ELSA-2025-21112

ULN >
Oracle Linux Errata repository >
ELSA-2025-21112

ELSA-2025-21112 - kernel security update

Type:	SECURITY
Impact:	MODERATE
Release Date:	2025-11-26

Description

[5.14.0-611.7.1]
- Disable UKI signing [Orabug: 36571828]
- Update Oracle Linux certificates (Kevin Lyons)
- Disable signing for aarch64 (Ilya Okomin)
- Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list (olkmod_signing_key.pem) [Orabug: 29539237]
- Update x509.genkey [Orabug: 24817676]
- Conflict with shim-ia32 and shim-x64 <= 15.3-1.0.5]
- Remove upstream reference during boot (Kevin Lyons) [Orabug: 34729535]
- Add Oracle Linux IMA certificates
- Add new Oracle Linux Driver Signing (key 1) certificate [Orabug: 37985764]

[5.14.0-611.7.1]
- The rpminspect.yaml emptyrpm list needs to be expanded (Alexandra Hajkova)
- crypto: xts - Handle EBUSY correctly (Vladis Dronov) [RHEL-119236] {CVE-2023-53494}
- ice: fix NULL access of tx->in_use in ice_ll_ts_intr (Petr Oros) [RHEL-112874]
- ice: fix NULL access of tx->in_use in ice_ptp_ts_irq (Petr Oros) [RHEL-112874]
- ice: fix Rx page leak on multi-buffer frames (Petr Oros) [RHEL-116540]
- xfs: do not propagate ENODATA disk errors into xattr code (Carlos Maiolino) [RHEL-115730]
- ipv6: sr: Fix MAC comparison to be constant-time (CKI Backport Bot) [RHEL-116383] {CVE-2025-39702}
- s390/hypfs: Enable limited access during lockdown (CKI Backport Bot) [RHEL-114434]
- s390/hypfs: Avoid unnecessary ioctl registration in debugfs (CKI Backport Bot) [RHEL-114434]
- vsock/virtio: Validate length in packet header before skb_put() (Jon Maloy) [RHEL-114298] {CVE-2025-39718}

