Security update for the Linux Kernel (Live Patch 3 for SUSE Linux Enterprise 16) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:20637-1 Final 1 1 2026-03-04T20:07:36Z current 2026-03-04T20:07:36Z 2026-03-04T20:07:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 3 for SUSE Linux Enterprise 16) This update for the SUSE Linux Enterprise kernel 6.12.0-160000.8.1 fixes one security issue The following security issue was fixed: - CVE-2025-40130: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling (bsc#1253415). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-355 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-202620637-1/ Link for SUSE-SU-2026:20637-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024641.html E-Mail link for SUSE-SU-2026:20637-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1253415 SUSE Bug 1253415 https://www.suse.com/security/cve/CVE-2025-40130/ SUSE CVE CVE-2025-40130 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 kernel-livepatch-6_12_0-160000_8-default-2-160000.1.1 kernel-livepatch-6_12_0-160000_8-default-2-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 kernel-livepatch-6_12_0-160000_8-default-2-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP applications 16.0 In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix data race in CPU latency PM QoS request handling The cpu_latency_qos_add/remove/update_request interfaces lack internal synchronization by design, requiring the caller to ensure thread safety. The current implementation relies on the 'pm_qos_enabled' flag, which is insufficient to prevent concurrent access and cannot serve as a proper synchronization mechanism. This has led to data races and list corruption issues. A typical race condition call trace is: [Thread A] ufshcd_pm_qos_exit() --> cpu_latency_qos_remove_request() --> cpu_latency_qos_apply(); --> pm_qos_update_target() --> plist_del <--(1) delete plist node --> memset(req, 0, sizeof(*req)); --> hba->pm_qos_enabled = false; [Thread B] ufshcd_devfreq_target --> ufshcd_devfreq_scale --> ufshcd_scale_clks --> ufshcd_pm_qos_update <--(2) pm_qos_enabled is true --> cpu_latency_qos_update_request --> pm_qos_update_target --> plist_del <--(3) plist node use-after-free Introduces a dedicated mutex to serialize PM QoS operations, preventing data races and ensuring safe access to PM QoS resources, including sysfs interface reads. CVE-2025-40130 SUSE Linux Enterprise Server 16.0:kernel-livepatch-6_12_0-160000_8-default-2-160000.1.1 SUSE Linux Enterprise Server for SAP applications 16.0:kernel-livepatch-6_12_0-160000_8-default-2-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-202620637-1/ https://www.suse.com/security/cve/CVE-2025-40130.html CVE-2025-40130 https://bugzilla.suse.com/1253414 SUSE Bug 1253414 https://bugzilla.suse.com/1253415 SUSE Bug 1253415