Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2025:0784-1
Release Date:	2025-03-05T13:04:51Z
Rating:	important
References:	bsc#1012628 bsc#1215199 bsc#1219367 bsc#1222672 bsc#1222803 bsc#1225742 bsc#1225981 bsc#1228521 bsc#1230235 bsc#1230438 bsc#1230439 bsc#1231920 bsc#1232159 bsc#1232198 bsc#1232201 bsc#1232508 bsc#1232520 bsc#1232919 bsc#1233109 bsc#1234853 bsc#1234857 bsc#1234891 bsc#1234963 bsc#1235032 bsc#1235054 bsc#1235061 bsc#1235073 bsc#1235435 bsc#1235592 bsc#1235609 bsc#1235932 bsc#1235933 bsc#1236113 bsc#1236114 bsc#1236115 bsc#1236122 bsc#1236123 bsc#1236133 bsc#1236138 bsc#1236199 bsc#1236200 bsc#1236203 bsc#1236205 bsc#1236573 bsc#1236575 bsc#1236576 bsc#1236591 bsc#1236661 bsc#1236677 bsc#1236700 bsc#1236752 bsc#1236821 bsc#1236822 bsc#1236896 bsc#1236897 bsc#1236952 bsc#1236967 bsc#1236994 bsc#1237007 bsc#1237017 bsc#1237025 bsc#1237028 bsc#1237045 bsc#1237126 bsc#1237132 bsc#1237139 bsc#1237155 bsc#1237158 bsc#1237159 bsc#1237232 bsc#1237234 bsc#1237325 bsc#1237415 bsc#1237452 bsc#1237558 bsc#1237562 bsc#1237563 jsc#PED-10028 jsc#PED-12094 jsc#PED-348 jsc#PED-6143
Cross-References:	CVE-2023-52924 CVE-2023-52925 CVE-2024-26708 CVE-2024-26810 CVE-2024-41055 CVE-2024-44974 CVE-2024-45009 CVE-2024-45010 CVE-2024-47701 CVE-2024-49884 CVE-2024-49950 CVE-2024-50073 CVE-2024-50085 CVE-2024-50115 CVE-2024-50185 CVE-2024-53147 CVE-2024-53173 CVE-2024-53226 CVE-2024-53239 CVE-2024-56539 CVE-2024-56548 CVE-2024-56568 CVE-2024-56579 CVE-2024-56605 CVE-2024-56647 CVE-2024-56720 CVE-2024-57889 CVE-2024-57948 CVE-2025-21636 CVE-2025-21637 CVE-2025-21638 CVE-2025-21639 CVE-2025-21640 CVE-2025-21647 CVE-2025-21680 CVE-2025-21684 CVE-2025-21687 CVE-2025-21688 CVE-2025-21689 CVE-2025-21690 CVE-2025-21692 CVE-2025-21697 CVE-2025-21699 CVE-2025-21700
CVSS scores:	CVE-2023-52924 ( SUSE ): 1.8 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2023-52924 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L CVE-2023-52925 ( SUSE ): 5.6 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2023-52925 ( SUSE ): 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2023-52925 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2024-26708 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-26708 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-26810 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2024-26810 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2024-41055 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-41055 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-44974 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVE-2024-44974 ( SUSE ): 5.6 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2024-44974 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-45009 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2024-45009 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-45010 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2024-45010 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-47701 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-47701 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2024-47701 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-49884 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-49884 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-49950 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-49950 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-50073 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-50073 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2024-50073 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-50073 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-50085 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-50085 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-50085 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-50115 ( SUSE ): 4.5 CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:H CVE-2024-50115 ( SUSE ): 7.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:H CVE-2024-50115 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2024-50185 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-50185 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-53147 ( SUSE ): 5.8 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-53147 ( SUSE ): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H CVE-2024-53173 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-53173 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-53173 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-53173 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-53226 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-53226 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-53226 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-53239 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-53239 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-53239 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-53239 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-56539 ( SUSE ): 8.6 CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-56539 ( SUSE ): 8.0 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2024-56548 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-56548 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2024-56568 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-56568 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56568 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56579 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-56579 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56579 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56605 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-56605 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-56605 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-56605 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-56647 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-56647 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56647 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56720 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-56720 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-56720 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-57889 ( SUSE ): 5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-57889 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-57948 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2024-57948 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-21636 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21636 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21636 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21637 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21637 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21637 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21638 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21638 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21638 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21639 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21639 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21639 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21640 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21640 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21640 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21647 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21647 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21680 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21680 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21680 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21684 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21684 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21684 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21687 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21687 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21687 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21688 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21688 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21689 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21689 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21689 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21690 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21690 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21690 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21692 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21692 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVE-2025-21692 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-21697 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-21697 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21699 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2025-21699 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21699 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2025-21700 ( SUSE ): 7.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-21700 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2025-21700 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	Confidential Computing Module 15-SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves 44 vulnerabilities, contains four features and has 33 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP6 Confidential Computing kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2024-26708: mptcp: fastopen and PM-trigger subflow shutdown can race (bsc#1222672).
• CVE-2024-44974: mptcp: pm: avoid possible UaF when selecting endp (bsc#1230235).
• CVE-2024-45009: mptcp: pm: only decrement add_addr_accepted for MPJ req (bsc#1230438).
• CVE-2024-45010: mptcp: pm: only mark 'subflow' endp as available (bsc#1230439).
• CVE-2024-50085: mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow (bsc#1232508).
• CVE-2024-50185: mptcp: handle consistently DSS corruption (bsc#1233109).
• CVE-2024-53147: exfat: fix out-of-bounds access of directory entries (bsc#1234857).
• CVE-2024-56568: iommu/arm-smmu: Defer probe of clients after smmu device bound (bsc#1235032).
• CVE-2024-56647: net: Fix icmp host relookup triggering ip_rt_bug (bsc#1235435).
