Debian Linux vulnerabilities

CVE-2025-38219 [MEDIUM] CVE-2025-38219: In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning du In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full)

CVE-2025-38185 [MEDIUM] CWE-401 CVE-2025-38185: In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid lengt In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, b

CVE-2025-38174 [MEDIUM] CVE-2025-38174: In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequ In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x

CVE-2025-38214 [MEDIUM] CWE-476 CVE-2025-38214: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to preven In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in m

CVE-2025-38181 [MEDIUM] CWE-476 CVE-2025-38181: In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avo

CVE-2025-38194 [MEDIUM] CVE-2025-38194: In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any err

CVE-2025-38225 [MEDIUM] CWE-908 CVE-2025-38225: In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed all

CVE-2025-38200 [MEDIUM] CWE-191 CVE-2025-38200: In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables.

CVE-2025-38184 [MEDIUM] CWE-476 CVE-2025-38184: In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when a In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711

CVE-2025-38103 [HIGH] CWE-125 CVE-2025-38103: In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurren In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors,

CVE-2025-38157 [HIGH] CWE-787 CVE-2025-38157: In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds re

CVE-2025-38159 [HIGH] CWE-125 CVE-2025-38159: In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buf In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { .

CVE-2025-38107 [HIGH] CWE-362 CVE-2025-38107: In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in e In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash |

CVE-2025-38154 [HIGH] CWE-416 CVE-2025-38154: In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_so In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. R

CVE-2025-38146 [HIGH] CWE-129 CVE-2025-38146: In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead loop of MPLS parse The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally. stack backtrace: UBSAN: array-index-out-of-b

CVE-2025-38131 [HIGH] CWE-416 CVE-2025-38131: In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate a In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load modu

CVE-2025-38118 [HIGH] CWE-416 CVE-2025-38118: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgm In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at

CVE-2025-38153 [HIGH] CWE-125 CVE-2025-38153: In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error han In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error handling of usbnet read calls Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: as

CVE-2025-38111 [HIGH] CWE-125 CVE-2025-38111: In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out- In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currentl

CVE-2025-38108 [HIGH] CWE-362 CVE-2025-38108: In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in _ In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]