Debian Linux vulnerabilities

CVE-2025-38313 [HIGH] CWE-415 CVE-2025-38313: In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to

CVE-2025-38336 [MEDIUM] CVE-2025-38336: In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for AT In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system when doing ATAPI DMAs without any trace of what happened. Depending on the device attached, it can also prevent the system from booting. In this case, the system ha

CVE-2025-38328 [MEDIUM] CWE-476 CVE-2025-38328: In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handl

CVE-2025-38273 [MEDIUM] CVE-2025-38273: In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup. The recently added get_net

CVE-2025-38319 [MEDIUM] CWE-476 CVE-2025-38319: In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to ret

CVE-2025-38345 [MEDIUM] CWE-401 CVE-2025-38345: In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function

CVE-2025-38324 [MEDIUM] CVE-2025-38324: In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl( In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence

CVE-2025-38334 [MEDIUM] CWE-754 CVE-2025-38334: In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to re In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poiso

CVE-2025-38347 [MEDIUM] CVE-2025-38347: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-

CVE-2025-38293 [MEDIUM] CVE-2025-38293: In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corrupti In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still poin

CVE-2025-38310 [MEDIUM] CVE-2025-38310: In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by v

CVE-2025-38326 [MEDIUM] CVE-2025-38326: In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in ao In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which

CVE-2025-38285 [MEDIUM] CWE-617 CVE-2025-38285: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_ In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_tp_regs syzkaller reported an issue: WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzk

CVE-2025-38275 [MEDIUM] CWE-476 CVE-2025-38275: In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypas

CVE-2025-38304 [MEDIUM] CWE-476 CVE-2025-38304: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer def In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.

CVE-2025-38337 [MEDIUM] CWE-476 CVE-2025-38337: In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-pt In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: BUG: KCSAN: d

CVE-2025-38331 [MEDIUM] CVE-2025-38331: In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "TOE/TSO" offloader and it will handle them. Without this quirk the driver becomes unstable and lock up and and crash. I

CVE-2025-38300 [MEDIUM] CWE-401 CVE-2025-38300: In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix e In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To

CVE-2025-38322 [MEDIUM] CVE-2025-38322: In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in ic In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision

CVE-2025-38344 [MEDIUM] CWE-401 CVE-2025-38344: In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and pars In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort case