Debian Linux vulnerabilities

CVE-2025-38363 [MEDIUM] CWE-476 CVE-2025-38363: In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference.

CVE-2025-38406 [MEDIUM] CVE-2025-38406: In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on ba In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on bad firmware input If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, p

CVE-2025-38457 [MEDIUM] CVE-2025-38457: In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qd In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to

CVE-2025-38382 [MEDIUM] CWE-908 CVE-2025-38382: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs during log replay At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the nex

CVE-2025-38458 [MEDIUM] CWE-476 CVE-2025-38458: In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer der In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324

CVE-2025-38424 [MEDIUM] CVE-2025-38424: In the Linux kernel, the following vulnerability has been resolved: perf: Fix sample vs do_exit() In the Linux kernel, the following vulnerability has been resolved: perf: Fix sample vs do_exit() Baisheng Gao reported an ARM64 crash, which Mark decoded as being a synchronous external abort -- most likely due to trying to access MMIO in bad ways. The crash further shows perf trying to do a user stack sample while in exit_mmap()'s tlb_finish_mmu() -- i.e

CVE-2025-38448 [MEDIUM] CWE-362 CVE-2025-38448: In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and p

CVE-2025-38430 [MEDIUM] CVE-2025-38430: In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() mu In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND pr

CVE-2025-38409 [MEDIUM] CWE-401 CVE-2025-38409: In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix another leak in th In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix another leak in the submit error path put_unused_fd() doesn't free the installed file, if we've already done fd_install(). So we need to also free the sync_file. Patchwork: https://patchwork.freedesktop.org/patch/653583/

CVE-2025-38461 [MEDIUM] CWE-367 CVE-2025-38461: In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbf

CVE-2025-38451 [MEDIUM] CVE-2025-38451: In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix GPF in bitmap In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix GPF in bitmap_get_stats() The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") states: Remove the external bitmap check as the statistics should be available regardless of bitmap storage location. Return -EINVAL only for

CVE-2025-38364 [MEDIUM] CWE-476 CVE-2025-38364: In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix MA_STATE_PREALL In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA

CVE-2025-38399 [MEDIUM] CWE-476 CVE-2025-38399: In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() The function core_scsi3_decode_spec_i_port(), in its error code path, unconditionally calls core_scsi3_lunacl_undepend_item() passing the dest_se_deve pointer, which may be NULL. This can lead to a NULL

CVE-2025-38466 [MEDIUM] CVE-2025-38466: In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_S In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this

CVE-2025-38365 [MEDIUM] CWE-362 CVE-2025-38365: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a race between renam In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a race between renames and directory logging We have a race between a rename and directory inode logging that if it happens and we crash/power fail before the rename completes, the next time the filesystem is mounted, the log replay code will end up deleting the file th

CVE-2025-38441 [MEDIUM] CWE-908 CVE-2025-38441: In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account f In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_t

CVE-2025-38391 [MEDIUM] CWE-125 CVE-2025-38391: In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displaypor In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicate that its pin assignment capabilities are greater than the maximum value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show will caus

CVE-2025-38418 [MEDIUM] CWE-401 CVE-2025-38418: In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory l

CVE-2025-38439 [MEDIUM] CVE-2025-38439: In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len corr In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dm

CVE-2025-38387 [MEDIUM] CWE-476 CVE-2025-38387: In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert The obj_event may be loaded immediately after inserted, then if the list_head is not initialized then we may get a poisonous pointer. This fixes the crash below: mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz