Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 395
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

Page 13 of 496
CVE-2025-38528 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-16
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers
static const char fmt[] = "%p%";
bpf_trace_printk(fmt, sizeof(fmt));
The above BPF program isn't rejected and causes a kernel warning at runtime:
Please remove unsupported %\x00 in format string
WARNING: CPU: 1 PID: 7244 at lib/vspri
nvd
CVE-2025-38520 | MEDIUM | CVSS 5.5 | CWE-667 | v11.0 | 2025-08-16
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback
If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below bac
nvd
CVE-2025-38515 | MEDIUM | CVSS 4.7 | v11.0 | 2025-08-16
In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue
A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the job count being zero. If this race occurs, job scheduling s
nvd
CVE-2025-38510 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-08-16
In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock
find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin
nvd
CVE-2025-38500 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-08-12
In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface
collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the
nvd
CVE-2025-38499 | MEDIUM | CVSS 5.5 | v11.0 | 2025-08-11
In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come fro
nvd
CVE-2025-38498 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-30
In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts
Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2).
nvd
CVE-2025-38476 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline().
Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it b
nvd
CVE-2025-38485 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of t
nvd
CVE-2025-38483 | HIGH | CVSS 7.1 | CWE-125 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
/* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */
if ((1 << it->options[1]) & 0xdcfc) {
However, `it->options[i]` is an unchecked `int` value from userspace,
nvd
CVE-2025-38494 | HIGH | CVSS 7.8 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request
hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid param to be used.
nvd
CVE-2025-38482 | HIGH | CVSS 7.1 | CWE-125 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds
When checking for a supported IRQ number, the following test is used:
/* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */
if ((1 << it->options[1]) & 0x8cec) {
However, `it->options[i]` is an unchecked `int` value from userspace, so th
nvd
CVE-2025-38488 | HIGH | CVSS 7.8 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto
The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crash
nvd
CVE-2025-38471 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock
After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KAS
nvd
CVE-2025-38497 | HIGH | CVSS 7.1 | CWE-125 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write
When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerabil
nvd
CVE-2025-38472 | MEDIUM | CVSS 5.5 | CWE-908 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list:
[exception RIP: __nf_ct_delete_from_lists+172]
[..]
#7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d4
nvd
CVE-2025-38487 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
Mitigate e.g. the following:
# echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
...
[ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
nvd
CVE-2025-38480 | MEDIUM | CVSS 5.5 | CWE-908 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` a
nvd
CVE-2025-38468 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add
nvd
CVE-2025-38474 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission.
nvd