Debian Linux vulnerabilities

CVE-2025-38067 [MEDIUM] CVE-2025-38067: In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registrat In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs

CVE-2025-38074 [MEDIUM] CVE-2025-38074: In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_use In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables v

CVE-2025-38072 [MEDIUM] CWE-908 CVE-2025-38072: In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide er In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divid

CVE-2025-38044 [MEDIUM] CVE-2025-38044: In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get a WARN_ON instead). Not seen before since currently 417 support is disabled, but I found this while experimenting with

CVE-2025-38071 [MEDIUM] CVE-2025-38071: In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from memblock_phys_alloc_range() At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_ph

CVE-2025-38034 [MEDIUM] CWE-476 CVE-2025-38034: In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of pre In the Linux kernel, the following vulnerability has been resolved: btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs

CVE-2025-38018 [MEDIUM] CWE-476 CVE-2025-38018: In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so t

CVE-2025-38063 [MEDIUM] CVE-2025-38063: In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO thrott In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar proble

CVE-2025-38004 [HIGH] CWE-125 CVE-2025-38004: In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_o In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although thi

CVE-2025-38003 [MEDIUM] CVE-2025-38003: In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the

CVE-2025-38000 [HIGH] CWE-416 CVE-2025-38000: In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting b In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this

CVE-2025-38001 [MEDIUM] CWE-835 CVE-2025-38001: In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentr In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks

CVE-2025-48432 [MEDIUM] CWE-117 CVE-2025-48432: An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Intern An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

CVE-2025-49113 [HIGH] CWE-502 CVE-2025-49113: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticate Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

CVE-2024-54028 [HIGH] CWE-191 CVE-2024-54028: An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0 An integer underflow vulnerability exists in the OLE Document DIFAT Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2024-52035 [HIGH] CWE-190 CVE-2024-52035: An integer overflow vulnerability exists in the OLE Document File Allocation Table Parser functional An integer overflow vulnerability exists in the OLE Document File Allocation Table Parser functionality of catdoc 0.95. A specially crafted malformed file can lead to heap-based memory corruption. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2025-4598 [MEDIUM] CWE-364 CVE-2025-4598: A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type o

CVE-2025-37998 [MEDIUM] CVE-2025-37998: In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribu In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed.

CVE-2025-37994 [MEDIUM] CWE-476 CVE-2025-37994: In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal.

CVE-2025-37995 [MEDIUM] CWE-824 CVE-2025-37995: In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module