• CVE-2024-56720: bpf, sockmap: Several fixes to bpf_msg_pop_data (bsc#1235592).
• CVE-2025-21636: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy (bsc#1236113).
• CVE-2025-21637: sctp: sysctl: udp_port: avoid using current->nsproxy (bsc#1236114).
• CVE-2025-21638: sctp: sysctl: auth_enable: avoid using current->nsproxy (bsc#1236115).
• CVE-2025-21639: sctp: sysctl: rto_min/max: avoid using current->nsproxy (bsc#1236122).
• CVE-2025-21640: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy (bsc#1236123).
• CVE-2025-21647: sched: sch_cake: add bounds checks to host bulk flow fairness counts (bsc#1236133).
• CVE-2025-21680: pktgen: Avoid out-of-bounds access in get_imix_entries (bsc#1236700).
• CVE-2025-21687: vfio/platform: check the bounds of read/write syscalls (bsc#1237045).
• CVE-2025-21692: net: sched: fix ets qdisc OOB Indexing (bsc#1237028).
• CVE-2025-21700: net: sched: Disallow replacing of child qdisc from one parent to another (bsc#1237159).

The following non-security bugs were fixed:

• ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V (stable-fixes).
• ALSA: hda/cirrus: Correct the full scale volume set logic (git-fixes).
• ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED (stable-fixes).
• ALSA: hda/realtek: Fixup ALC225 depop procedure (git-fixes).
• ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls() (git-fixes).
• ALSA: seq: Drop UMP events when no UMP-conversion is set (git-fixes).
• APEI: GHES: Have GHES honor the panic= setting (stable-fixes).
• ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V (stable-fixes).
• ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close (git-fixes).
• ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() (git-fixes).
• ASoC: amd: Add ACPI dependency to fix build error (stable-fixes).
• ASoC: fsl_micfil: Enable default case in micfil_set_quality() (git-fixes).
• ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB] (git-fixes).
• Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (stable-fixes).
• HID: Wacom: Add PCI Wacom device support (stable-fixes).
• HID: hid-steam: Add Deck IMU support (stable-fixes).
• HID: hid-steam: Add gamepad-only mode switched to by holding options (stable-fixes).
• HID: hid-steam: Avoid overwriting smoothing parameter (stable-fixes).
• HID: hid-steam: Clean up locking (stable-fixes).
• HID: hid-steam: Disable watchdog instead of using a heartbeat (stable-fixes).
• HID: hid-steam: Do not use cancel_delayed_work_sync in IRQ context (git-fixes).
• HID: hid-steam: Fix cleanup in probe() (git-fixes).
• HID: hid-steam: Make sure rumble work is canceled on removal (stable-fixes).
• HID: hid-steam: Move hidraw input (un)registering to work (git-fixes).
• HID: hid-steam: Update list of identifiers from SDL (stable-fixes).
• HID: hid-steam: remove pointless error message (stable-fixes).
• HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() (git-fixes).
• HID: multitouch: Add NULL check in mt_input_configured (git-fixes).
• Input: allocate keycode for phone linking (stable-fixes).
• KVM: SVM: Propagate error from snp_guest_req_init() to userspace (jsc#PED-348).
• KVM: VMX: Allow toggling bits in MSR_IA32_RTIT_CTL when enable bit is cleared (git-fixes).
• KVM: VMX: Fix comment of handle_vmx_instruction() (git-fixes).
• KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset() (jsc#PED-348 git-fixes).
• KVM: arm64: Do not eagerly teardown the vgic on init error (git-fixes).
• KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (git-fixes).
• KVM: arm64: Fix alignment of kvm_hyp_memcache allocations (git-fixes).
• KVM: arm64: Flush hyp bss section after initialization of variables in bss (git-fixes).
• KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state (git-fixes)
• KVM: arm64: vgic-v3: Sanitise guest writes to GICR_INVLPIR (git-fixes).
• KVM: nSVM: Enter guest mode before initializing nested NPT MMU (git-fixes).
• KVM: nVMX: Treat vpid01 as current if L2 is active, but with VPID disabled (jsc#PED-348 git-fixes).
• KVM: s390: vsie: fix some corner-cases when grabbing vsie pages (git-fixes bsc#1237155).
• KVM: x86/mmu: Process atomically-zapped SPTEs after TLB flush (jsc#PED-6143).
• KVM: x86/mmu: Skip the "try unsync" path iff the old SPTE was a leaf SPTE (git-fixes).
• KVM: x86: AMD's IBPB is not equivalent to Intel's IBPB (git-fixes).
• KVM: x86: Account for KVM-reserved CR4 bits when passing through CR4 on VMX (git-fixes).
• KVM: x86: Advertise SRSO_USER_KERNEL_NO to userspace (git-fixes).
• KVM: x86: Avoid double RDPKRU when loading host/guest PKRU (git-fixes).
• KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init (git-fixes).
• KVM: x86: Fix a comment inside __kvm_set_or_clear_apicv_inhibit() (git-fixes).
• KVM: x86: Unconditionally set irr_pending when updating APICv state (jsc#PED-348).
• KVM: x86: Zero out PV features cache when the CPUID leaf is not present (git-fixes).
• PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P (stable-fixes).
• PCI: Use downstream bridges for distributing resources (bsc#1237325).
• PCI: hookup irq_get_affinity callback (bsc#1236896).
• PCI: imx6: Simplify clock handling by using clk_bulk*() function (git-fixes).
• PCI: switchtec: Add Microchip PCI100X device IDs (stable-fixes).
• Pickup RXE code change introduced by upstream.
• RDMA/efa: Reset device on probe failure (git-fixes)
• RDMA/rxe: Improve newline in printing messages (git-fixes)
• Revert "blk-throttle: Fix IO hang for a corner case" (git-fixes).
• Revert "drm/amd/display: Use HW lock mgr for PSR1" (stable-fixes).
• USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone (stable-fixes).
• USB: Fix the issue of task recovery failure caused by USB status when S4 wakes up (git-fixes).
• USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk (git-fixes).
• USB: gadget: f_midi: f_midi_complete to call queue_work (git-fixes).
• USB: hub: Ignore non-compliant devices with too many configs or interfaces (stable-fixes).
• USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI (stable-fixes).
• USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist (stable-fixes).
• USB: serial: option: add MeiG Smart SLM828 (stable-fixes).
• USB: serial: option: add Telit Cinterion FN990B compositions (stable-fixes).
• USB: serial: option: drop MeiG Smart defines (stable-fixes).
• USB: serial: option: fix Telit Cinterion FN990A name (stable-fixes).
• Use gcc-13 for build on SLE16 (jsc#PED-10028).
• acct: block access to kernel internal filesystems (git-fixes).
• acct: perform last write from workqueue (git-fixes).
• arm64/mm: Ensure adequate HUGE_MAX_HSTATE (git-fixes)
• arm64: Handle .ARM.attributes section in linker scripts (git-fixes)
• arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (git-fixes)
• ata: libata-sff: Ensure that we cannot write outside the allocated buffer (stable-fixes).
• batman-adv: Drop unmanaged ELP metric worker (git-fixes).
• batman-adv: Ignore neighbor throughput metrics in error case (stable-fixes).
• batman-adv: fix panic during interface removal (git-fixes).
• bio-integrity: do not restrict the size of integrity metadata (git-fixes).
• blk-cgroup: Fix class @block_class's subsystem refcount leakage (bsc#1237558).
• blk-iocost: Avoid using clamp() on inuse in __propagate_weights() (git-fixes).
• blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long (git-fixes).
• blk-mq: add number of queue calc helper (bsc#1236897).
• blk-mq: create correct map for fallback case (bsc#1236896).
• blk-mq: do not count completed flush data request as inflight in case of quiesce (git-fixes).
• blk-mq: introduce blk_mq_map_hw_queues (bsc#1236896).
• blk-mq: issue warning when offlining hctx with online isolcpus (bsc#1236897).
• blk-mq: move cpuhp callback registering out of q->sysfs_lock (git-fixes).
• blk-mq: register cpuhp callback after hctx is added to xarray table (git-fixes).
• blk-mq: use hk cpus only when isolcpus=managed_irq is enabled (bsc#1236897).
• blk_iocost: remove some duplicate irq disable/enables (git-fixes).
• block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() (git-fixes).
• block: Clear zone limits for a non-zoned stacked queue (git-fixes).
• block: Fix elevator_get_default() checking for NULL q->tag_set (git-fixes).
• block: Fix lockdep warning in blk_mq_mark_tag_wait (git-fixes).
• block: Fix page refcounts for unaligned buffers in __bio_release_pages() (git-fixes).
• block: Provide bdev_open_* functions (git-fixes).
• block: Remove special-casing of compound pages (git-fixes).
• block: Set memalloc_noio to false on device_add_disk() error path (git-fixes).
• block: add a disk_has_partscan helper (git-fixes).
• block: add a partscan sysfs attribute for disks (git-fixes).
• block: add check of 'minors' and 'first_minor' in device_add_disk() (git-fixes).
• block: avoid to reuse hctx not removed from cpuhp callback list (git-fixes).
• block: change rq_integrity_vec to respect the iterator (git-fixes).
• block: copy back bounce buffer to user-space correctly in case of split (git-fixes).
• block: ensure we hold a queue reference when using queue limits (git-fixes).
• block: fix and simplify blkdevparts= cmdline parsing (git-fixes).
• block: fix bio_split_rw_at to take zone_write_granularity into account (git-fixes).
• block: fix integer overflow in BLKSECDISCARD (git-fixes).
• block: fix missing dispatching request when queue is started or unquiesced (git-fixes).
• block: fix ordering between checking BLK_MQ_S_STOPPED request adding (git-fixes).
• block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding (git-fixes).
• block: fix sanity checks in blk_rq_map_user_bvec (git-fixes).
• block: propagate partition scanning errors to the BLKRRPART ioctl (git-fixes).
• block: remove the blk_flush_integrity call in blk_integrity_unregister (git-fixes).
• block: retry call probe after request_module in blk_request_module (git-fixes).
• block: return unsigned int from bdev_io_min (git-fixes).
• block: sed-opal: avoid possible wrong address reference in read_sed_opal_key() (git-fixes).
• block: support to account io_ticks precisely (git-fixes).
• block: use the right type for stub rq_integrity_vec() (git-fixes).
• bnxt_en: Fix possible memory leak when hwrm_req_replace fails (git-fixes).
• bnxt_en: Refactor bnxt_ptp_init() (git-fixes).
• bnxt_en: Unregister PTP during PCI shutdown and suspend (git-fixes).
• btrfs: fix defrag not merging contiguous extents due to merged extent maps (bsc#1237232).
• btrfs: fix extent map merging not happening for adjacent extents (bsc#1237232).
• can: c_can: fix unbalanced runtime PM disable in error path (git-fixes).
• can: ctucanfd: handle skb allocation failure (git-fixes).
• can: etas_es58x: fix potential NULL pointer dereference on udev->serial (git-fixes).
• can: j1939: j1939_sk_send_loop(): fix unable to send messages with data length zero (git-fixes).
• chelsio/chtls: prevent potential integer overflow on 32bit (git-fixes).
• clk: mediatek: mt2701-aud: fix conversion to mtk_clk_simple_probe (git-fixes).
• clk: mediatek: mt2701-bdp: add missing dummy clk (git-fixes).
• clk: mediatek: mt2701-img: add missing dummy clk (git-fixes).
• clk: mediatek: mt2701-mm: add missing dummy clk (git-fixes).
• clk: mediatek: mt2701-vdec: fix conversion to mtk_clk_simple_probe (git-fixes).
• clk: qcom: clk-alpha-pll: fix alpha mode configuration (git-fixes).
• clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate (git-fixes).
• clk: qcom: dispcc-sm6350: Add missing parent_map for a clock (git-fixes).
• clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg (git-fixes).
• clk: qcom: gcc-sm6350: Add missing parent_map for two clocks (git-fixes).
• clk: qcom: gcc-sm8550: Do not turn off PCIe GDSCs during gdsc_disable() (git-fixes).
• clk: sunxi-ng: a100: enable MMC clock reparenting (git-fixes).
• cpu/hotplug: Do not offline the last non-isolated CPU (bsc#1237562).
• cpu/hotplug: Prevent self deadlock on CPU hot-unplug (bsc#1237562).
• cpufreq: s3c64xx: Fix compilation warning (stable-fixes).
• cxgb4: Avoid removal of uninserted tid (git-fixes).
• cxgb4: use port number to set mac addr (git-fixes).
• devlink: avoid potential loop in devlink_rel_nested_in_notify_work() (bsc#1237234).
• dlm: fix srcu_read_lock() return type to int (git-fixes).
• doc: update managed_irq documentation (bsc#1236897).
• driver core: bus: add irq_get_affinity callback to bus_type (bsc#1236896).
• drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor (stable-fixes).
• drm/amd/pm: Mark MM activity as unsupported (stable-fixes).
• drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (stable-fixes).
• drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() (git-fixes).
• drm/amdkfd: only flush the validate MES contex (stable-fixes).
• drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT (stable-fixes).
• drm/bridge: it6505: fix HDCP Bstatus check (stable-fixes).
• drm/bridge: it6505: fix HDCP CTS KSV list wait timer (stable-fixes).
• drm/bridge: it6505: fix HDCP CTS compare V matching (stable-fixes).
• drm/bridge: it6505: fix HDCP encryption when R0 ready (stable-fixes).
• drm/i915/selftests: avoid using uninitialized context (git-fixes).
• drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes (stable-fixes).
• drm/i915: Fix page cleanup on DMA remap failure (git-fixes).
• drm/modeset: Handle tiled displays in pan_display_atomic (stable-fixes).
• drm/msm/dpu: Disable dither in phys encoder cleanup (git-fixes).
• drm/msm/dpu: Do not leak bits_per_component into random DSC_ENC fields (git-fixes).
• drm/msm: Avoid rounding up to one jiffy (git-fixes).
• drm/nouveau/pmu: Fix gp10b firmware guard (git-fixes).
• drm/virtio: New fence for every plane update (stable-fixes).
• efi: Avoid cold plugged memory for placing the kernel (stable-fixes).
• efi: libstub: Use '-std=gnu11' to fix build with GCC 15 (stable-fixes).
• eth: gve: use appropriate helper to set xdp_features (git-fixes).
• exfat: convert to ctime accessor functions (git-fixes).
• exfat: fix file being changed by unaligned direct write (git-fixes).
• exfat: fix zero the unwritten part for dio read (git-fixes).
• fbdev: omap: use threaded IRQ for LCD DMA (stable-fixes).
• gpio: bcm-kona: Add missing newline to dev_err format string (git-fixes).
• gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0 (git-fixes).
• gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ (git-fixes).
• gpio: stmpe: Check return value of stmpe_reg_read in stmpe_gpio_irq_sync_unlock (git-fixes).
• gpiolib: acpi: Add a quirk for Acer Nitro ANV14 (stable-fixes).
• hfs: Sanity check the root record (git-fixes).
• i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz (stable-fixes).
• iavf: allow changing VLAN state without calling PF (git-fixes).
• ice: Skip PTP HW writes during PTP reset procedure (git-fixes).
• ice: add ice_adapter for shared data across PFs on the same NIC (bsc#1237415).
• ice: avoid the PTP hardware semaphore in gettimex64 path (bsc#1237415).
• ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset (git-fixes).
• ice: fix incorrect PHY settings for 100 GB/s (git-fixes).
• ice: fix max values for dpll pin phase adjust (git-fixes).
• ice: fold ice_ptp_read_time into ice_ptp_gettimex64 (bsc#1237415).
• ice: gather page_count()'s of each frag right before XDP prog call (git-fixes).
• ice: put Rx buffers after being done with current frame (git-fixes).
• ice: stop storing XDP verdict within ice_rx_buf (git-fixes).
• ice: use internal pf id instead of function number (git-fixes).
• idpf: add read memory barrier when checking descriptor done bit (git-fixes).
• idpf: call set_real_num_queues in idpf_open (bsc#1236661).
• idpf: convert workqueues to unbound (git-fixes).
• idpf: fix VF dynamic interrupt ctl register initialization (git-fixes).
• idpf: fix handling rsc packet with a single segment (git-fixes).
• igc: Fix HW RX timestamp when passed by ZC XDP (git-fixes).
• igc: Set buffer type for empty frames in igc_init_empty_frame (git-fixes).
• igc: return early when failing to read EECD register (git-fixes).
• iommu/arm-smmu-v3: Clean up more on probe failure (stable-fixes).
• kabi: fix bus type (bsc#1236896).
• kabi: fix group_cpus_evenly (bsc#1236897).
• kasan: do not call find_vm_area() in a PREEMPT_RT kernel (git-fixes).
• kbuild: userprogs: fix bitsize and target detection on clang (git-fixes).
• kvm: svm: Fix gctx page leak on invalid inputs (jsc#PED-348).
• lib/group_cpus: honor housekeeping config when grouping CPUs (bsc#1236897).
