LSN-0116-1 is a Kernel Live Patch Security Notice issued by LSN-0116-1 is a Kernel Live Patch Security Notice issued by Canonical, addressing multiple critical vulnerabilities in the Linux kernel. These flaws primarily include privilege escalation, allowing unauthorized root access, and denial of service issues that could disrupt system availability. The notice impacts various Ubuntu kernel versions, including 5.4, 5.15, and 6.2.

The significance of LSN-0116-1 lies in its delivery via the Ubuntu Livepatch service. This allows the crucial security fixes to be applied *without requiring a system reboot*, ensuring continuous uptime for servers and critical infrastructure. Users are strongly advised to verify their Livepatch service is active and up-to-date to automatically receive these patches, mitigating potential exploitation without service interruption.

Linux kernel vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software Description

- linux - Linux kernel
- linux-aws - Linux kernel for Amazon Web Services (AWS) systems
- linux-azure - Linux kernel for Microsoft Azure Cloud systems
- linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
- linux-gke - Linux kernel for Google Container Engine (GKE) systems
- linux-ibm - Linux kernel for IBM cloud systems
- linux-oracle - Linux kernel for Oracle Cloud systems

Details

In the Linux kernel, the following vulnerability has been resolved: net:
atlantic: eliminate double free in error handling logic Driver has a
logic leak in ring data allocation/free, where aq_ring_free could be
called multiple times on same ring, if system is under stress and got
memory allocation error. (CVE-2023-52664)

In the Linux kernel, the following vulnerability has been resolved:
sctp: properly validate chunk size in sctp_sf_ootb() A size validation
fix similar to that in Commit 50619dbf8db7 (?sctp: add size validation
when walking chunks?) is also required in sctp_sf_ootb() to address a
crash reported by syzbot: BUG: KMSAN: uninit-value in
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88 sctp_rcv+0x3831/0x3b20
net/sctp/input.c:243 sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233.
(CVE-2024-50299)

In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out of bounds reads when finding clock sources The
current USB-audio driver code doesn?t check bLength of each descriptor
at traversing for clock descriptors. (CVE-2024-53150)

In the Linux kernel, the following vulnerability has been resolved:
ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit After
an insertion in TNC, the tree might split and cause a node to change its
znode->parent. (CVE-2024-53171)

In the Linux kernel, the following vulnerability has been resolved:
NFSD: Prevent NULL dereference in nfsd4_process_cb_update() @ses is
initialized to NULL. (CVE-2024-53217)

In the Linux kernel, the following vulnerability has been resolved:
padata: fix UAF in padata_reorder A bug was found when run ltp test:
BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of
size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0
PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
dump_stack_lvl+0x32/0x50
print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0
kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0
padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0
process_one_work+0x2ec/0x5a0 If ?mdelay(10)? is added before calling
?padata_find_next? in the ?padata_reorder? function, this issue could be
reproduced easily with ltp test (pcrypt_aead01). (CVE-2025-21727)

In the Linux kernel, the following vulnerability has been resolved:
posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del() If an exiting non-autoreaping task has already
passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it
can be reaped by its parent or debugger right after
unlock_task_sighand(). (CVE-2025-38352)

Update instructions

The problem can be corrected by updating your kernel livepatch to the
following versions:

Ubuntu 20.04 LTS
aws - 116.1
azure - 116.1
gcp - 116.1
generic - 116.1
ibm - 116.1
lowlatency - 116.1
oracle - 116.1

Ubuntu 18.04 LTS
aws - 116.1
gcp - 116.1
generic - 116.1
lowlatency - 116.1
oracle - 116.1

Ubuntu 24.04 LTS
aws - 116.1
azure - 116.1
gcp - 116.1
generic - 116.1
ibm - 116.1
oracle - 116.1

Ubuntu 16.04 LTS
aws - 116.1
gcp - 116.1
generic - 116.1
lowlatency - 116.1

Ubuntu 22.04 LTS
aws - 116.1
azure - 116.1
gcp - 116.1
generic - 116.1
gke - 116.1
ibm - 116.1
oracle - 116.1

Ubuntu 14.04 LTS
generic - 116.1
lowlatency - 116.1

Support Information

Livepatches for supported LTS kernels will receive upgrades for a period
of up to 13 months after the build date of the kernel.

Livepatches for supported HWE kernels which are not based on an LTS
kernel version will receive upgrades for a period of up to 9 months
after the build date of the kernel, or until the end of support for that
kernel?s non-LTS distro release version, whichever is sooner.

References

- CVE-2023-52664
- CVE-2024-50299
- CVE-2024-53150
- CVE-2024-53171
- CVE-2024-53217
- CVE-2025-21727
- CVE-2025-38352