Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV (actively exploited): 119
Public exploits: 429
Exploited in wild: 132
Severity breakdown: CRITICAL 1128, HIGH 4110, MEDIUM 4311, LOW 362

Vulnerabilities

Page 20 of 496
CVE-2025-38230 HIGH CVSS 7.8 v11.0 2025-07-04
CVE-2025-38230 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/
nvd
CVE-2025-38198 HIGH CVSS 7.8 v11.0 2025-07-04
CVE-2025-38198 [HIGH] CWE-129: In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_inf
nvd
CVE-2025-38206 HIGH CVSS 7.8 v11.0 2025-07-04
CVE-2025-38206 [HIGH] CWE-415: In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free(
nvd
CVE-2025-38229 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38229 [MEDIUM] CWE-908: In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read
nvd
CVE-2025-38193 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38193 [MEDIUM] CWE-190: In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc
nvd
CVE-2025-38215 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38215 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered whi
nvd
CVE-2025-38218 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38218 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sit_bitmap_size w/ below testcase, resize will generate a corrupted image which contains inconsistent metadata, so when mounting such image, it will trigger kernel panic: touch img truncate -s $((512*1024*1024*1024)) img mkfs.f2fs -f img $((256*1024*1024))
nvd
CVE-2025-38203 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38203 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not ta
nvd
CVE-2025-38202 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38202 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will
nvd
CVE-2025-38191 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38191 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in destroy_previous_session If client set ->PreviousSessionId on kerberos session setup stage, NULL pointer dereference error will happen. Since sess->user is not set yet, It can pass the user argument as NULL to destroy_previous_session. sess->
nvd
CVE-2025-38222 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38222 [MEDIUM] CWE-190: In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL EXT4_I
nvd
CVE-2025-38231 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38231 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed
nvd
CVE-2025-38177 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38177 [MEDIUM] CWE-459: In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check
nvd
CVE-2025-38197 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38197 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet
nvd
CVE-2025-38190 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38190 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert w
nvd
CVE-2025-38219 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38219 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)
nvd
CVE-2025-38185 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38185 [MEDIUM] CWE-401: In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, b
nvd
CVE-2025-38174 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38174 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x
nvd
CVE-2025-38214 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38214 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in m
nvd
CVE-2025-38181 MEDIUM CVSS 5.5 v11.0 2025-07-04
CVE-2025-38181 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avo
nvd