Debian Linux vulnerabilities

CVE-2025-38569 [MEDIUM] CWE-476 CVE-2025-38569: In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VF In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0

CVE-2025-38587 [MEDIUM] CWE-835 CVE-2025-38587: In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loo In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we

CVE-2025-38609 [MEDIUM] CWE-476 CVE-2025-38609: In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor be In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor before using governor->name Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") removes governor_name and uses governor->name to replace it. But devfreq->governor may be NULL and directly using devfreq->governor->na

CVE-2025-38560 [MEDIUM] CVE-2025-38560: In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines duri In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being val

CVE-2025-38608 [MEDIUM] CWE-908 CVE-2025-38608: In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length.

CVE-2025-38512 [HIGH] CVE-2025-38512: In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2

CVE-2025-38550 [HIGH] CVE-2025-38550: In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->ide In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return.

CVE-2025-38530 [HIGH] CWE-125 CVE-2025-38530: In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift o In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. F

CVE-2025-38501 [HIGH] CWE-400 CVE-2025-38501: In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connectio In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaust the max connections and prevent other normal client connections. This patch limit repeated connections from clients with the same IP.

CVE-2025-38502 [HIGH] CWE-125 CVE-2025-38502: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup l In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The

CVE-2025-38527 [HIGH] CWE-416 CVE-2025-38527: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start rele

CVE-2025-38552 [HIGH] CVE-2025-38552: In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subfl In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket

CVE-2025-38535 [HIGH] CVE-2025-38535: In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalance In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to

CVE-2025-38538 [HIGH] CWE-787 CVE-2025-38538: In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are mor

CVE-2025-38548 [HIGH] CVE-2025-38548: In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd().

CVE-2025-38529 [HIGH] CWE-125 CVE-2025-38529: In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit sh In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix t

CVE-2025-38514 [MEDIUM] CVE-2025-38514: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-exis In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this

CVE-2025-38543 [MEDIUM] CWE-476 CVE-2025-38543: In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc_coherent error check Check for NULL return value with dma_alloc_coherent, in line with Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.

CVE-2025-38546 [MEDIUM] CWE-401 CVE-2025-38546: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of s In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(AT

CVE-2025-38542 [MEDIUM] CVE-2025-38542: In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refc In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refcount leak in atrtr_create() When updating an existing route entry in atrtr_create(), the old device reference was not being released before assigning the new device, leading to a device refcount leak. Fix this by calling dev_put() to release the old device r