Debian Linux vulnerabilities

CVE-2025-38194 [MEDIUM] CVE-2025-38194: In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any err

CVE-2025-38225 [MEDIUM] CWE-908 CVE-2025-38225: In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed all

CVE-2025-38200 [MEDIUM] CWE-191 CVE-2025-38200: In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables.

CVE-2025-38184 [MEDIUM] CWE-476 CVE-2025-38184: In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when a In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711

CVE-2025-38103 [HIGH] CWE-125 CVE-2025-38103: In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurren In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors,

CVE-2025-38157 [HIGH] CWE-787 CVE-2025-38157: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds re

CVE-2025-38159 [HIGH] CWE-125 CVE-2025-38159: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buf In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { .

CVE-2025-38107 [HIGH] CWE-362 CVE-2025-38107: In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in e In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash |

CVE-2025-38154 [HIGH] CWE-416 CVE-2025-38154: In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_so In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. R

CVE-2025-38146 [HIGH] CWE-129 CVE-2025-38146: In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead loop of MPLS parse The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally. stack backtrace: UBSAN: array-index-out-of-b

CVE-2025-38131 [HIGH] CWE-416 CVE-2025-38131: In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate a In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load modu

CVE-2025-38118 [HIGH] CWE-416 CVE-2025-38118: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgm In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at

CVE-2025-38153 [HIGH] CWE-125 CVE-2025-38153: In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error han In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error handling of usbnet read calls Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: as

CVE-2025-38111 [HIGH] CWE-125 CVE-2025-38111: In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out- In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currentl

CVE-2025-38108 [HIGH] CWE-362 CVE-2025-38108: In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in _ In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]

CVE-2025-38102 [HIGH] CWE-362 CVE-2025-38102: In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_hos In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked i

CVE-2025-38135 [MEDIUM] CWE-476 CVE-2025-38135: In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr- In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr-deref in mlb_usio_probe() devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue.

CVE-2025-38167 [MEDIUM] CWE-476 CVE-2025-38167: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle hdr_first_de() In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle hdr_first_de() return value The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently. Addi

CVE-2025-38151 [MEDIUM] CVE-2025-38151: In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_net In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work

CVE-2025-38166 [MEDIUM] CVE-2025-38166: In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockma In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.94