Debian Linux vulnerabilities

CVE-2025-38401 [HIGH] CWE-787 CVE-2025-38401: In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corrupti In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the requ

CVE-2025-38389 [HIGH] CVE-2025-38389: In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: [239.330153] ------------[ cut here ]------------ [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm

CVE-2025-38464 [HIGH] CWE-416 CVE-2025-38464: In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tip In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is cal

CVE-2025-38396 [HIGH] CVE-2025-38396: In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secu In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon

CVE-2025-38422 [HIGH] CVE-2025-38422: In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb and 64 Kb respectively. Adjust max size definitions and return correct EEPROM length based on device. Also prevent out-of-bound read/write.

CVE-2025-38375 [HIGH] CWE-125 CVE-2025-38375: In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing che

CVE-2025-38419 [MEDIUM] CWE-401 CVE-2025-38419: In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acqui In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() When rproc->state = RPROC_DETACHED and rproc_attach() is used to attach to the remote processor, if rproc_handle_resources() returns a failure, the resources allocated by imx_rproc_p

CVE-2025-38386 [MEDIUM] CWE-416 CVE-2025-38386: In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a me In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear

CVE-2025-38362 [MEDIUM] CWE-476 CVE-2025-38362: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null point In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lea

CVE-2025-38462 [MEDIUM] CWE-367 CVE-2025-38462: In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range

CVE-2025-38371 [MEDIUM] CWE-476 CVE-2025-38371: In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts bef In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer d

CVE-2025-38465 [MEDIUM] CWE-401 CVE-2025-38465: In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk- In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of

CVE-2025-38400 [MEDIUM] CVE-2025-38400: In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection in nfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. Later, rpc_proc_exit() tries to remove /proc/net/rpc, an

CVE-2025-38444 [MEDIUM] CWE-401 CVE-2025-38444: In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffi

CVE-2025-38455 [MEDIUM] CWE-476 CVE-2025-38455: In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vc

CVE-2025-38460 [MEDIUM] CWE-476 CVE-2025-38460: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-p In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is

CVE-2025-38410 [MEDIUM] CWE-401 CVE-2025-38410: In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in su In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork:

CVE-2025-38384 [MEDIUM] CWE-401 CVE-2025-38384: In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak o In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak of ECC engine conf Memory allocated for the ECC engine conf is not released during spinand cleanup. Below kmemleak trace is seen for this memory leak: unreferenced object 0xffffff80064f00e0 (size 8): comm "swapper/0", pid 1, jiffies 4294937458 hex du

CVE-2025-38354 [MEDIUM] CVE-2025-38354: In the Linux kernel, the following vulnerability has been resolved: drm/msm/gpu: Fix crash when thr In the Linux kernel, the following vulnerability has been resolved: drm/msm/gpu: Fix crash when throttling GPU immediately during boot There is a small chance that the GPU is already hot during boot. In that case, the call to of_devfreq_cooling_register() will immediately try to apply devfreq cooling, as seen in the following crash: Unable to handle kern

CVE-2025-38404 [MEDIUM] CWE-667 CVE-2025-38404: In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix po In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix potential deadlock The deadlock can occur due to a recursive lock acquisition of `cros_typec_altmode_data::mutex`. The call chain is as follows: 1. cros_typec_altmode_work() acquires the mutex 2. typec_altmode_vdm() -> dp_altmode_vdm() -> 3. typec_altm