Debian Linux vulnerabilities
9,936 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,936
CISA KEV: 121 (actively exploited)
Public exploits: 431
Exploited in wild: 132
Severity breakdown: CRITICAL 1129, HIGH 4133, MEDIUM 4311, LOW 363
Vulnerabilities
Page 19 of 497
CVE-2025-38305 [MEDIUM] CVSS 5.5, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
There is no disagreement that we should check both ptp->is_virtual_clock
and ptp->n_vclocks to check if the ptp virtual clock is in use.
However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in
ptp_vclock_in_use()
nvd
CVE-2025-38335 [MEDIUM] CVSS 5.5, CWE-667, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT
When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in
hard irq context, but the input_event() takes a spin_lock, which isn't
allowed there as it is converted to a rt_spin_lock().
[ 4054.289999] BUG: sleepin
nvd
CVE-2025-38277 [MEDIUM] CVSS 5.5, CWE-908, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
If ctx->steps is zero, the loop processing ECC steps is skipped,
and the variable ret remains uninitialized. It is later checked
and returned, which leads to undefined behavior and may cause
unpredictable results in user s
nvd
CVE-2025-38332 [MEDIUM] CVSS 5.5, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Use memcpy() for BIOS version
The strlcat() with FORTIFY support is triggering a panic because it
thinks the target buffer will overflow although the correct target
buffer size is passed in.
Anyway, instead of memset() with 0 followed by a strlcat(), just use
memcpy() and ens
nvd
CVE-2025-38282 [MEDIUM] CVSS 5.5, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Relax constraint in draining guard
The active reference lifecycle provides the break/unbreak mechanism but
the active reference is not truly active after unbreak -- callers don't
use it afterwards but it's important for proper pairing of kn->active
counting. Assuming this mechanis
nvd
CVE-2025-38312 [MEDIUM] CVSS 5.5, CWE-369, v11.0, 2025-07-10
In the Linux kernel, the following vulnerability has been resolved:
fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
then passed to fb_cvt_hperiod(), where it's used as a divider -- divisi
nvd
CVE-2025-38259 [HIGH] CVSS 7.8, CWE-416, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
ASoC: codecs: wcd9335: Fix missing free of regulator supplies
Driver gets and enables all regulator supplies in probe path
(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup
in final error paths and in unbind (missing remove() callback). This
leads to leaked mem
nvd
CVE-2025-38249 [HIGH] CVSS 7.1, CWE-125, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
In snd_usb_get_audioformat_uac3(), the length value returned from
snd_usb_ctl_msg() is used directly for memory allocation without
validation. This length is controlled by the USB device.
The allocated buffer
nvd
CVE-2025-38257 [HIGH] CVSS 7.8, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
s390/pkey: Prevent overflow in size calculation for memdup_user()
Number of apqn target list entries contained in 'nr_apqns' variable is
determined by userspace via an ioctl call so the result of the product in
calculation of size passed to memdup_user() may overflow.
In this case the actua
nvd
CVE-2025-38245 [HIGH] CVSS 7.8, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
syzbot reported a warning below during atm_dev_register(). [0]
Before creating a new device and procfs/sysfs for it, atm_dev_register()
looks up a duplicated device by __atm_dev_lookup(). These operations are
done un
nvd
CVE-2025-38239 [HIGH] CVSS 7.8, CWE-129, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
scsi: megaraid_sas: Fix invalid node index
On a system with DRAM interleave enabled, out-of-bound access is
detected:
megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in ./arch/x86/include
nvd
CVE-2025-38263 [MEDIUM] CVSS 5.5, CWE-476, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
bcache: fix NULL pointer in cache_set_flush()
1. LINE#1794 - LINE#1887 is some codes about function of
bch_cache_set_alloc().
2. LINE#2078 - LINE#2142 is some codes about function of
register_cache_set().
3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.
1794
nvd
CVE-2025-38251 [MEDIUM] CVSS 5.5, CWE-476, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
atm: clip: prevent NULL deref in clip_push()
Blamed commit missed that vcc_destroy_socket() calls
clip_push() with a NULL skb.
If clip_devs is NULL, clip_push() then crashes when reading
skb->truesize.
nvd
CVE-2025-38260 [MEDIUM] CVSS 5.5, CWE-476, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
btrfs: handle csum tree error with rescue=ibadroots correctly
[BUG]
There is syzbot based reproducer that can crash the kernel, with the
following call trace: (With some debug output added)
DEBUG: rescue=ibadroots parsed
BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 dev
nvd
CVE-2025-38262 [MEDIUM] CVSS 5.5, CWE-476, v11.0, 2025-07-09
In the Linux kernel, the following vulnerability has been resolved:
tty: serial: uartlite: register uart driver in init
When two instances of uart devices are probing, a concurrency race can
occur. If one thread calls uart_register_driver function, which first
allocates and assigns memory to 'uart_state' member of uart_driver
structure, the other
nvd
CVE-2025-38236 [HIGH] CVSS 7.8, CWE-416, v11.0, 2025-07-08
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Don't leave consecutive consumed OOB skbs.
Jann Horn reported a use-after-free in unix_stream_read_generic().
The following sequences reproduce the issue:
$ python3
from socket import *
s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
s1.send(b'x', MSG_OOB)
s2.recv(1, MSG_OOB) #
nvd
CVE-2025-48384 [HIGH] CVSS 8.0, KEV, CWE-59, v11.0, 2025-07-08
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost
nvd
CVE-2025-38237 [MEDIUM] CVSS 5.5, v11.0, 2025-07-08
In the Linux kernel, the following vulnerability has been resolved:
media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode()
In fimc_is_hw_change_mode(), the function changes camera modes without
waiting for hardware completion, risking corrupted data or system hangs
if subsequent operations proceed before the hardware is ready.
Ad
nvd
CVE-2025-38204 [HIGH] CVSS 7.1, CWE-125, v11.0, 2025-07-04
In the Linux kernel, the following vulnerability has been resolved:
jfs: fix array-index-out-of-bounds read in add_missing_indices
stbl is s8 but it must contain offsets into slot which can go from 0 to
127.
Added a bound check for that error and return -EIO if the check fails.
Also make jfs_readdir return with error if add_missing_indices returns
nvd
CVE-2025-38227 [HIGH] CVSS 7.8, CWE-416, v11.0, 2025-07-04
In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: Terminating the subsequent process of initialization failure
syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1]
After PSI initialization fails, the si member is accessed again, resulting
in this uaf.
After si initialization fails, the subsequent proces
nvd