Debian Linux vulnerabilities
9,936 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,936
CISA KEV: 121 (actively exploited)
Public exploits: 431
Exploited in wild: 132
Severity breakdown: CRITICAL 1129, HIGH 4133, MEDIUM 4311, LOW 363
Vulnerabilities
Page 14 of 497
CVE-2025-38472 | MEDIUM | CVSS 5.5 | CWE-908 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_conntrack: fix crash due to removal of uninitialised entry
A crash in conntrack was reported while trying to unlink the conntrack
entry from the hash bucket list:
[exception RIP: __nf_ct_delete_from_lists+172]
[..]
#7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d4
nvd
CVE-2025-38487 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
Mitigate e.g. the following:
# echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
...
[ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
nvd
CVE-2025-38480 | MEDIUM | CVSS 5.5 | CWE-908 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital"
subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and
`COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have
`insn_read` a
nvd
CVE-2025-38468 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add
nvd
CVE-2025-38474 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and
having bulk in and out endpoints, but not that
the third endpoint is interrupt input.
Rectify the omission.
nvd
CVE-2025-38478 | MEDIUM | CVSS 5.5 | CWE-908 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fix initialization of data for instructions that write to subdevice
Some Comedi subdevice instruction handlers are known to access
instruction data elements beyond the first `insn->n` elements in some
cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions
allocat
nvd
CVE-2025-38470 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple
nvd
CVE-2025-38473 | MEDIUM | CVSS 5.5 | CWE-476 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0]
l2cap_sock_resume_cb() has a similar problem that was fixed by commit
1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()").
Since both l2ca
nvd
CVE-2025-38491 | MEDIUM | CVSS 5.5 | CWE-667 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
mptcp: make fallback action and fallback decision atomic
Syzkaller reported the following splat:
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline]
WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback
nvd
CVE-2025-38481 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to
hold the array of `struct comedi_insn`, getting the length from the
`n_insns` member of the `struct comedi_insnlist` supplied by the user.
The allocation wil
nvd
CVE-2025-38495 | MEDIUM | CVSS 5.5 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
HID: core: ensure the allocated report buffer can contain the reserved report ID
When the report ID is not used, the low level transport drivers expect
the first byte to be 0. However, currently the allocated buffer does not
account for that extra byte, meaning that instead of having 8 guarant
nvd
CVE-2025-38477 | MEDIUM | CVSS 4.7 | CWE-362 | v11.0 | 2025-07-28
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix race condition on qfq_aggregate
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may
nvd
CVE-2025-38377 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
rose: fix dangling neighbour pointers in rose_rt_device_down()
There are two bugs in rose_rt_device_down() that can cause
use-after-free:
1. The loop bound `t->count` is modified within the loop, which can
cause the loop to terminate early and miss some entries.
2. When removing a
nvd
CVE-2025-38437 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix potential use-after-free in oplock/lease break ack
If ksmbd_iov_pin_rsp returns an error, a use-after-free can happen by
accessing opinfo->state, and opinfo_put and ksmbd_fd_put could be
called twice.
nvd
CVE-2025-38443 | HIGH | CVSS 7.8 | CWE-416 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix uaf in nbd_genl_connect() error path
There is a use-after-free issue in nbd:
block nbd6: Receive control failed (result -104)
block nbd6: shutting down sockets
BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022
Write of size 4 at addr ffff888
nvd
CVE-2025-38445 | HIGH | CVSS 7.1 | CWE-125 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
md/raid1: Fix stack memory use after return in raid1_reshape
In the raid1_reshape function, newpool is
allocated on the stack and assigned to conf->r1bio_pool.
This results in conf->r1bio_pool.wait.head pointing
to a stack address.
Accessing this address later can lead to a kernel pa
nvd
CVE-2025-38415 | HIGH | CVSS 7.8 | CWE-787 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check return result of sb_min_blocksize
Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
Syzkaller forks multiple processes which after mounting the Squashfs
filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
Now if this ioc
nvd
CVE-2025-38403 | HIGH | CVSS 7.8 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
vsock/vmci: Clear the vmci transport packet properly when initializing it
In vmci_transport_packet_init memset the vmci_transport_packet before
populating the fields to avoid any uninitialised data being left in the
structure.
nvd
CVE-2025-38416 | HIGH | CVSS 7.8 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
NFC: nci: uart: Set tty->disc_data only in success path
Setting tty->disc_data before opening the NCI device means we need to
clean it up on error paths. This also opens some short window if device
starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded
(broken hardware?). Close t
nvd
CVE-2025-38425 | HIGH | CVSS 7.8 | v11.0 | 2025-07-25
In the Linux kernel, the following vulnerability has been resolved:
i2c: tegra: check msg length in SMBUS block read
For SMBUS block read, do not continue to read if the message length
passed from the device is '0' or greater than the maximum allowed bytes.
nvd