vulnerability

Oracle Linux: CVE-2025-68242: ELSA-2026-50006: Unbreakable Enterprise kernel security update (IMPORTANT)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:L/AC:M/Au:S/C:P/I:P/A:P)	Dec 16, 2025	Jan 15, 2026	Jan 15, 2026

Severity

CVSS

(AV:L/AC:M/Au:S/C:P/I:P/A:P)

Published

Dec 16, 2025

Added

Jan 15, 2026

Modified

Jan 15, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:
NFS: Fix LTP test failures when timestamps are delegated
The utimes01 and utime06 tests fail when delegated timestamps are
enabled, specifically in subtests that modify the atime and mtime
fields using the 'nobody' user ID.
The problem can be reproduced as follow:
# echo "/media *(rw,no_root_squash,sync)" >> /etc/exports
# export -ra
# mount -o rw,nfsvers=4.2 127.0.0.1:/media /tmpdir
# cd /opt/ltp
# ./runltp -d /tmpdir -s utimes01
# ./runltp -d /tmpdir -s utime06
This issue occurs because nfs_setattr does not verify the inode's
UID against the caller's fsuid when delegated timestamps are
permitted for the inode.
This patch adds the UID check and if it does not match then the
request is sent to the server for permission checking.

Solution

oracle-linux-upgrade-kernel-uek

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today