Debian Linux vulnerabilities

CVE-2025-38577 [MEDIUM] CWE-416 CVE-2025-38577: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid panic in f2f In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid panic in f2fs_evict_inode As syzbot [1] reported as below: R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 ---[ end trace 0000000000000000 ]--- BUG: KASAN: use-after-free in __

CVE-2025-38581 [MEDIUM] CWE-476 CVE-2025-38581: In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when re In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.97693

CVE-2025-38576 [MEDIUM] CVE-2025-38576: In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: Make EEH driver de In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: Make EEH driver device hotplug safe Multiple race conditions existed between the PCIe hotplug driver and the EEH driver, leading to a variety of kernel oopses of the same general nature: A second class of oops is also seen when the underlying bus disappears during device re

CVE-2025-38601 [MEDIUM] CWE-909 CVE-2025-38601: In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group:

CVE-2025-38578 [MEDIUM] CWE-416 CVE-2025-38578: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_ In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() syzbot reported an UAF issue as below: [1] [2] [1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 Read of size 8 at addr ffff

CVE-2025-38604 [MEDIUM] CWE-476 CVE-2025-38604: In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NU

CVE-2025-38602 [MEDIUM] CWE-252 CVE-2025-38602: In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer.

CVE-2025-38610 [MEDIUM] CWE-476 CVE-2025-38610: In the Linux kernel, the following vulnerability has been resolved: powercap: dtpm_cpu: Fix NULL po In the Linux kernel, the following vulnerability has been resolved: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() The get_pd_power_uw() function can crash with a NULL pointer dereference when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible during runtime, causing get_cpu_device() to return NULL, which p

CVE-2025-38588 [MEDIUM] CWE-835 CVE-2025-38588: In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); }

CVE-2025-38614 [MEDIUM] CWE-674 CVE-2025-38614: In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded r In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the

CVE-2025-38583 [MEDIUM] CWE-476 CVE-2025-38583: In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pl In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unr

CVE-2025-38561 [MEDIUM] CWE-362 CVE-2025-38561: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue rac In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination

CVE-2025-38562 [MEDIUM] CWE-476 CVE-2025-38562: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer derefer In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If client send two session setups with krb5 authenticate to ksmbd, null pointer dereference error in generate_encryptionkey could happen. sess->Preauth_HashValue is set to NULL if session is valid. So this patch s

CVE-2025-38612 [MEDIUM] CWE-401 CVE-2025-38612: In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential m In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() In the error paths after fb_info structure is successfully allocated, the memory allocated in fb_deferred_io_init() for info->pagerefs is not freed. Fix that by adding the cleanup function on the error path.

CVE-2025-38553 [MEDIUM] CWE-667 CVE-2025-38553: In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplic

CVE-2025-38569 [MEDIUM] CWE-476 CVE-2025-38569: In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VF In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0

CVE-2025-38587 [MEDIUM] CWE-835 CVE-2025-38587: In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loo In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we

CVE-2025-38609 [MEDIUM] CWE-476 CVE-2025-38609: In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor be In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor before using governor->name Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") removes governor_name and uses governor->name to replace it. But devfreq->governor may be NULL and directly using devfreq->governor->na

CVE-2025-38560 [MEDIUM] CVE-2025-38560: In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines duri In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being val

CVE-2025-38608 [MEDIUM] CWE-908 CVE-2025-38608: In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length.