.1] - RDMA/cm: Rate limit destroy CM ID timeout error message (Håkon Bugge) [Orabug: 38753401] - soc/pensando: giglio: hack dts to make things right (Rob Gardner) [Orabug: 38688154] - soc/pensando: Add AMD Pensando Giglio SoC support (Brad Larson) [Orabug: 38688154] - soc/pensando: psci support (David Clear) [Orabug: 38688154] - soc/pensando: Giglio SoC eMMC interrupt driver (Brad Larson) [Orabug: 38688154] _______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
