SB2025080130 - Anolis OS update for kernel:4.18

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2022-49977)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ftrace_startup() function in kernel/trace/ftrace.c. A local user can perform a denial of service (DoS) attack.

2) Buffer overflow (CVE-ID: CVE-2025-21905)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the iwl_parse_tlv_firmware() function in drivers/net/wireless/intel/iwlwifi/iwl-drv.c. A local user can perform a denial of service (DoS) attack.

3) Input validation error (CVE-ID: CVE-2025-21919)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the child_cfs_rq_on_list() function in kernel/sched/fair.c. A local user can perform a denial of service (DoS) attack.

4) Improper locking (CVE-ID: CVE-2025-38234)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the find_lowest_rq() and find_lock_lowest_rq() functions in kernel/sched/rt.c. A local user can perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://anas.openanolis.cn/errata/detail/ANSA-2025:0488