Debian Linux vulnerabilities

CVE-2025-38226 [HIGH] CWE-787 CVE-2025-38226: In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/commo

CVE-2025-38212 [HIGH] CWE-416 CVE-2025-38212: In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookup In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by R

CVE-2025-38180 [HIGH] CWE-416 CVE-2025-38180: In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF.

CVE-2025-38211 [HIGH] CWE-416 CVE-2025-38211: In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free o In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon

CVE-2025-38183 [HIGH] CWE-787 CVE-2025-38183: In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt stat

CVE-2025-38230 [HIGH] CVE-2025-38230: In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/

CVE-2025-38198 [HIGH] CWE-129 CVE-2025-38198: In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not s In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_inf

CVE-2025-38206 [HIGH] CWE-415 CVE-2025-38206: In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delay In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free(

CVE-2025-38229 [MEDIUM] CWE-908 CVE-2025-38229: In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge r In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read

CVE-2025-38193 [MEDIUM] CWE-190 CVE-2025-38193: In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject inva In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc

CVE-2025-38215 [MEDIUM] CWE-476 CVE-2025-38215: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuf In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered whi

CVE-2025-38218 [MEDIUM] CVE-2025-38218: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sit_bitmap_size w/ below testcase, resize will generate a corrupted image which contains inconsistent metadata, so when mounting such image, it will trigger kernel panic: touch img truncate -s $((512*1024*1024*1024)) img mkfs.f2fs -f img $((256*1024*1024))

CVE-2025-38203 [MEDIUM] CWE-476 CVE-2025-38203: In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not ta

CVE-2025-38202 [MEDIUM] CVE-2025-38202: In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_ In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will

CVE-2025-38191 [MEDIUM] CWE-476 CVE-2025-38191: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer derefer In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in destroy_previous_session If client set ->PreviousSessionId on kerberos session setup stage, NULL pointer dereference error will happen. Since sess->user is not set yet, It can pass the user argument as NULL to destroy_previous_session. sess->

CVE-2025-38222 [MEDIUM] CWE-190 CVE-2025-38222: In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL EXT4_I

CVE-2025-38231 [MEDIUM] CWE-476 CVE-2025-38231: In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before lau In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed

CVE-2025-38177 [MEDIUM] CWE-459 CVE-2025-38177: In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check

CVE-2025-38197 [MEDIUM] CWE-476 CVE-2025-38197: In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix lis In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet

CVE-2025-38190 [MEDIUM] CVE-2025-38190: In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert w