Debian Linux vulnerabilities
9,936 known vulnerabilities affecting debian/debian_linux.
Total CVEs: 9,936
CISA KEV: 121 (actively exploited)
Public exploits: 431
Exploited in wild: 132
Severity breakdown
CRITICAL: 1129, HIGH: 4133, MEDIUM: 4311, LOW: 363
Vulnerabilities
Page 25 of 497
CVE-2025-38078 [MEDIUM] CVSS 4.7 | CWE-362 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
ALSA: pcm: Fix race of buffer access at PCM OSS layer
The PCM OSS layer tries to clear the buffer with the silence data at
initialization (or reconfiguration) of a stream with the explicit call
of snd_pcm_format_set_silence() with runtime->dma_area. But this may
lead to a UAF becau
nvd
CVE-2025-38035 [MEDIUM] CVSS 5.5 | CWE-476 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
nvmet-tcp: don't restore null sk_state_change
queue->state_change is set as part of nvmet_tcp_set_queue_sock(), but if
the TCP connection isn't established when nvmet_tcp_set_queue_sock() is
called then queue->state_change isn't set and sock->sk->sk_state_change
isn't replaced.
As
nvd
CVE-2025-38062 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie
The IOMMU translation for MSI message addresses has been a 2-step process,
separated in time:
1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address
is stored in the MSI descriptor when an MSI
nvd
CVE-2025-38023 [MEDIUM] CVSS 5.5 | CWE-476 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
nfs: handle failure of nfs_get_lock_context in unlock path
When memory is insufficient, the allocation of nfs_lock_context in
nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat
an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)
as valid
nvd
CVE-2025-38007 [MEDIUM] CVSS 5.5 | CWE-476 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
HID: uclogic: Add NULL check in uclogic_input_configured()
devm_kasprintf() returns NULL when memory allocation fails. Currently,
uclogic_input_configured() does not check for this case, which results
in a NULL pointer dereference.
Add NULL check after devm_kasprintf() to prevent
nvd
CVE-2025-38067 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
rseq: Fix segfault on registration when rseq_cs is non-zero
The rseq_cs field is documented as being set to 0 by user-space prior to
registration, however this is not currently enforced by the kernel. This
can result in a segfault on return to user-space if the value stored in
the rseq_cs
nvd
CVE-2025-38074 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
vhost-scsi: protect vq->log_used with vq->mutex
The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.
vhost-thread QEMU-thread
vhost_scsi_complete_cmd_work()
-> vhost_add_used()
-> vhost_add_used_n()
if (unlikely(vq->log_used))
QEMU disables v
nvd
CVE-2025-38072 [MEDIUM] CVSS 5.5 | CWE-908 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
libnvdimm/labels: Fix divide error in nd_label_data_init()
If a faulty CXL memory device returns a broken zero LSA size in its
memory device information (Identify Memory Device (Opcode 4000h), CXL
spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm
driver:
Oops: divid
nvd
CVE-2025-38044 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
media: cx231xx: set device_caps for 417
The video_device for the MPEG encoder did not set device_caps.
Add this, otherwise the video device can't be registered (you get a
WARN_ON instead).
Not seen before since currently 417 support is disabled, but I found
this while experimenting with
nvd
CVE-2025-38071 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
x86/mm: Check return value from memblock_phys_alloc_range()
At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of
contiguous free memory available at this point, the kernel will crash
and burn because memblock_phys_alloc_range() returns 0 on failure,
which leads memblock_ph
nvd
CVE-2025-38034 [MEDIUM] CVSS 5.5 | CWE-476 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
btrfs_prelim_ref() calls the old and new reference variables in the
incorrect order. This causes a NULL pointer dereference because oldref
is passed as NULL to trace_btrfs_prelim_ref_insert().
Note, trace_btrfs
nvd
CVE-2025-38018 [MEDIUM] CVSS 5.5 | CWE-476 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
net/tls: fix kernel panic when alloc_page failed
We cannot set frag_list to NULL pointer when alloc_page failed.
It will be used in tls_strp_check_queue_ok when the next time
tls_strp_read_sock is called.
This is because we don't reset full_len in tls_strp_flush_anchor_copy()
so t
nvd
CVE-2025-38063 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-18
In the Linux kernel, the following vulnerability has been resolved:
dm: fix unconditional IO throttle caused by REQ_PREFLUSH
When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush()
generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC,
which causes the flush_bio to be throttled by wbt_wait().
An example from v5.4, similar proble
nvd
CVE-2025-38004 [HIGH] CVSS 7.1 | CWE-125 | v11.0 | 2025-06-08
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: add locking for bcm_op runtime updates
The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via
hrtimer. The content and also the length of the sequence can be changed
resp reduced at runtime where the 'currframe' counter is then set to zero.
Although thi
nvd
CVE-2025-38003 [MEDIUM] CVSS 5.5 | v11.0 | 2025-06-08
In the Linux kernel, the following vulnerability has been resolved:
can: bcm: add missing rcu read protection for procfs content
When the procfs content is generated for a bcm_op which is in the process
to be removed the procfs output might show unreliable data (UAF).
As the removal of bcm_op's is already implemented with rcu handling this
patch adds the
nvd
CVE-2025-38000 [HIGH] CVSS 7.8 | CWE-416 | v11.0 | 2025-06-06
In the Linux kernel, the following vulnerability has been resolved:
sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch->q.qlen and
sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this
nvd
CVE-2025-38001 [MEDIUM] CVSS 5.5 | CWE-835 | v11.0, v12.0 | 2025-06-06
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
Savino says:
"We are writing to report that this recent patch
(141d34391abbb315d68556b7c67ad97885407547) [1]
can be bypassed, and a UAF can still occur when HFSC is utilized with
NETEM.
The patch only checks
nvd
CVE-2025-48432 [MEDIUM] CVSS 5.3 | CWE-117 | v11.0 | 2025-06-05
An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
nvd
CVE-2025-49113 [HIGH] CVSS 8.8 | KEV | PoC | CWE-502 | v11.0 | 2025-06-02
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
nvd
CVE-2024-54028 [HIGH] CVSS 7.8 | CWE-191 | v11.0 | 2025-06-02
An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.
nvd