Debian Linux vulnerabilities

CVE-2025-38345 [MEDIUM] CWE-401 CVE-2025-38345: In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function

CVE-2025-38324 [MEDIUM] CVE-2025-38324: In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl( In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence

CVE-2025-38334 [MEDIUM] CWE-754 CVE-2025-38334: In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to re In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poiso

CVE-2025-38347 [MEDIUM] CVE-2025-38347: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-

CVE-2025-38293 [MEDIUM] CVE-2025-38293: In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corrupti In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still poin

CVE-2025-38310 [MEDIUM] CVE-2025-38310: In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by v

CVE-2025-38326 [MEDIUM] CVE-2025-38326: In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in ao In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which

CVE-2025-38285 [MEDIUM] CWE-617 CVE-2025-38285: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_ In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_tp_regs syzkaller reported an issue: WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzk

CVE-2025-38275 [MEDIUM] CWE-476 CVE-2025-38275: In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypas

CVE-2025-38304 [MEDIUM] CWE-476 CVE-2025-38304: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer def In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA.

CVE-2025-38337 [MEDIUM] CWE-476 CVE-2025-38337: In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-pt In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: BUG: KCSAN: d

CVE-2025-38331 [MEDIUM] CVE-2025-38331: In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "TOE/TSO" offloader and it will handle them. Without this quirk the driver becomes unstable and lock up and and crash. I

CVE-2025-38300 [MEDIUM] CWE-401 CVE-2025-38300: In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix e In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To

CVE-2025-38322 [MEDIUM] CVE-2025-38322: In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in ic In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision

CVE-2025-38344 [MEDIUM] CWE-401 CVE-2025-38344: In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and pars In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort case

CVE-2025-38305 [MEDIUM] CVE-2025-38305: In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks chec In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use()

CVE-2025-38335 [MEDIUM] CWE-667 CVE-2025-38335: In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleepin

CVE-2025-38277 [MEDIUM] CWE-908 CVE-2025-38277: In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user s

CVE-2025-38332 [MEDIUM] CVE-2025-38332: In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BI In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ens

CVE-2025-38282 [MEDIUM] CVE-2025-38282: In the Linux kernel, the following vulnerability has been resolved: kernfs: Relax constraint in dra In the Linux kernel, the following vulnerability has been resolved: kernfs: Relax constraint in draining guard The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanis