Debian Linux vulnerabilities

CVE-2025-38478 [MEDIUM] CWE-908 CVE-2025-38478: In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of d In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocat

CVE-2025-38470 [MEDIUM] CVE-2025-38470: In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple

CVE-2025-38473 [MEDIUM] CWE-476 CVE-2025-38473: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref i In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2ca

CVE-2025-38491 [MEDIUM] CWE-667 CVE-2025-38491: In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback

CVE-2025-38481 [MEDIUM] CVE-2025-38481: In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST io In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation wil

CVE-2025-38495 [MEDIUM] CVE-2025-38495: In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guarant

CVE-2025-38477 [MEDIUM] CWE-362 CVE-2025-38477: In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race co In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may

CVE-2025-38377 [HIGH] CWE-416 CVE-2025-38377: In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour po In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing a

CVE-2025-38437 [HIGH] CWE-416 CVE-2025-38437: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after- In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice.

CVE-2025-38443 [HIGH] CWE-416 CVE-2025-38443: In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connec In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff888

CVE-2025-38445 [HIGH] CWE-125 CVE-2025-38445: In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel pa

CVE-2025-38415 [HIGH] CWE-787 CVE-2025-38415: In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result o In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioc

CVE-2025-38403 [HIGH] CVE-2025-38403: In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci tran In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure.

CVE-2025-38416 [HIGH] CVE-2025-38416: In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_d In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close t

CVE-2025-38425 [HIGH] CVE-2025-38425: In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes.

CVE-2025-38395 [HIGH] CWE-125 CVE-2025-38395: In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the co

CVE-2025-38428 [HIGH] CWE-787 CVE-2025-38428: In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record s In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec

CVE-2025-38456 [HIGH] CWE-787 CVE-2025-38456: In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call

CVE-2025-38459 [HIGH] CWE-674 CVE-2025-38459: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursi In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later,

CVE-2025-38385 [HIGH] CWE-404 CVE-2025-38385: In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path. A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect: WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locke