[5.14.0-611.6.1]
- pstore/ram: Check start of empty przs during init (CKI Backport Bot) [RHEL-122068] {CVE-2023-53331}
- ixgbe: fix ixgbe_orom_civd_info struct layout (Michal Schmidt) [RHEL-119074]
- scsi: lpfc: Fix buffer free/clear order in deferred receive path (CKI Backport Bot) [RHEL-119130] {CVE-2025-39841}
- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CKI Backport Bot) [RHEL-118257] {CVE-2025-39817}
- SUNRPC: call xs_sock_process_cmsg for all cmsg (Olga Kornievskaia) [RHEL-110810]
- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [RHEL-110810] {CVE-2025-38571}
- smb: client: fix wrong index reference in smb2_compound_op() (Paulo Alcantara) [RHEL-117880]
- smb: client: handle unlink(2) of files open by different clients (Paulo Alcantara) [RHEL-117880]
- smb: client: fix file open check in __cifs_unlink() (Paulo Alcantara) [RHEL-117880]
- smb: client: fix filename matching of deferred files (Paulo Alcantara) [RHEL-117880]
- smb: client: fix data loss due to broken rename(2) (Paulo Alcantara) [RHEL-117880]
- smb: client: fix compound alignment with encryption (Paulo Alcantara) [RHEL-117880]
- fs/smb: Fix inconsistent refcnt update (Paulo Alcantara) [RHEL-117880] {CVE-2025-39819}
- sunrpc: fix handling of server side tls alerts (Steve Dickson) [RHEL-111069] {CVE-2025-38566}
- wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() (CKI Backport Bot) [RHEL-117580] {CVE-2025-39849}
- crypto: seqiv - Handle EBUSY correctly (CKI Backport Bot) [RHEL-117235] {CVE-2023-53373}
- ibmvnic: Increase max subcrq indirect entries with fallback (Mamatha Inamdar) [RHEL-116187]
- fs: fix UAF/GPF bug in nilfs_mdt_destroy (CKI Backport Bot) [RHEL-116662] {CVE-2022-50367}
- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Charles Mirabile) [RHEL-113837] {CVE-2022-50087}
- hv_netvsc: Fix panic during namespace deletion with VF (Maxim Levitsky) [RHEL-115070]
- RDMA/mana_ib: Fix DSCP value in modify QP (Maxim Levitsky) [RHEL-115070]
- net: mana: Handle Reset Request from MANA NIC (Maxim Levitsky) [RHEL-115070]
- net: mana: Set tx_packets to post gso processing packet count (Maxim Levitsky) [RHEL-115070]
- net: mana: Handle unsupported HWC commands (Maxim Levitsky) [RHEL-115070]
- net: mana: Add handler for hardware servicing events (Maxim Levitsky) [RHEL-115070]
- RDMA/mana_ib: Add device statistics support (Maxim Levitsky) [RHEL-115070]
- net: mana: Expose additional hardware counters for drop and TC via ethtool. (Maxim Levitsky) [RHEL-115070]
- net: mana: Fix warnings for missing export.h header inclusion (Maxim Levitsky) [RHEL-115070]
- net: mana: Record doorbell physical address in PF mode (Maxim Levitsky) [RHEL-115070]
- s390/pci: Do not try re-enabling load/store if device is disabled (CKI Backport Bot) [RHEL-114451]
- s390/pci: Fix stale function handles in error handling (CKI Backport Bot) [RHEL-114451]
- redhat: enable TDX host config (Paolo Bonzini) [RHEL-27146]
- KVM: TDX: Explicitly do WBINVD when no more TDX SEAMCALLs (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Update the kexec section in the TDX documentation (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Remove the !KEXEC_CORE dependency (Paolo Bonzini) [RHEL-27146]
- x86/kexec: Disable kexec/kdump on platforms with TDX partial write erratum (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Mark memory cache state incoherent when making SEAMCALL (Paolo Bonzini) [RHEL-27146]
- x86/sme: Use percpu boolean to control WBINVD during kexec (Paolo Bonzini) [RHEL-27146]
- x86/virt/tdx: Avoid indirect calls to TDX assembly functions (Paolo Bonzini) [RHEL-27146]
- ibmvnic: Use ndo_get_stats64 to fix inaccurate SAR reporting (Mamatha Inamdar) [RHEL-114437]
- ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof (Mamatha Inamdar) [RHEL-114437]
- ibmvnic: Add stat for tx direct vs tx batched (Mamatha Inamdar) [RHEL-114437]
- redhat/configs: Enable CONFIG_MITIGATION_VMSCAPE for x86 (Waiman Long) [RHEL-114272]
- x86/vmscape: Add old Intel CPUs to affected list (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Warn when STIBP is disabled with SMT (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/bugs: Move cpu_bugs_smt_update() down (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Enable the mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Add conditional IBPB mitigation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- x86/vmscape: Enumerate VMSCAPE bug (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- Documentation/hw-vuln: Add VMSCAPE documentation (Waiman Long) [RHEL-114272] {CVE-2025-40300}
- randomize_kstack: Remove non-functional per-arch entropy filtering (Waiman Long) [RHEL-114272]
- tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) [RHEL-113917]

