Debian Linux vulnerabilities

CVE-2025-38395 [HIGH] CWE-125 CVE-2025-38395: In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the co

CVE-2025-38428 [HIGH] CWE-787 CVE-2025-38428: In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record s In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec

CVE-2025-38456 [HIGH] CWE-787 CVE-2025-38456: In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call

CVE-2025-38459 [HIGH] CWE-674 CVE-2025-38459: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursi In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later,

CVE-2025-38385 [HIGH] CWE-404 CVE-2025-38385: In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path. A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect: WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locke

CVE-2025-38401 [HIGH] CWE-787 CVE-2025-38401: In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corrupti In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the requ

CVE-2025-38389 [HIGH] CVE-2025-38389: In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: [239.330153] ------------[ cut here ]------------ [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm

CVE-2025-38464 [HIGH] CWE-416 CVE-2025-38464: In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tip In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is cal

CVE-2025-38396 [HIGH] CVE-2025-38396: In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secu In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon

CVE-2025-38422 [HIGH] CVE-2025-38422: In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb and 64 Kb respectively. Adjust max size definitions and return correct EEPROM length based on device. Also prevent out-of-bound read/write.

CVE-2025-38375 [HIGH] CWE-125 CVE-2025-38375: In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing che

CVE-2025-38419 [MEDIUM] CWE-401 CVE-2025-38419: In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acqui In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() When rproc->state = RPROC_DETACHED and rproc_attach() is used to attach to the remote processor, if rproc_handle_resources() returns a failure, the resources allocated by imx_rproc_p

CVE-2025-38386 [MEDIUM] CWE-416 CVE-2025-38386: In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a me In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear

CVE-2025-38362 [MEDIUM] CWE-476 CVE-2025-38362: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null point In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lea

CVE-2025-38462 [MEDIUM] CWE-367 CVE-2025-38462: In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range

CVE-2025-38371 [MEDIUM] CWE-476 CVE-2025-38371: In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts bef In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer d

CVE-2025-38465 [MEDIUM] CWE-401 CVE-2025-38465: In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk- In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of

CVE-2025-38400 [MEDIUM] CVE-2025-38400: In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection in nfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. Later, rpc_proc_exit() tries to remove /proc/net/rpc, an

CVE-2025-38444 [MEDIUM] CWE-401 CVE-2025-38444: In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffi

CVE-2025-38455 [MEDIUM] CWE-476 CVE-2025-38455: In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vc