• lib/group_cpus: let group_cpu_evenly return number initialized masks (bsc#1236897).
• lib/iov_iter: fix import_iovec_ubuf iovec management (git-fixes).
• lib: stackinit: hide never-taken branch from compiler (stable-fixes).
• lockdep: Fix upper limit for LOCKDEP_*_BITS configs (stable-fixes).
• loop: do not set QUEUE_FLAG_NOMERGES (git-fixes).
• media: cxd2841er: fix 64-bit division on gcc-9 (stable-fixes).
• media: uvcvideo: Add Kurokesu C1 PRO camera (stable-fixes).
• media: uvcvideo: Add new quirk definition for the Sonix Technology Co. 292a camera (stable-fixes).
• media: uvcvideo: Implement dual stream quirk to fix loss of usb packets (stable-fixes).
• media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread (stable-fixes).
• mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id (stable-fixes).
• mmc: core: Respect quirk_max_rate for non-UHS SDIO card (stable-fixes).
• mmc: mtk-sd: Fix register settings for hs400(es) mode (git-fixes).
• mmc: sdhci-msm: Correctly set the load for the regulator (stable-fixes).
• mptcp: export local_address (git-fixes)
• mptcp: fix NL PM announced address accounting (git-fixes)
• mptcp: fix data races on local_id (git-fixes)
• mptcp: fix inconsistent state on fastopen race (bsc#1222672).
• mptcp: fully established after ADD_ADDR echo on MPJ (git-fixes)
• mptcp: pass addr to mptcp_pm_alloc_anno_list (git-fixes)
• mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR (git-fixes)
• mptcp: pm: deny endp with signal + subflow + port (git-fixes)
• mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set (git-fixes)
• mptcp: pm: do not try to create sf if alloc failed (git-fixes)
• mptcp: pm: fullmesh: select the right ID later (git-fixes)
• mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID (git-fixes)
• mptcp: pm: only in-kernel cannot have entries with ID 0 (git-fixes)
• mptcp: pm: re-using ID of unused flushed subflows (git-fixes)
• mptcp: pm: re-using ID of unused removed ADD_ADDR (git-fixes)
• mptcp: pm: re-using ID of unused removed subflows (git-fixes)
• mptcp: pm: reduce indentation blocks (git-fixes)
• mptcp: pm: remove mptcp_pm_remove_subflow (git-fixes)
• mptcp: unify pm get_flags_and_ifindex_by_id (git-fixes)
• mptcp: unify pm get_local_id interfaces (git-fixes)
• mptcp: unify pm set_flags interfaces (git-fixes)
• mtd: rawnand: cadence: fix error code in cadence_nand_init() (git-fixes).
• mtd: rawnand: cadence: fix incorrect device in dma_unmap_single (git-fixes).
• mtd: rawnand: cadence: fix unchecked dereference (git-fixes).
• mtd: rawnand: cadence: use dma_map_resource for sdma address (git-fixes).
• nbd: Fix signal handling (git-fixes).
• nbd: Improve the documentation of the locking assumptions (git-fixes).
• nbd: do not allow reconnect after disconnect (git-fixes).
• net/mlx5: Correct TASR typo into TSAR (git-fixes).
• net/mlx5: Fix RDMA TX steering prio (git-fixes).
• net/mlx5: Fix msix vectors to respect platform limit (bsc#1225981).
• net/mlx5: SF, Fix add port error handling (git-fixes).
• net/mlx5: Verify support for scheduling element and TSAR type (git-fixes).
• net/mlx5e: Always start IPsec sequence number from 1 (git-fixes).
• net/mlx5e: Rely on reqid in IPsec tunnel mode (git-fixes).
• net/mlx5e: macsec: Maintain TX SA from encoding_sa (git-fixes).
• net/smc: support ipv4 mapped ipv6 addr client for smc-r v2 (bsc#1236994).
• net: rose: lock the socket in rose_bind() (git-fixes).
• net: sfc: Correct key_len for efx_tc_ct_zone_ht_params (git-fixes).
• net: smc: fix spurious error message from __sock_release() (bsc#1237126).
• net: wwan: iosm: Fix hibernation by re-binding the driver around it (stable-fixes).
• nouveau/svm: fix missing folio unlock + put after make_device_exclusive_range() (git-fixes).
• null_blk: Do not allow runt zone with zone capacity smaller then zone size (git-fixes).
• null_blk: Fix missing mutex_destroy() at module removal (git-fixes).
• null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION() (git-fixes).
• null_blk: Print correct max open zones limit in null_init_zoned_dev() (git-fixes).
• null_blk: Remove usage of the deprecated ida_simple_xx() API (git-fixes).
• null_blk: do not cap max_hw_sectors to BLK_DEF_MAX_SECTORS (git-fixes).
• null_blk: fix validation of block size (git-fixes).
• nvme-pci: use block layer helpers to calculate num of queues (bsc#1236897).
• nvme: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896).
• ocfs2: fix incorrect CPU endianness conversion causing mount failure (bsc#1236138).
• padata: Clean up in padata_do_multithreaded() (bsc#1237563).
• padata: Honor the caller's alignment in case of chunk_size 0 (bsc#1237563).
• partitions: ldm: remove the initial kernel-doc notation (git-fixes).
• pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware (git-fixes).
• platform/x86/intel-uncore-freq: Ignore minor version change (bsc#1237452).
• platform/x86/intel-uncore-freq: Increase minor number support (bsc#1237452).
• platform/x86/intel/tpmi: Add defines to get version information (bsc#1237452).
• platform/x86: ISST: Ignore minor version change (bsc#1237452).
• platform/x86: acer-wmi: Ignore AC events (stable-fixes).
• platform/x86: int3472: Check for adev == NULL (stable-fixes).
• power: supply: da9150-fg: fix potential overflow (git-fixes).
• powerpc/64s/mm: Move __real_pte stubs into hash-4k.h (bsc#1215199).
• powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline (bsc#1215199).
• powerpc/code-patching: Disable KASAN report during patching via temporary mm (bsc#1215199).
• powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC (bsc#1215199).
• powerpc/pseries/iommu: Split Dynamic DMA Window to be used in Hybrid mode (bsc#1235933 bsc#1235932).
• powerpc/trace: Add support for HAVE_FUNCTION_ARG_ACCESS_API (bsc#1236967).
• rbd: do not assume RBD_LOCK_STATE_LOCKED for exclusive mappings (git-fixes).
• rbd: do not assume rbd_is_lock_owner() for exclusive mappings (git-fixes).
• rbd: do not move requests to the running list on errors (git-fixes).
• rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait (git-fixes).
• regmap-irq: Add missing kfree() (git-fixes).
• s390/cio: rename bitmap_size() -> idset_bitmap_size() (git-fixes bsc#1236205).
• s390/futex: Fix FUTEX_OP_ANDN implementation (git-fixes bsc#1237158).
• s390/iucv: fix receive buffer virtual vs physical address confusion (git-fixes bsc#1236200).
• s390/pci: Fix SR-IOV for PFs initially in standby (git-fixes bsc#1236752).
• s390/pci: Fix leak of struct zpci_dev when zpci_add_device() fails (bsc#1236752).
• s390/pci: Ignore RID for isolated VFs (bsc#1236752).
• s390/pci: Sort PCI functions prior to creating virtual busses (bsc#1236752).
• s390/pci: Use topology ID for multi-function devices (bsc#1236752).
• s390/smp,mcck: fix early IPI handling (git-fixes bsc#1236199).
• s390/topology: Improve topology detection (bsc#1236591).
• s390/vfio-ap: Remove gmap_convert_to_secure() from vfio_ap_ops (git-fixes bsc#1236203).
• scripts/gdb: fix aarch64 userspace detection in get_current_task (stable-fixes).
• scsi: replace blk_mq_pci_map_queues with blk_mq_map_hw_queues (bsc#1236896).
• scsi: storvsc: Set correct data length for sending SCSI command without payload (git-fixes).
• scsi: use block layer helpers to calculate num of queues (bsc#1236897).
• selftest: hugetlb_dio: fix test naming (git-fixes).
• selftest: mm: Test if hugepage does not get leaked during __bio_release_pages() (git-fixes).
• selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack() (stable-fixes).
• selftests: gpio: gpio-sim: Fix missing chip disablements (stable-fixes).
• selftests: hugetlb_dio: check for initial conditions to skip in the start (git-fixes).
• selftests: hugetlb_dio: fixup check for initial conditions to skip in the start (git-fixes).
• selftests: mptcp: connect: -f: no reconnect (git-fixes).
• selftests: rtnetlink: update netdevsim ipsec output format (stable-fixes).
• serial: 8250: Fix fifo underflow on flush (git-fixes).
• smb: client: fix corruption in cifs_extend_writeback (bsc#1235609).
• soc/tegra: fuse: Update Tegra234 nvmem keepout list (stable-fixes).
• spi: atmel-qspi: Memory barriers after memory-mapped I/O (git-fixes).
• spi: atmel-quadspi: Create atmel_qspi_ops to support newer SoC families (stable-fixes).
• spi: sn-f-ospi: Fix division by zero (git-fixes).
• tg3: Disable tg3 PCIe AER on system reboot (bsc#1219367).
• tomoyo: do not emit warning in tomoyo_write_control() (stable-fixes).
• tools: fix annoying "mkdir -p ..." logs when building tools in parallel (git-fixes).
• ublk: fix error code for unsupported command (git-fixes).
• ublk: fix ublk_ch_mmap() for 64K page size (git-fixes).
• ublk: move ublk_cancel_dev() out of ub->mutex (git-fixes).
• ublk: move zone report data out of request pdu (git-fixes).
• usb: cdc-acm: Check control transfer buffer size before access (git-fixes).
• usb: cdc-acm: Fix handling of oversized fragments (git-fixes).
• usb: core: fix pipe creation for get_bMaxPacketSize0 (git-fixes).
• usb: dwc2: gadget: remove of_node reference upon udc_stop (git-fixes).
• usb: dwc3: Fix timeout issue during controller enter/exit from halt state (git-fixes).
• usb: dwc3: core: Defer the probe until USB power supply ready (git-fixes).
• usb: gadget: core: flush gadget workqueue after device removal (git-fixes).
• usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI bind retries (git-fixes).
• usb: gadget: f_midi: fix MIDI Streaming descriptor lengths (git-fixes).
• usb: gadget: udc: renesas_usb3: Fix compiler warning (git-fixes).
• usb: quirks: Add NO_LPM quirk for TOSHIBA TransMemory-Mx device (git-fixes).
• usb: roles: set switch registered flag early on (git-fixes).
• usb: xhci: Fix NULL pointer dereference on certain command aborts (git-fixes).
• usbnet: ipheth: document scope of NCM implementation (stable-fixes).
• util_macros.h: fix/rework find_closest() macros (git-fixes).
• vhost/net: Set num_buffers for virtio 1.0 (git-fixes).
• virtio: blk/scsi: replace blk_mq_virtio_map_queues with blk_mq_map_hw_queues (bsc#1236896).
• virtio: blk/scsi: use block layer helpers to calculate num of queues (bsc#1236897).
• virtio: hookup irq_get_affinity callback (bsc#1236896).
• virtio_blk: reverse request order in virtio_queue_rqs (git-fixes).
• wifi: ath12k: fix handling of 6 GHz rules (git-fixes).
• wifi: brcmfmac: Check the return value of of_property_read_string_index() (stable-fixes).
• wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() (stable-fixes).
• wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (stable-fixes).
• wifi: iwlwifi: avoid memory leak (stable-fixes).
• wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH (stable-fixes).
• wifi: rtw88: sdio: Fix disconnection after beacon loss (stable-fixes).
• wifi: rtw89: add crystal_cap check to avoid setting as overflow value (stable-fixes).
• x86/amd_nb: Fix compile-testing without CONFIG_AMD_NB (git-fixes).
• x86/asm: Make serialize() always_inline (git-fixes).
• x86/bugs: Add SRSO_USER_KERNEL_NO support (git-fixes).
• x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit (git-fixes).
• x86/cpu: Add Lunar Lake to list of CPUs with a broken MONITOR implementation (git-fixes).
• x86/mm: Carve out INVLPG inline asm for use by others (git-fixes).
• x86/xen: add FRAME_END to xen_hypercall_hvm() (git-fixes).
• x86/xen: allow larger contiguous memory regions in PV guests (git-fixes).
• x86/xen: fix xen_hypercall_hvm() to not clobber %rbx (git-fixes).
• x86/xen: Grab mm lock before grabbing pt lock (git-fixes).
• xen/swiotlb: relax alignment requirements (git-fixes).
• xhci: dbgtty: remove kfifo_out() wrapper (git-fixes).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Confidential Computing Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Confidential-Computing-15-SP6-2025-784=1

Package List:

• Confidential Computing Module 15-SP6 (nosrc x86_64)
  • kernel-coco-6.4.0-15061.18.coco15sp6.1
  • kernel-coco_debug-6.4.0-15061.18.coco15sp6.1
• Confidential Computing Module 15-SP6 (x86_64)
  • reiserfs-kmp-coco-debuginfo-6.4.0-15061.18.coco15sp6.1
  • kernel-coco_debug-devel-6.4.0-15061.18.coco15sp6.1
  • kernel-syms-coco-6.4.0-15061.18.coco15sp6.1
  • kernel-coco_debug-debuginfo-6.4.0-15061.18.coco15sp6.1
  • kernel-coco-vdso-debuginfo-6.4.0-15061.18.coco15sp6.1
  • kernel-coco-devel-6.4.0-15061.18.coco15sp6.1
  • kernel-coco_debug-devel-debuginfo-6.4.0-15061.18.coco15sp6.1
  • kernel-coco_debug-debugsource-6.4.0-15061.18.coco15sp6.1
  • reiserfs-kmp-coco-6.4.0-15061.18.coco15sp6.1
  • kernel-coco-debugsource-6.4.0-15061.18.coco15sp6.1
  • kernel-coco-debuginfo-6.4.0-15061.18.coco15sp6.1
• Confidential Computing Module 15-SP6 (noarch)
  • kernel-devel-coco-6.4.0-15061.18.coco15sp6.1
  • kernel-source-coco-6.4.0-15061.18.coco15sp6.1

References:

• https://www.suse.com/security/cve/CVE-2023-52924.html
• https://www.suse.com/security/cve/CVE-2023-52925.html
• https://www.suse.com/security/cve/CVE-2024-26708.html
• https://www.suse.com/security/cve/CVE-2024-26810.html
• https://www.suse.com/security/cve/CVE-2024-41055.html
• https://www.suse.com/security/cve/CVE-2024-44974.html
• https://www.suse.com/security/cve/CVE-2024-45009.html
• https://www.suse.com/security/cve/CVE-2024-45010.html
• https://www.suse.com/security/cve/CVE-2024-47701.html
• https://www.suse.com/security/cve/CVE-2024-49884.html
• https://www.suse.com/security/cve/CVE-2024-49950.html
• https://www.suse.com/security/cve/CVE-2024-50073.html
• https://www.suse.com/security/cve/CVE-2024-50085.html
• https://www.suse.com/security/cve/CVE-2024-50115.html
• https://www.suse.com/security/cve/CVE-2024-50185.html
• https://www.suse.com/security/cve/CVE-2024-53147.html
• https://www.suse.com/security/cve/CVE-2024-53173.html
• https://www.suse.com/security/cve/CVE-2024-53226.html
• https://www.suse.com/security/cve/CVE-2024-53239.html
• https://www.suse.com/security/cve/CVE-2024-56539.html
• https://www.suse.com/security/cve/CVE-2024-56548.html
• https://www.suse.com/security/cve/CVE-2024-56568.html
• https://www.suse.com/security/cve/CVE-2024-56579.html
• https://www.suse.com/security/cve/CVE-2024-56605.html
• https://www.suse.com/security/cve/CVE-2024-56647.html
• https://www.suse.com/security/cve/CVE-2024-56720.html
• https://www.suse.com/security/cve/CVE-2024-57889.html
• https://www.suse.com/security/cve/CVE-2024-57948.html
• https://www.suse.com/security/cve/CVE-2025-21636.html
• https://www.suse.com/security/cve/CVE-2025-21637.html
• https://www.suse.com/security/cve/CVE-2025-21638.html
• https://www.suse.com/security/cve/CVE-2025-21639.html
• https://www.suse.com/security/cve/CVE-2025-21640.html
• https://www.suse.com/security/cve/CVE-2025-21647.html
• https://www.suse.com/security/cve/CVE-2025-21680.html
• https://www.suse.com/security/cve/CVE-2025-21684.html
• https://www.suse.com/security/cve/CVE-2025-21687.html
• https://www.suse.com/security/cve/CVE-2025-21688.html
• https://www.suse.com/security/cve/CVE-2025-21689.html
• https://www.suse.com/security/cve/CVE-2025-21690.html
• https://www.suse.com/security/cve/CVE-2025-21692.html
• https://www.suse.com/security/cve/CVE-2025-21697.html
• https://www.suse.com/security/cve/CVE-2025-21699.html
• https://www.suse.com/security/cve/CVE-2025-21700.html
• https://bugzilla.suse.com/show_bug.cgi?id=1012628
• https://bugzilla.suse.com/show_bug.cgi?id=1215199
• https://bugzilla.suse.com/show_bug.cgi?id=1219367
• https://bugzilla.suse.com/show_bug.cgi?id=1222672
• https://bugzilla.suse.com/show_bug.cgi?id=1222803
• https://bugzilla.suse.com/show_bug.cgi?id=1225742
• https://bugzilla.suse.com/show_bug.cgi?id=1225981
• https://bugzilla.suse.com/show_bug.cgi?id=1228521
• https://bugzilla.suse.com/show_bug.cgi?id=1230235
• https://bugzilla.suse.com/show_bug.cgi?id=1230438
• https://bugzilla.suse.com/show_bug.cgi?id=1230439
• https://bugzilla.suse.com/show_bug.cgi?id=1231920
• https://bugzilla.suse.com/show_bug.cgi?id=1232159
• https://bugzilla.suse.com/show_bug.cgi?id=1232198
• https://bugzilla.suse.com/show_bug.cgi?id=1232201
• https://bugzilla.suse.com/show_bug.cgi?id=1232508
• https://bugzilla.suse.com/show_bug.cgi?id=1232520
• https://bugzilla.suse.com/show_bug.cgi?id=1232919
• https://bugzilla.suse.com/show_bug.cgi?id=1233109
• https://bugzilla.suse.com/show_bug.cgi?id=1234853
• https://bugzilla.suse.com/show_bug.cgi?id=1234857
• https://bugzilla.suse.com/show_bug.cgi?id=1234891
• https://bugzilla.suse.com/show_bug.cgi?id=1234963
• https://bugzilla.suse.com/show_bug.cgi?id=1235032
• https://bugzilla.suse.com/show_bug.cgi?id=1235054
• https://bugzilla.suse.com/show_bug.cgi?id=1235061
• https://bugzilla.suse.com/show_bug.cgi?id=1235073
• https://bugzilla.suse.com/show_bug.cgi?id=1235435
• https://bugzilla.suse.com/show_bug.cgi?id=1235592
• https://bugzilla.suse.com/show_bug.cgi?id=1235609
• https://bugzilla.suse.com/show_bug.cgi?id=1235932
• https://bugzilla.suse.com/show_bug.cgi?id=1235933
• https://bugzilla.suse.com/show_bug.cgi?id=1236113
• https://bugzilla.suse.com/show_bug.cgi?id=1236114
• https://bugzilla.suse.com/show_bug.cgi?id=1236115
• https://bugzilla.suse.com/show_bug.cgi?id=1236122
• https://bugzilla.suse.com/show_bug.cgi?id=1236123
• https://bugzilla.suse.com/show_bug.cgi?id=1236133
• https://bugzilla.suse.com/show_bug.cgi?id=1236138
• https://bugzilla.suse.com/show_bug.cgi?id=1236199
• https://bugzilla.suse.com/show_bug.cgi?id=1236200
• https://bugzilla.suse.com/show_bug.cgi?id=1236203
• https://bugzilla.suse.com/show_bug.cgi?id=1236205
• https://bugzilla.suse.com/show_bug.cgi?id=1236573
• https://bugzilla.suse.com/show_bug.cgi?id=1236575
• https://bugzilla.suse.com/show_bug.cgi?id=1236576
• https://bugzilla.suse.com/show_bug.cgi?id=1236591
• https://bugzilla.suse.com/show_bug.cgi?id=1236661
• https://bugzilla.suse.com/show_bug.cgi?id=1236677
• https://bugzilla.suse.com/show_bug.cgi?id=1236700
• https://bugzilla.suse.com/show_bug.cgi?id=1236752
• https://bugzilla.suse.com/show_bug.cgi?id=1236821
• https://bugzilla.suse.com/show_bug.cgi?id=1236822
• https://bugzilla.suse.com/show_bug.cgi?id=1236896
• https://bugzilla.suse.com/show_bug.cgi?id=1236897
• https://bugzilla.suse.com/show_bug.cgi?id=1236952
• https://bugzilla.suse.com/show_bug.cgi?id=1236967
• https://bugzilla.suse.com/show_bug.cgi?id=1236994
• https://bugzilla.suse.com/show_bug.cgi?id=1237007
• https://bugzilla.suse.com/show_bug.cgi?id=1237017
• https://bugzilla.suse.com/show_bug.cgi?id=1237025
• https://bugzilla.suse.com/show_bug.cgi?id=1237028
• https://bugzilla.suse.com/show_bug.cgi?id=1237045
• https://bugzilla.suse.com/show_bug.cgi?id=1237126
• https://bugzilla.suse.com/show_bug.cgi?id=1237132
• https://bugzilla.suse.com/show_bug.cgi?id=1237139
• https://bugzilla.suse.com/show_bug.cgi?id=1237155
• https://bugzilla.suse.com/show_bug.cgi?id=1237158
• https://bugzilla.suse.com/show_bug.cgi?id=1237159
• https://bugzilla.suse.com/show_bug.cgi?id=1237232
• https://bugzilla.suse.com/show_bug.cgi?id=1237234
• https://bugzilla.suse.com/show_bug.cgi?id=1237325
• https://bugzilla.suse.com/show_bug.cgi?id=1237415
• https://bugzilla.suse.com/show_bug.cgi?id=1237452
• https://bugzilla.suse.com/show_bug.cgi?id=1237558
• https://bugzilla.suse.com/show_bug.cgi?id=1237562
• https://bugzilla.suse.com/show_bug.cgi?id=1237563
• https://jira.suse.com/browse/PED-10028
• https://jira.suse.com/browse/PED-12094
• https://jira.suse.com/browse/PED-348
• https://jira.suse.com/browse/PED-6143