Related CVEs

Updated Packages

Release/Architecture	Filename	sha256	Superseded By Advisory	Channel Label

Oracle Linux 9 (aarch64)	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_aarch64_appstream
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_aarch64_baseos_latest
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_aarch64_codeready_builder
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_aarch64_u7_baseos_patch
	kernel-cross-headers-5.14.0-611.7.1.el9_7.aarch64.rpm	eb79fa5ca6b617b24418c82278a08e1c7415d771d691a1752fdd3325c57e8182	-	ol9_aarch64_codeready_builder
	kernel-headers-5.14.0-611.7.1.el9_7.aarch64.rpm	2faa6d41b412946753c7c8b4abccc132d0980e1028876a1e052144326b7f5aec	-	ol9_aarch64_appstream
	kernel-tools-5.14.0-611.7.1.el9_7.aarch64.rpm	84a6d06b1e160a4aae321f680b0672d74cfb76c39d13d4dc2ba5a0c435ddffd3	-	ol9_aarch64_baseos_latest
	kernel-tools-5.14.0-611.7.1.el9_7.aarch64.rpm	84a6d06b1e160a4aae321f680b0672d74cfb76c39d13d4dc2ba5a0c435ddffd3	-	ol9_aarch64_u7_baseos_patch
	kernel-tools-libs-5.14.0-611.7.1.el9_7.aarch64.rpm	30d4faf3ee0a9e75b1e7b2374008623205f240ed22d87db96ee45cfa2ff9ad8d	-	ol9_aarch64_baseos_latest
	kernel-tools-libs-5.14.0-611.7.1.el9_7.aarch64.rpm	30d4faf3ee0a9e75b1e7b2374008623205f240ed22d87db96ee45cfa2ff9ad8d	-	ol9_aarch64_u7_baseos_patch
	kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.aarch64.rpm	36281250d7eb821a466b9758520a32359400eaf469c3af2d216a01413b44fd82	-	ol9_aarch64_codeready_builder
	libperf-5.14.0-611.7.1.el9_7.aarch64.rpm	563b1de1fe932e0e3ecb12c9a57a53e0919481124dfadd30b7de047419f27e58	-	ol9_aarch64_codeready_builder
	perf-5.14.0-611.7.1.el9_7.aarch64.rpm	c9cd4cc26b3a5155a4c56902492485d9ab7447e6ad7dc89ca9cf03402aaf4893	-	ol9_aarch64_appstream
	python3-perf-5.14.0-611.7.1.el9_7.aarch64.rpm	6cedd82d8aaabc9a8121e883a4b4ba4981e8c7736474647405e9d9899697a4c1	-	ol9_aarch64_appstream
	rtla-5.14.0-611.7.1.el9_7.aarch64.rpm	6f64c16428a21d83c133d98109fd4c586fa6470cf95da145d454858ab077c57d	-	ol9_aarch64_appstream
	rv-5.14.0-611.7.1.el9_7.aarch64.rpm	ccc77f804e7211c03d42b864dc4e62faf73cf4f90d43ce4c8b8958cc3bd7dbfa	-	ol9_aarch64_appstream

Oracle Linux 9 (x86_64)	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_x86_64_appstream
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_x86_64_codeready_builder
	kernel-5.14.0-611.7.1.el9_7.src.rpm	2353146641ac88029cab24a29156191d579bf7974275e64d0bb8719adbbd14f5	-	ol9_x86_64_u7_baseos_patch
	kernel-5.14.0-611.7.1.el9_7.x86_64.rpm	6f7c44de94c4bd6f4e8d6836d63e5bf9c3af7a098bbdc081038a27d59a721f30	-	ol9_x86_64_baseos_latest
	kernel-5.14.0-611.7.1.el9_7.x86_64.rpm	6f7c44de94c4bd6f4e8d6836d63e5bf9c3af7a098bbdc081038a27d59a721f30	-	ol9_x86_64_u7_baseos_patch
	kernel-abi-stablelists-5.14.0-611.7.1.el9_7.noarch.rpm	fb6620c6e11a78016015b79ec1bc5f6ccf2f23004776c93d00525b89902d86a2	-	ol9_x86_64_baseos_latest
	kernel-abi-stablelists-5.14.0-611.7.1.el9_7.noarch.rpm	fb6620c6e11a78016015b79ec1bc5f6ccf2f23004776c93d00525b89902d86a2	-	ol9_x86_64_u7_baseos_patch
	kernel-core-5.14.0-611.7.1.el9_7.x86_64.rpm	b3f7d3f652fcd55c535334c58af77c4a39f6b0f3c3df1b903da68fa620094a88	-	ol9_x86_64_baseos_latest
	kernel-core-5.14.0-611.7.1.el9_7.x86_64.rpm	b3f7d3f652fcd55c535334c58af77c4a39f6b0f3c3df1b903da68fa620094a88	-	ol9_x86_64_u7_baseos_patch
	kernel-cross-headers-5.14.0-611.7.1.el9_7.x86_64.rpm	53bc5750a0a982298790841e149cb6bc92ac58d86d8e187a03d52b87fe78a60d	-	ol9_x86_64_codeready_builder
	kernel-debug-5.14.0-611.7.1.el9_7.x86_64.rpm	374105b17817f41fecc39e0292d2785bd6e9997403100f69a0bb1daf8c7e6580	-	ol9_x86_64_baseos_latest
	kernel-debug-5.14.0-611.7.1.el9_7.x86_64.rpm	374105b17817f41fecc39e0292d2785bd6e9997403100f69a0bb1daf8c7e6580	-	ol9_x86_64_u7_baseos_patch
	kernel-debug-core-5.14.0-611.7.1.el9_7.x86_64.rpm	8bc863ed8b816498c6e715095097313548041ee82fb4c7e28e60afea91d6a72d	-	ol9_x86_64_baseos_latest
	kernel-debug-core-5.14.0-611.7.1.el9_7.x86_64.rpm	8bc863ed8b816498c6e715095097313548041ee82fb4c7e28e60afea91d6a72d	-	ol9_x86_64_u7_baseos_patch
	kernel-debug-devel-5.14.0-611.7.1.el9_7.x86_64.rpm	3154ca00336658033df4dfac14a5037da4da90e44d045a7a1abab9161d4aac83	-	ol9_x86_64_appstream
	kernel-debug-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm	85a409910925679371c71f6b2eac67528901253bfa3fa52ae43b5ac3686160fa	-	ol9_x86_64_appstream
	kernel-debug-modules-5.14.0-611.7.1.el9_7.x86_64.rpm	f770bf6e218c88a16dc8e38094d432b1e5d55fd92d20b6df7f737d82e5ce8e17	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-5.14.0-611.7.1.el9_7.x86_64.rpm	f770bf6e218c88a16dc8e38094d432b1e5d55fd92d20b6df7f737d82e5ce8e17	-	ol9_x86_64_u7_baseos_patch
	kernel-debug-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm	a25d601ea6aec2cd27b703b153ef056919b55f21924775172741259526cda434	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm	a25d601ea6aec2cd27b703b153ef056919b55f21924775172741259526cda434	-	ol9_x86_64_u7_baseos_patch
	kernel-debug-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm	b2d8cd11521700bb64fc5f9ea2b8f252df1cc888a62a1a6f8d54a95550dece54	-	ol9_x86_64_baseos_latest
	kernel-debug-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm	b2d8cd11521700bb64fc5f9ea2b8f252df1cc888a62a1a6f8d54a95550dece54	-	ol9_x86_64_u7_baseos_patch
	kernel-debug-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm	4713e3a1768f1f4bee6fd00e4778c29eadc2130c98a4ad9ecd2274c653da95a4	-	ol9_x86_64_baseos_latest
	kernel-debug-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm	4713e3a1768f1f4bee6fd00e4778c29eadc2130c98a4ad9ecd2274c653da95a4	-	ol9_x86_64_u7_baseos_patch
	kernel-devel-5.14.0-611.7.1.el9_7.x86_64.rpm	8921aee312a309e10272c08cb7d5cbc12a0ae05043af1f1e281518f6682f2409	-	ol9_x86_64_appstream
