Debian Linux vulnerabilities

CVE-2025-38512 [HIGH] CVE-2025-38512: In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2

CVE-2025-38550 [HIGH] CVE-2025-38550: In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->ide In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return.

CVE-2025-38530 [HIGH] CWE-125 CVE-2025-38530: In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift o In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. F

CVE-2025-38501 [HIGH] CWE-400 CVE-2025-38501: In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connectio In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaust the max connections and prevent other normal client connections. This patch limit repeated connections from clients with the same IP.

CVE-2025-38502 [HIGH] CWE-125 CVE-2025-38502: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup l In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The

CVE-2025-38527 [HIGH] CWE-416 CVE-2025-38527: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start rele

CVE-2025-38552 [HIGH] CVE-2025-38552: In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subfl In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket

CVE-2025-38535 [HIGH] CVE-2025-38535: In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalance In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to

CVE-2025-38538 [HIGH] CWE-787 CVE-2025-38538: In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are mor

CVE-2025-38548 [HIGH] CVE-2025-38548: In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd().

CVE-2025-38529 [HIGH] CWE-125 CVE-2025-38529: In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit sh In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix t

CVE-2025-38514 [MEDIUM] CVE-2025-38514: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-exis In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this

CVE-2025-38543 [MEDIUM] CWE-476 CVE-2025-38543: In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc_coherent error check Check for NULL return value with dma_alloc_coherent, in line with Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.

CVE-2025-38546 [MEDIUM] CWE-401 CVE-2025-38546: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of s In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(AT

CVE-2025-38542 [MEDIUM] CVE-2025-38542: In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refc In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refcount leak in atrtr_create() When updating an existing route entry in atrtr_create(), the old device reference was not being released before assigning the new device, leading to a device refcount leak. Fix this by calling dev_put() to release the old device r

CVE-2025-38513 [MEDIUM] CWE-476 CVE-2025-38513: In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential N In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) {

CVE-2025-38516 [MEDIUM] CWE-476 CVE-2025-38516: In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certai In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for exam

CVE-2025-38503 [MEDIUM] CWE-617 CVE-2025-38503: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when build In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-sp

CVE-2025-38539 [MEDIUM] CVE-2025-38539: In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_e In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the addin

CVE-2025-38540 [MEDIUM] CVE-2025-38540: In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Ch In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime