Tuesday, December 16, 2025

FreeBSD Security Advisory FreeBSD-SA-25:12.rtsold

=============================================================================
FreeBSD-SA-25:12.rtsold Security Advisory
The FreeBSD Project

Topic: Remote code execution via ND6 Router Advertisements

Category: core
Module: rtsold
Announced: 2025-12-16
Credits: Kevin Day
Affects: All supported versions of FreeBSD.
Corrected: 2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE)
           2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1)
           2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE)
           2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7)
           2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE)
           2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name: CVE-2025-14558

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

rtsold(8) and rtsol(8) are programs which process router advertisement
packets as part of the IPv6 stateless address autoconfiguration (SLAAC)
mechanism.

II. Problem Description

The rtsol(8) and rtsold(8) programs do not validate the domain search list
options provided in router advertisement messages; the option body is passed
to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input. A lack of
quoting meant that shell commands passed as input to resolvconf(8) may be
executed.
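
The kind of check the description says was missing, as an added example (not part of the advisory and not the FreeBSD patch): a search list is accepted only if every name is a plain hostname, and the untrusted text is never expanded unquoted. The function names and the strict letters-digits-hyphen rule are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: fail-closed validation of a DNS search list before it is
# handed to any shell script. Names and policy here are illustrative.
LC_ALL=C; export LC_ALL    # make [A-Za-z] ranges byte-wise

# valid_dns_name NAME -> 0 if NAME is a hostname made of LDH labels.
valid_dns_name() {
    name=${1%.}                          # tolerate one trailing root dot
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1   # maximum length of a full name
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;    # rejects ; $ ` ( ) | & space etc.
        .*|*.|*..*)       return 1 ;;    # empty label
    esac
    # Safe to split unquoted now: only LDH characters and dots remain.
    old_ifs=$IFS
    IFS=.
    set -- $name
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1     # maximum label length
        case "$label" in
            -*|*-) return 1 ;;                 # no leading/trailing hyphen
        esac
    done
    return 0
}

# check_search_list "name1 name2 ..." -> 0 only if the list is non-empty
# and every name is valid. One rejected name rejects the whole list.
check_search_list() {
    # Feed names one per line so the untrusted string is never word-split
    # or glob-expanded by the shell.
    printf '%s\n' "$1" | tr -s ' \t' '\n' | {
        count=0
        bad=0
        while IFS= read -r cand; do
            [ -n "$cand" ] || continue
            valid_dns_name "$cand" || bad=1
            count=$((count + 1))
        done
        [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
    }
}

# Constructed sample inputs: one well-formed list and three malformed ones.
for sample in 'example.com lab.example.net' 'example.com;x' \
              '$(x).example' 'a..example'; do
    if check_search_list "$sample"; then verdict=accept; else verdict=reject; fi
    printf '%-7s %s\n' "$verdict" "$sample"
done
```
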

III. Impact

Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution
from systems on the same network segment. In particular, router advertisement
messages are not routable and should be dropped by routers, so the attack does
not cross network boundaries.

IV. Workaround

No workaround is available. Users not using IPv6, and IPv6 users that do not
configure the system to accept router advertisement messages, are not affected.
A network interface listed by ifconfig(8) accepts router advertisement messages
if the string "ACCEPT_RTADV" is present in the nd6 option list.
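
A triage helper for the criteria above, as an added example that is not part of the advisory: it lists interfaces whose nd6 options include ACCEPT_RTADV and compares a RELEASE patch level with the fixed levels in the "Corrected" field. The function names and the sample ifconfig(8) output are constructed for illustration.

```shell
#!/bin/sh
# Added example: host triage for FreeBSD-SA-25:12.rtsold.

# Constructed sample of ifconfig(8) output (documentation addresses).
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        inet6 2001:db8::1 prefixlen 64
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:02
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
EOF
}

# Read ifconfig output on stdin; print each interface whose nd6 option
# list contains the exact token ACCEPT_RTADV.
rtadv_interfaces() {
    awk '
        /^[^[:space:]]/ { iface = $1; sub(/:$/, "", iface) }
        /^[[:space:]]+nd6 options=/ {
            if (match($0, /<[^>]*>/)) {
                flags = "," substr($0, RSTART + 1, RLENGTH - 2) ","
                if (index(flags, ",ACCEPT_RTADV,")) print iface
            }
        }'
}

# First fixed patch level per release branch, from the advisory header.
fixed_patchlevel() {
    case "$1" in
        15.0) echo 1 ;;
        14.3) echo 7 ;;
        13.5) echo 8 ;;
        *)    return 1 ;;
    esac
}

# release_is_patched VERSION -> 0 patched, 1 not patched, 2 cannot tell.
# Only RELEASE strings are judged; for STABLE compare commit counts as
# described under "Correction details".
release_is_patched() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*) rel=${ver%%-RELEASE*}; pl=${ver##*-p} ;;
        *-RELEASE)    rel=${ver%-RELEASE};   pl=0 ;;
        *)            return 2 ;;
    esac
    case "$pl" in ''|*[!0-9]*) return 2 ;; esac
    need=$(fixed_patchlevel "$rel") || return 2
    [ "$pl" -ge "$need" ]
}

# assess_host VERSION < ifconfig-output -> one-line verdict on stdout.
assess_host() {
    ifaces=$(rtadv_interfaces | tr '\n' ' ')
    ifaces=${ifaces% }
    if [ -z "$ifaces" ]; then
        echo "not affected"
        return 0
    fi
    rc=0
    release_is_patched "$1" || rc=$?
    case "$rc" in
        0) echo "patched: $ifaces" ;;
        1) echo "vulnerable: $ifaces" ;;
        *) echo "unknown: $ifaces" ;;
    esac
}

# Demo on the constructed sample. On a live host:
#   ifconfig | assess_host "$(freebsd-version -u)"
sample_ifconfig | assess_host "14.3-RELEASE-p6"
```
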

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch
# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path     Hash            Revision
-------------------------------------------------------------------------
stable/15/      6759fbb1a553    stable/15-n281548
releng/15.0/    408f5c61821f    releng/15.0-n280998
stable/14/      26702912e857    stable/14-n273051
releng/14.3/    3c54b204bf86    releng/14.3-n271454
stable/13/      4fef5819cca9    stable/13-n259643
releng/13.5/    35cee6a90119    releng/13.5-n259186
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14558>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:12.rtsold.asc>

FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw

=============================================================================
FreeBSD-SA-25:11.ipfw Security Advisory
The FreeBSD Project

Topic: ipfw denial of service

Category: core
Module: ipfw
Announced: 2025-12-16
Affects: FreeBSD 13 and 14
Corrected: 2025-11-04 00:52:54 UTC (stable/14, 14.3-STABLE)
           2025-12-16 23:43:24 UTC (releng/14.3, 14.3-RELEASE-p7)
           2025-11-04 00:52:12 UTC (stable/13, 13.5-STABLE)
           2025-12-16 23:43:32 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name: CVE-2025-14769

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

ipfw(4) is one of the firewalls provided in the FreeBSD base system. Its
`tcp-setmss` configuration directive allows the system administrator to lower
the Maximum Segment Size of a packet.

II. Problem Description

In some cases, the `tcp-setmss` handler may free the packet data and throw an
error without halting the rule processing engine. A subsequent rule can then
allow the traffic after the packet data is gone, resulting in a NULL pointer
dereference.

III. Impact

Maliciously crafted packets sent from a remote host may result in a Denial of
Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would
allow the traffic to pass.

IV. Workaround

No workaround is available, but systems that do not use ipfw(4) with the
`tcp-setmss` directive are not affected.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-14.patch.asc
# gpg --verify ipfw-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch
# fetch https://security.FreeBSD.org/patches/SA-25:11/ipfw-13.patch.asc
# gpg --verify ipfw-13.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path     Hash            Revision
-------------------------------------------------------------------------
stable/14/      deb684f9d1d6    stable/14-n272799
releng/14.3/    c0cb68169beb    releng/14.3-n271453
stable/13/      94360584542a    stable/13-n259534
releng/13.5/    60026b06366f    releng/13.5-n259185
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284606>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14769>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:11.ipfw.asc>

FreeBSD Errata Notice FreeBSD-EN-25:20.vmm

=============================================================================
FreeBSD-EN-25:20.vmm Errata Notice
The FreeBSD Project

Topic: bhyve(8) PCI passthru regression

Category: core
Module: vmm
Announced: 2025-12-16
Affects: FreeBSD 15.0
Corrected: 2025-12-15 15:47:23 UTC (stable/15, 15.0-STABLE)
           2025-12-16 23:43:00 UTC (releng/15.0, 15.0-RELEASE-p1)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

vmm(4) is a kernel module which provides an interface to hardware
virtualization capabilities. It is the kernel-side counterpart to bhyve(8).

PCI passthru is a feature of bhyve(8) on amd64 which allows a PCIe device, such
as a network interface or GPU, to be effectively detached from the host system
and passed directly into a guest virtual machine, allowing the guest to control
the physical hardware.

II. Problem Description

Some refactoring of the vmm(4) code introduced a regression in the portion
of the module which creates IOMMU mappings of guest memory.

III. Impact

The bug could cause PCI passthrough to not work as expected.

IV. Workaround

No workaround is available. Users not using bhyve(8) with PCI passthrough are
unaffected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch
# fetch https://security.FreeBSD.org/patches/EN-25:20/vmm.patch.asc
# gpg --verify vmm.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path     Hash            Revision
-------------------------------------------------------------------------
stable/15/      4f7436bf297b    stable/15-n281529
releng/15.0/    04e9f1aab83a    releng/15.0-n280997
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290920>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:20.vmm.asc>

FreeBSD Errata Notice FreeBSD-EN-25:19.zfs

=============================================================================
FreeBSD-EN-25:19.zfs Errata Notice
The FreeBSD Project

Topic: Unprivileged kernel NULL pointer dereference

Category: contrib
Module: openzfs
Announced: 2025-12-16
Credits: Collin Funk
Affects: FreeBSD 15.0
Corrected: 2025-12-15 14:16:12 UTC (stable/15, 15.0-STABLE)
           2025-12-16 23:42:59 UTC (releng/15.0, 15.0-RELEASE-p1)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I. Background

ZFS is an advanced and scalable file system that is commonly used on FreeBSD.

II. Problem Description

Invoking the fsync(2) system call on a named pipe will trigger a NULL pointer
dereference in the kernel, causing a system panic.

III. Impact

A malicious, unprivileged user may be able to panic the system.

Software which attempts to fsync a named pipe may inadvertently panic the
system.

IV. Workaround

No workaround is available. Systems not using ZFS are unaffected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch.asc
# gpg --verify zfs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path     Hash            Revision
-------------------------------------------------------------------------
stable/15/      d988a0c1fc4c    stable/15-n281511
releng/15.0/    ff6b9c7c1c34    releng/15.0-n280996
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:19.zfs.asc>

[USN-7939-2] Linux kernel (Azure FIPS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7939-2
December 16, 2025

linux-azure-fips vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- HSI subsystem;
- I3C subsystem;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- SMB network file system;
- Padata parallel execution mechanism;
- Timer subsystem;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Networking core;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2023-52854, CVE-2024-35867,
CVE-2024-47691, CVE-2024-49935, CVE-2024-50061, CVE-2024-50067,
CVE-2024-50095, CVE-2024-50196, CVE-2024-53090, CVE-2024-53218,
CVE-2024-56664, CVE-2025-21727, CVE-2025-21855, CVE-2025-37838,
CVE-2025-37958, CVE-2025-38352, CVE-2025-38666, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1157-azure-fips 5.4.0-1157.164+fips1
Available with Ubuntu Pro
linux-image-azure-fips 5.4.0.1157.94
Available with Ubuntu Pro
linux-image-azure-fips-5.4 5.4.0.1157.94
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7939-2
https://ubuntu.com/security/notices/USN-7939-1
CVE-2022-49026, CVE-2022-49390, CVE-2023-52854, CVE-2024-35867,
CVE-2024-47691, CVE-2024-49935, CVE-2024-50061, CVE-2024-50067,
CVE-2024-50095, CVE-2024-50196, CVE-2024-53090, CVE-2024-53218,
CVE-2024-56664, CVE-2025-21727, CVE-2025-21855, CVE-2025-37838,
CVE-2025-37958, CVE-2025-38352, CVE-2025-38666, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018, CVE-2025-40300

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-fips/5.4.0-1157.164+fips1

[USN-7939-1] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7939-1
December 16, 2025

linux-azure, linux-azure-5.4 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- HSI subsystem;
- I3C subsystem;
- InfiniBand drivers;
- Media drivers;
- Network drivers;
- Pin controllers subsystem;
- AFS file system;
- F2FS file system;
- SMB network file system;
- Padata parallel execution mechanism;
- Timer subsystem;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- Networking core;
- Netfilter;
(CVE-2022-49026, CVE-2022-49390, CVE-2023-52854, CVE-2024-35867,
CVE-2024-47691, CVE-2024-49935, CVE-2024-50061, CVE-2024-50067,
CVE-2024-50095, CVE-2024-50196, CVE-2024-53090, CVE-2024-53218,
CVE-2024-56664, CVE-2025-21727, CVE-2025-21855, CVE-2025-37838,
CVE-2025-37958, CVE-2025-38352, CVE-2025-38666, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
linux-image-5.4.0-1156-azure 5.4.0-1156.163
Available with Ubuntu Pro
linux-image-azure-5.4 5.4.0.1156.150
Available with Ubuntu Pro
linux-image-azure-lts-20.04 5.4.0.1156.150
Available with Ubuntu Pro

Ubuntu 18.04 LTS
linux-image-5.4.0-1156-azure 5.4.0-1156.163~18.04.1
Available with Ubuntu Pro
linux-image-azure 5.4.0.1156.163~18.04.1
Available with Ubuntu Pro
linux-image-azure-5.4 5.4.0.1156.163~18.04.1
Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7939-1
CVE-2022-49026, CVE-2022-49390, CVE-2023-52854, CVE-2024-35867,
CVE-2024-47691, CVE-2024-49935, CVE-2024-50061, CVE-2024-50067,
CVE-2024-50095, CVE-2024-50196, CVE-2024-53090, CVE-2024-53218,
CVE-2024-56664, CVE-2025-21727, CVE-2025-21855, CVE-2025-37838,
CVE-2025-37958, CVE-2025-38352, CVE-2025-38666, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018, CVE-2025-40300

[USN-7938-1] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7938-1
December 16, 2025

linux-azure-5.15 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- ARM32 architecture;
- ARM64 architecture;
- MIPS architecture;
- PowerPC architecture;
- RISC-V architecture;
- S390 architecture;
- x86 architecture;
- Block layer subsystem;
- Cryptographic API;
- ACPI drivers;
- ATM drivers;
- DRBD Distributed Replicated Block Device drivers;
- Bus devices;
- Clock framework and drivers;
- Data acquisition framework and drivers;
- Hardware crypto device drivers;
- Device frequency scaling framework;
- Buffer Sharing and Synchronization framework;
- DMA engine subsystem;
- ARM SCMI message protocol;
- GPU drivers;
- HID subsystem;
- Hardware monitoring drivers;
- I2C subsystem;
- I3C subsystem;
- IIO subsystem;
- InfiniBand drivers;
- Input Device core drivers;
- IOMMU subsystem;
- Media drivers;
- Network drivers;
- Mellanox network drivers;
- PCI subsystem;
- PCCARD (PCMCIA/CardBus) bus subsystem;
- PHY drivers;
- Power supply drivers;
- Voltage and Current Regulator drivers;
- SCSI subsystem;
- ASPEED SoC drivers;
- QCOM SoC drivers;
- small TFT LCD display modules;
- Trusted Execution Environment drivers;
- TTY drivers;
- UFS subsystem;
- USB core drivers;
- DesignWare USB3 driver;
- USB Gadget drivers;
- Framebuffer layer;
- AFS file system;
- BTRFS file system;
- File systems infrastructure;
- EFI Variable file system;
- Ext4 file system;
- F2FS file system;
- JFS file system;
- Network file system (NFS) client;
- Network file system (NFS) server daemon;
- NILFS2 file system;
- NTFS3 file system;
- SMB network file system;
- Asynchronous Transfer Mode (ATM) subsystem;
- BPF subsystem;
- NFS page cache wrapper;
- Memory management;
- Networking subsystem;
- UDP network protocol;
- Perf events;
- RCU subsystem;
- Tracing infrastructure;
- 802.1Q VLAN protocol;
- Appletalk network protocol;
- Amateur Radio drivers;
- B.A.T.M.A.N. meshing protocol;
- Bluetooth subsystem;
- Ethernet bridge;
- Networking core;
- HSR network protocol;
- IPv4 networking;
- IPv6 networking;
- Multipath TCP;
- Netfilter;
- Network traffic control;
- SCTP protocol;
- TLS protocol;
- Wireless networking;
- SoC audio core drivers;
- USB sound devices;
(CVE-2022-49390, CVE-2022-50070, CVE-2022-50327, CVE-2023-52935,
CVE-2023-53074, CVE-2024-47691, CVE-2024-50061, CVE-2024-50067,
CVE-2024-53068, CVE-2024-53090, CVE-2024-53218, CVE-2025-21855,
CVE-2025-37925, CVE-2025-37968, CVE-2025-38095, CVE-2025-38148,
CVE-2025-38165, CVE-2025-38335, CVE-2025-38347, CVE-2025-38468,
CVE-2025-38470, CVE-2025-38473, CVE-2025-38474, CVE-2025-38476,
CVE-2025-38478, CVE-2025-38480, CVE-2025-38481, CVE-2025-38482,
CVE-2025-38483, CVE-2025-38487, CVE-2025-38488, CVE-2025-38494,
CVE-2025-38495, CVE-2025-38497, CVE-2025-38499, CVE-2025-38502,
CVE-2025-38527, CVE-2025-38528, CVE-2025-38529, CVE-2025-38530,
CVE-2025-38535, CVE-2025-38538, CVE-2025-38539, CVE-2025-38548,
CVE-2025-38550, CVE-2025-38553, CVE-2025-38555, CVE-2025-38563,
CVE-2025-38565, CVE-2025-38569, CVE-2025-38572, CVE-2025-38574,
CVE-2025-38576, CVE-2025-38577, CVE-2025-38578, CVE-2025-38579,
CVE-2025-38581, CVE-2025-38583, CVE-2025-38601, CVE-2025-38602,
CVE-2025-38604, CVE-2025-38608, CVE-2025-38609, CVE-2025-38612,
CVE-2025-38614, CVE-2025-38622, CVE-2025-38623, CVE-2025-38624,
CVE-2025-38630, CVE-2025-38634, CVE-2025-38635, CVE-2025-38639,
CVE-2025-38645, CVE-2025-38650, CVE-2025-38652, CVE-2025-38663,
CVE-2025-38664, CVE-2025-38666, CVE-2025-38668, CVE-2025-38670,
CVE-2025-38671, CVE-2025-38676, CVE-2025-38677, CVE-2025-38678,
CVE-2025-38680, CVE-2025-38681, CVE-2025-38684, CVE-2025-38685,
CVE-2025-38687, CVE-2025-38691, CVE-2025-38693, CVE-2025-38694,
CVE-2025-38695, CVE-2025-38696, CVE-2025-38697, CVE-2025-38698,
CVE-2025-38699, CVE-2025-38700, CVE-2025-38701, CVE-2025-38706,
CVE-2025-38707, CVE-2025-38708, CVE-2025-38711, CVE-2025-38712,
CVE-2025-38713, CVE-2025-38714, CVE-2025-38715, CVE-2025-38718,
CVE-2025-38721, CVE-2025-38724, CVE-2025-38725, CVE-2025-38729,
CVE-2025-38732, CVE-2025-39673, CVE-2025-39675, CVE-2025-39676,
CVE-2025-39681, CVE-2025-39683, CVE-2025-39684, CVE-2025-39685,
CVE-2025-39686, CVE-2025-39687, CVE-2025-39689, CVE-2025-39691,
CVE-2025-39693, CVE-2025-39697, CVE-2025-39702, CVE-2025-39703,
CVE-2025-39709, CVE-2025-39710, CVE-2025-39713, CVE-2025-39714,
CVE-2025-39724, CVE-2025-39730, CVE-2025-39734, CVE-2025-39736,
CVE-2025-39737, CVE-2025-39738, CVE-2025-39742, CVE-2025-39743,
CVE-2025-39749, CVE-2025-39752, CVE-2025-39756, CVE-2025-39757,
CVE-2025-39760, CVE-2025-39766, CVE-2025-39772, CVE-2025-39773,
CVE-2025-39776, CVE-2025-39782, CVE-2025-39783, CVE-2025-39787,
CVE-2025-39788, CVE-2025-39790, CVE-2025-39794, CVE-2025-39795,
CVE-2025-39798, CVE-2025-39801, CVE-2025-39806, CVE-2025-39808,
CVE-2025-39812, CVE-2025-39813, CVE-2025-39817, CVE-2025-39823,
CVE-2025-39824, CVE-2025-39828, CVE-2025-39835, CVE-2025-39839,
CVE-2025-39841, CVE-2025-39844, CVE-2025-39845, CVE-2025-39846,
CVE-2025-39847, CVE-2025-39848, CVE-2025-39853, CVE-2025-39860,
CVE-2025-39864, CVE-2025-39865, CVE-2025-39866, CVE-2025-39891,
CVE-2025-39894, CVE-2025-39902, CVE-2025-39920, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
linux-image-5.15.0-1102-azure 5.15.0-1102.111~20.04.1
    Available with Ubuntu Pro
linux-image-azure 5.15.0.1102.111~20.04.1
    Available with Ubuntu Pro
linux-image-azure-5.15 5.15.0.1102.111~20.04.1
    Available with Ubuntu Pro
linux-image-azure-cvm 5.15.0.1102.111~20.04.1
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7938-1
CVE-2022-49390, CVE-2022-50070, CVE-2022-50327, CVE-2023-52935,
CVE-2023-53074, CVE-2024-47691, CVE-2024-50061, CVE-2024-50067,
CVE-2024-53068, CVE-2024-53090, CVE-2024-53218, CVE-2025-21855,
CVE-2025-37925, CVE-2025-37968, CVE-2025-38095, CVE-2025-38148,
CVE-2025-38165, CVE-2025-38335, CVE-2025-38347, CVE-2025-38468,
CVE-2025-38470, CVE-2025-38473, CVE-2025-38474, CVE-2025-38476,
CVE-2025-38478, CVE-2025-38480, CVE-2025-38481, CVE-2025-38482,
CVE-2025-38483, CVE-2025-38487, CVE-2025-38488, CVE-2025-38494,
CVE-2025-38495, CVE-2025-38497, CVE-2025-38499, CVE-2025-38502,
CVE-2025-38527, CVE-2025-38528, CVE-2025-38529, CVE-2025-38530,
CVE-2025-38535, CVE-2025-38538, CVE-2025-38539, CVE-2025-38548,
CVE-2025-38550, CVE-2025-38553, CVE-2025-38555, CVE-2025-38563,
CVE-2025-38565, CVE-2025-38569, CVE-2025-38572, CVE-2025-38574,
CVE-2025-38576, CVE-2025-38577, CVE-2025-38578, CVE-2025-38579,
CVE-2025-38581, CVE-2025-38583, CVE-2025-38601, CVE-2025-38602,
CVE-2025-38604, CVE-2025-38608, CVE-2025-38609, CVE-2025-38612,
CVE-2025-38614, CVE-2025-38622, CVE-2025-38623, CVE-2025-38624,
CVE-2025-38630, CVE-2025-38634, CVE-2025-38635, CVE-2025-38639,
CVE-2025-38645, CVE-2025-38650, CVE-2025-38652, CVE-2025-38663,
CVE-2025-38664, CVE-2025-38666, CVE-2025-38668, CVE-2025-38670,
CVE-2025-38671, CVE-2025-38676, CVE-2025-38677, CVE-2025-38678,
CVE-2025-38680, CVE-2025-38681, CVE-2025-38684, CVE-2025-38685,
CVE-2025-38687, CVE-2025-38691, CVE-2025-38693, CVE-2025-38694,
CVE-2025-38695, CVE-2025-38696, CVE-2025-38697, CVE-2025-38698,
CVE-2025-38699, CVE-2025-38700, CVE-2025-38701, CVE-2025-38706,
CVE-2025-38707, CVE-2025-38708, CVE-2025-38711, CVE-2025-38712,
CVE-2025-38713, CVE-2025-38714, CVE-2025-38715, CVE-2025-38718,
CVE-2025-38721, CVE-2025-38724, CVE-2025-38725, CVE-2025-38729,
CVE-2025-38732, CVE-2025-39673, CVE-2025-39675, CVE-2025-39676,
CVE-2025-39681, CVE-2025-39683, CVE-2025-39684, CVE-2025-39685,
CVE-2025-39686, CVE-2025-39687, CVE-2025-39689, CVE-2025-39691,
CVE-2025-39693, CVE-2025-39697, CVE-2025-39702, CVE-2025-39703,
CVE-2025-39709, CVE-2025-39710, CVE-2025-39713, CVE-2025-39714,
CVE-2025-39724, CVE-2025-39730, CVE-2025-39734, CVE-2025-39736,
CVE-2025-39737, CVE-2025-39738, CVE-2025-39742, CVE-2025-39743,
CVE-2025-39749, CVE-2025-39752, CVE-2025-39756, CVE-2025-39757,
CVE-2025-39760, CVE-2025-39766, CVE-2025-39772, CVE-2025-39773,
CVE-2025-39776, CVE-2025-39782, CVE-2025-39783, CVE-2025-39787,
CVE-2025-39788, CVE-2025-39790, CVE-2025-39794, CVE-2025-39795,
CVE-2025-39798, CVE-2025-39801, CVE-2025-39806, CVE-2025-39808,
CVE-2025-39812, CVE-2025-39813, CVE-2025-39817, CVE-2025-39823,
CVE-2025-39824, CVE-2025-39828, CVE-2025-39835, CVE-2025-39839,
CVE-2025-39841, CVE-2025-39844, CVE-2025-39845, CVE-2025-39846,
CVE-2025-39847, CVE-2025-39848, CVE-2025-39853, CVE-2025-39860,
CVE-2025-39864, CVE-2025-39865, CVE-2025-39866, CVE-2025-39891,
CVE-2025-39894, CVE-2025-39902, CVE-2025-39920, CVE-2025-39964,
CVE-2025-39993, CVE-2025-40018, CVE-2025-40300

[USN-7889-7] Linux kernel vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7889-7
December 16, 2025

linux-raspi, linux-raspi-realtime, linux-xilinx vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-raspi: Linux kernel for Raspberry Pi systems
- linux-raspi-realtime: Linux kernel for Raspberry Pi Real-time systems
- linux-xilinx: Linux kernel for Xilinx systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Media drivers;
- Network drivers;
- Netfilter;
- TLS protocol;
(CVE-2025-21729, CVE-2025-38227, CVE-2025-38616, CVE-2025-38678)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-1020-xilinx 6.8.0-1020.21
linux-image-6.8.0-1043-raspi 6.8.0-1043.47
linux-image-6.8.0-2034-raspi-realtime 6.8.0-2034.35
    Available with Ubuntu Pro
linux-image-raspi 6.8.0-1043.47
linux-image-raspi-6.8 6.8.0-1043.47
linux-image-raspi-realtime 6.8.0-2034.35
    Available with Ubuntu Pro
linux-image-raspi-realtime-6.8 6.8.0-2034.35
    Available with Ubuntu Pro
linux-image-xilinx 6.8.0.1020.21
linux-image-xilinx-6.8 6.8.0.1020.21
linux-image-xilinx-zynqmp 6.8.0.1020.21

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7889-7
https://ubuntu.com/security/notices/USN-7889-6
https://ubuntu.com/security/notices/USN-7889-5
https://ubuntu.com/security/notices/USN-7889-4
https://ubuntu.com/security/notices/USN-7889-3
https://ubuntu.com/security/notices/USN-7889-2
https://ubuntu.com/security/notices/USN-7889-1
CVE-2025-21729, CVE-2025-38227, CVE-2025-38616, CVE-2025-38678

Package Information:
https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1043.47
https://launchpad.net/ubuntu/+source/linux-raspi-realtime/6.8.0-2034.35
https://launchpad.net/ubuntu/+source/linux-xilinx/6.8.0-1020.21

Monday, December 15, 2025

[USN-7937-1] Linux kernel (Azure FIPS) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7937-1
December 16, 2025

linux-azure-fips vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- ACPI drivers;
- DMA engine subsystem;
- GPU drivers;
- HSI subsystem;
- Hardware monitoring drivers;
- InfiniBand drivers;
- Mailbox framework;
- Network drivers;
- Ethernet team driver;
- AFS file system;
- Ceph distributed file system;
- Ext4 file system;
- Network file system (NFS) server daemon;
- NILFS2 file system;
- File systems infrastructure;
- KVM subsystem;
- L3 Master device support module;
- Timer subsystem;
- Tracing infrastructure;
- Memory management;
- Appletalk network protocol;
- DCCP (Datagram Congestion Control Protocol);
- IPv6 networking;
- Netfilter;
- NET/ROM layer;
- Open vSwitch;
- SCTP protocol;
- USB sound devices;
(CVE-2021-47385, CVE-2022-49026, CVE-2022-49390, CVE-2023-52574,
CVE-2023-52650, CVE-2024-41006, CVE-2024-49935, CVE-2024-49963,
CVE-2024-50006, CVE-2024-50067, CVE-2024-50095, CVE-2024-50179,
CVE-2024-50299, CVE-2024-53090, CVE-2024-53112, CVE-2024-53124,
CVE-2024-53150, CVE-2024-53217, CVE-2024-56767, CVE-2024-58083,
CVE-2025-21715, CVE-2025-21722, CVE-2025-21761, CVE-2025-21791,
CVE-2025-21811, CVE-2025-21855, CVE-2025-37838, CVE-2025-37958,
CVE-2025-38352, CVE-2025-38666, CVE-2025-39964, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS
linux-image-4.15.0-2104-azure-fips 4.15.0-2104.110
    Available with Ubuntu Pro
linux-image-azure-fips 4.15.0.2104.100
    Available with Ubuntu Pro
linux-image-azure-fips-4.15 4.15.0.2104.100
    Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7937-1
CVE-2021-47385, CVE-2022-49026, CVE-2022-49390, CVE-2023-52574,
CVE-2023-52650, CVE-2024-41006, CVE-2024-49935, CVE-2024-49963,
CVE-2024-50006, CVE-2024-50067, CVE-2024-50095, CVE-2024-50179,
CVE-2024-50299, CVE-2024-53090, CVE-2024-53112, CVE-2024-53124,
CVE-2024-53150, CVE-2024-53217, CVE-2024-56767, CVE-2024-58083,
CVE-2025-21715, CVE-2025-21722, CVE-2025-21761, CVE-2025-21791,
CVE-2025-21811, CVE-2025-21855, CVE-2025-37838, CVE-2025-37958,
CVE-2025-38352, CVE-2025-38666, CVE-2025-39964, CVE-2025-40018,
CVE-2025-40300

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure-fips/4.15.0-2104.110

[USN-7936-1] Linux kernel (OEM) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7936-1
December 15, 2025

linux-oem-6.14 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-oem-6.14: Linux kernel for OEM systems

Details:

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- Compute Acceleration Framework;
- Media drivers;
- Netfilter;
- TLS protocol;
(CVE-2025-39946, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018,
CVE-2025-40172, CVE-2025-40177)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.14.0-1017-oem 6.14.0-1017.17
linux-image-oem-24.04 6.14.0-1018.18
linux-image-oem-24.04a 6.14.0-1018.18
linux-image-oem-24.04b 6.14.0-1018.18
linux-image-oem-24.04c 6.14.0-1018.18
linux-image-oem-6.14 6.14.0-1018.18

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7936-1
CVE-2025-39946, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018,
CVE-2025-40172, CVE-2025-40177

Package Information:
https://launchpad.net/ubuntu/+source/linux-oem-6.14/6.14.0-1017.17

[USN-7935-1] Linux kernel (Azure) vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7935-1
December 15, 2025

linux-azure, linux-azure-6.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-azure: Linux kernel for Microsoft Azure Cloud systems
- linux-azure-6.8: Linux kernel for Microsoft Azure cloud systems

Details:

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered
that the Linux kernel contained insufficient branch predictor isolation
between a guest and a userspace hypervisor for certain processors. This
flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this
to expose sensitive information from the host OS. (CVE-2025-40300)

Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Cryptographic API;
- HSI subsystem;
- Media drivers;
- Network drivers;
- Bluetooth subsystem;
- Timer subsystem;
- Memory management;
- Appletalk network protocol;
- Netfilter;
- TLS protocol;
(CVE-2025-21729, CVE-2025-37838, CVE-2025-37958, CVE-2025-38118,
CVE-2025-38227, CVE-2025-38352, CVE-2025-38616, CVE-2025-38666,
CVE-2025-38678, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
linux-image-6.8.0-1044-azure 6.8.0-1044.50
linux-image-azure-6.8 6.8.0-1044.50
linux-image-azure-lts-24.04 6.8.0-1044.50

Ubuntu 22.04 LTS
linux-image-6.8.0-1044-azure 6.8.0-1044.50~22.04.1
linux-image-azure 6.8.0-1044.50~22.04.1
linux-image-azure-6.8 6.8.0-1044.50~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://ubuntu.com/security/notices/USN-7935-1
CVE-2025-21729, CVE-2025-37838, CVE-2025-37958, CVE-2025-38118,
CVE-2025-38227, CVE-2025-38352, CVE-2025-38616, CVE-2025-38666,
CVE-2025-38678, CVE-2025-39964, CVE-2025-39993, CVE-2025-40018,
CVE-2025-40300

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/6.8.0-1044.50
https://launchpad.net/ubuntu/+source/linux-azure-6.8/6.8.0-1044.50~22.04.1