Debian Linux vulnerabilities

CVE-2025-39911 [HIGH] CVE-2025-39911: In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_v In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free th

CVE-2025-39913 [HIGH] CVE-2025-39913: In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Call sk_msg_free() whe In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. syzbot reported the splat below. [0] The repro does the following: 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes) 2. Attach the prog to a SOCKMAP 3. Add a socket to the SOCKMAP 4.

CVE-2025-39891 [HIGH] CVE-2025-39891: In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the c In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg

CVE-2025-39923 [MEDIUM] CVE-2025-39923: In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: bam_dma: Fix D In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees When we don't have a clock specified in the device tree, we have no way to ensure the BAM is on. This is often the case for remotely-controlled or remotely-powered BAM instances. In this case, we need to read num-channel

CVE-2025-39920 [MEDIUM] CWE-476 CVE-2025-39920: In the Linux kernel, the following vulnerability has been resolved: pcmcia: Add error handling for In the Linux kernel, the following vulnerability has been resolved: pcmcia: Add error handling for add_interval() in do_validate_mem() In the do_validate_mem(), the call to add_interval() does not handle errors. If kmalloc() fails in add_interval(), it could result in a null pointer being inserted into the linked list, leading to illegal memory acc

CVE-2025-39914 [MEDIUM] CWE-415 CVE-2025-39914: In the Linux kernel, the following vulnerability has been resolved: tracing: Silence warning when c In the Linux kernel, the following vulnerability has been resolved: tracing: Silence warning when chunk allocation fails in trace_pid_write Syzkaller trigger a fault injection warning: WARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0 Modules linked in: CPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0 Ta

CVE-2025-39907 [MEDIUM] CVE-2025-39907: In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Avoid below overlapping mappings by using a contiguous non-cacheable buffer. [ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST, overlapping mappings aren't supported [ 4.089103] WARNI

CVE-2025-39902 [MEDIUM] CWE-476 CVE-2025-39902: In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid accessing metada In the Linux kernel, the following vulnerability has been resolved: mm/slub: avoid accessing metadata when pointer is invalid in object_err() object_err() reports details of an object for further debugging, such as the freelist pointer, redzone, etc. However, if the pointer is invalid, attempting to access object metadata can lead to a crash since

CVE-2025-39916 [MEDIUM] CWE-369 CVE-2025-39916: In the Linux kernel, the following vulnerability has been resolved: mm/damon/reclaim: avoid divide- In the Linux kernel, the following vulnerability has been resolved: mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() When creating a new scheme of DAMON_RECLAIM, the calculation of 'min_age_region' uses 'aggr_interval' as the divisor, which may lead to division-by-zero errors. Fix it by directly returning -EINVAL when suc

CVE-2025-39909 [MEDIUM] CWE-369 CVE-2025-39909: In the Linux kernel, the following vulnerability has been resolved: mm/damon/lru_sort: avoid divide In the Linux kernel, the following vulnerability has been resolved: mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters() Patch series "mm/damon: avoid divide-by-zero in DAMON module's parameters application". DAMON's RECLAIM and LRU_SORT modules perform no validation on user-configured parameters during application, which

CVE-2025-39894 [MEDIUM] CVE-2025-39894: In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm When send a broadcast packet to a tap device, which was added to a bridge, br_nf_local_in() is called to confirm the conntrack. If another conntrack with the same hash value is added to the hash table, w

CVE-2025-41244 [HIGH] CWE-267 CVE-2025-41244: VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malici VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.

CVE-2025-39870 [HIGH] CWE-415 CVE-2025-39870: In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double fre In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix double free in idxd_setup_wqs() The clean up in idxd_setup_wqs() has had a couple bugs because the error handling is a bit subtle. It's simpler to just re-write it in a cleaner way. The issues here are: 1) If "idxd->max_wqs" is <= 0 then we call put_device(conf

CVE-2025-39869 [HIGH] CWE-125 CVE-2025-39869: In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allo

CVE-2025-39880 [HIGH] CWE-704 CVE-2025-39880: In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses t In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.a

CVE-2025-39873 [HIGH] CWE-416 CVE-2025-39873: In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_fra In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb()

CVE-2025-39877 [HIGH] CWE-416 CVE-2025-39877: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-f In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-free in state_show() state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); da

CVE-2025-39881 [HIGH] CWE-416 CVE-2025-39881: In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when open file is released A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism: BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task sys

CVE-2025-39883 [HIGH] CWE-125 CVE-2025-39883: In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_O In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPT

CVE-2025-39885 [MEDIUM] CWE-667 CVE-2025-39885: In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:69