Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 395
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

CVE-2025-38639 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_nfacct: don't assume acct name is null-terminated BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 [..] string+0x231/0x2b0 lib/vsprintf.c:721 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 [..] nfacct_mt_
nvd
CVE-2025-38664 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference.
nvd
CVE-2025-38635 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: clk: davinci: Add NULL check in davinci_lpsc_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, davinci_lpsc_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to preve
nvd
CVE-2025-38650 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-667
In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: hfsplus_file_truncate+0x768/0xbb0 fs/h
nvd
CVE-2025-38634 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-charger: Fix null check for power_supply_get_by_name In the cpcap_usb_detect() function, the power_supply_get_by_name() function may return `NULL` instead of an error pointer. To prevent potential null pointer dereferences, Added a null check.
nvd
CVE-2025-38671 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22
In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed
nvd
CVE-2025-38645 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Check device memory pointer before usage Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails.
nvd
CVE-2025-38622 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22
In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen. ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:457
nvd
CVE-2025-38663 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22
In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject invalid file types when reading inodes To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a
nvd
CVE-2025-38665 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that c
nvd
CVE-2025-38644 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-908
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state li
nvd
CVE-2025-38623 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22
In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1)
nvd
CVE-2025-38630 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot allocate a struct fb_modelist. If that happens, the modelist stays empty but the driver continues to register. Add a check for its return valu
nvd
CVE-2025-38668 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-22 | CWE-476
In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator oper
nvd
CVE-2025-38563 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19
In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the s
nvd
CVE-2025-38565 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19
In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this
nvd
CVE-2025-38579 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19 | CWE-908
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`)
nvd
CVE-2025-38574 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19 | CWE-908
In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot. BUG: KMSAN: uninit-value in
nvd
CVE-2025-38572 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19
In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segme
nvd
CVE-2025-38555 | HIGH | CVSS 7.8 | v11.0 | 2025-08-19 | CWE-416
In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in fu
nvd