	kernel-devel-matched-5.14.0-611.7.1.el9_7.x86_64.rpm	1297ccbcad7520824b2fa9ba968805400cb30fe4a8ab8880aad9b688ea52fc40	-	ol9_x86_64_appstream
	kernel-doc-5.14.0-611.7.1.el9_7.noarch.rpm	ddac0a3678ad43d56b15f735eed88bdc00eeba0eed675e1fb6c4c0dbab2f224a	-	ol9_x86_64_appstream
	kernel-headers-5.14.0-611.7.1.el9_7.x86_64.rpm	f3dbf292608eb59e2072c5baf971f1d15dc294f3f2a9be067d1945e7a049bc12	-	ol9_x86_64_appstream
	kernel-modules-5.14.0-611.7.1.el9_7.x86_64.rpm	6e83ed63ed85d92431cb3eb344c1364a80c4b1763bf8df2a664817974e6e219a	-	ol9_x86_64_baseos_latest
	kernel-modules-5.14.0-611.7.1.el9_7.x86_64.rpm	6e83ed63ed85d92431cb3eb344c1364a80c4b1763bf8df2a664817974e6e219a	-	ol9_x86_64_u7_baseos_patch
	kernel-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm	24d8b359a6c12a5901bcc824548fa533183b7d26378f9cfbb50c715ac268d0c3	-	ol9_x86_64_baseos_latest
	kernel-modules-core-5.14.0-611.7.1.el9_7.x86_64.rpm	24d8b359a6c12a5901bcc824548fa533183b7d26378f9cfbb50c715ac268d0c3	-	ol9_x86_64_u7_baseos_patch
	kernel-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm	12c775c0606ee9fda392c6b8e6d632b119b909a0cda9ee6137ce8718a2eaa614	-	ol9_x86_64_baseos_latest
	kernel-modules-extra-5.14.0-611.7.1.el9_7.x86_64.rpm	12c775c0606ee9fda392c6b8e6d632b119b909a0cda9ee6137ce8718a2eaa614	-	ol9_x86_64_u7_baseos_patch
	kernel-tools-5.14.0-611.7.1.el9_7.x86_64.rpm	d704c9dc77fa7ef5a381d5dc22209c28ab0b70eaaf3a10aa93984a581a7fc169	-	ol9_x86_64_baseos_latest
	kernel-tools-5.14.0-611.7.1.el9_7.x86_64.rpm	d704c9dc77fa7ef5a381d5dc22209c28ab0b70eaaf3a10aa93984a581a7fc169	-	ol9_x86_64_u7_baseos_patch
	kernel-tools-libs-5.14.0-611.7.1.el9_7.x86_64.rpm	45580f2e390055a03dcf4a3a864a87b9cf2d8d6adf30953fade2f1bf3ddcc298	-	ol9_x86_64_baseos_latest
	kernel-tools-libs-5.14.0-611.7.1.el9_7.x86_64.rpm	45580f2e390055a03dcf4a3a864a87b9cf2d8d6adf30953fade2f1bf3ddcc298	-	ol9_x86_64_u7_baseos_patch
	kernel-tools-libs-devel-5.14.0-611.7.1.el9_7.x86_64.rpm	9c7facff5b24800af64d645f91252d409f9458539d5b8804cd7bd66c45c3fdfe	-	ol9_x86_64_codeready_builder
	kernel-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm	7232ab3a86ea943345b1a8330cd9a566bf2eadee9bf0e6a9a4472b2c2cc08082	-	ol9_x86_64_baseos_latest
	kernel-uki-virt-5.14.0-611.7.1.el9_7.x86_64.rpm	7232ab3a86ea943345b1a8330cd9a566bf2eadee9bf0e6a9a4472b2c2cc08082	-	ol9_x86_64_u7_baseos_patch
	kernel-uki-virt-addons-5.14.0-611.7.1.el9_7.x86_64.rpm	a800d8beadc941fa99d973051ba5f115248e5b47c8046d73ccc85037703d93cf	-	ol9_x86_64_baseos_latest
	kernel-uki-virt-addons-5.14.0-611.7.1.el9_7.x86_64.rpm	a800d8beadc941fa99d973051ba5f115248e5b47c8046d73ccc85037703d93cf	-	ol9_x86_64_u7_baseos_patch
	libperf-5.14.0-611.7.1.el9_7.x86_64.rpm	256e9ac71332375f7ec62cd88887cddb10be063a2f4b653d5f00a555dffae3d6	-	ol9_x86_64_codeready_builder
	perf-5.14.0-611.7.1.el9_7.x86_64.rpm	3a15e4b85a14f9e918ce3df96c87e240de438e171cedad1cbaafa8fddce8ba46	-	ol9_x86_64_appstream
	python3-perf-5.14.0-611.7.1.el9_7.x86_64.rpm	0cab2841664569883d4fd5827d21faeb3c3922f69430b6214107e1b6b67fa4b6	-	ol9_x86_64_appstream
	rtla-5.14.0-611.7.1.el9_7.x86_64.rpm	07e30495dbbd1f2af4cbe55a50481b8456793a7f5cd26a47030076d546b1a783	-	ol9_x86_64_appstream
	rv-5.14.0-611.7.1.el9_7.x86_64.rpm	5f2c7ce4ed6b3f21854e3adec3f4738747bdb15bb08fd3c8f7941c7d20411dc3	-	ol9_x86_64_appstream

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

Technical information

Oracle Linux Support

Connect

Contact Us

Global contacts
Oracle 1-800-633-0691