Debian Linux vulnerabilities

CVE-2025-38513 [MEDIUM] CWE-476 CVE-2025-38513: In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential N In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) {

CVE-2025-38516 [MEDIUM] CWE-476 CVE-2025-38516: In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certai In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for exam

CVE-2025-38503 [MEDIUM] CWE-617 CVE-2025-38503: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when build In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-sp

CVE-2025-38539 [MEDIUM] CVE-2025-38539: In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_e In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the addin

CVE-2025-38540 [MEDIUM] CVE-2025-38540: In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Ch In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime

CVE-2025-38528 [MEDIUM] CVE-2025-38528: In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string i In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vspri

CVE-2025-38520 [MEDIUM] CWE-667 CVE-2025-38520: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput fr In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below bac

CVE-2025-38515 [MEDIUM] CVE-2025-38515: In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the job count being zero. If this race occurs, job scheduling s

CVE-2025-38510 [MEDIUM] CWE-476 CVE-2025-38510: In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_are In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin

CVE-2025-38500 [HIGH] CWE-416 CVE-2025-38500: In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after- In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the

CVE-2025-38499 [MEDIUM] CVE-2025-38499: In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come fro

CVE-2025-38498 [MEDIUM] CVE-2025-38498: In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to ope In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2).

CVE-2025-38476 [HIGH] CWE-416 CVE-2025-38476: In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_ In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it b

CVE-2025-38485 [HIGH] CWE-416 CVE-2025-38485: In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of t

CVE-2025-38483 [HIGH] CWE-125 CVE-2025-38483: In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace,

CVE-2025-38494 [HIGH] CVE-2025-38494: In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used.

CVE-2025-38482 [HIGH] CWE-125 CVE-2025-38482: In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so th

CVE-2025-38488 [HIGH] CVE-2025-38488: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crash

CVE-2025-38471 [HIGH] CWE-416 CVE-2025-38471: In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue w In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KAS

CVE-2025-38497 [HIGH] CWE-125 CVE-2025-38497: In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerabil