Debian Linux vulnerabilities

CVE-2025-37997 [MEDIUM] CWE-667 CVE-2025-37997: In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region lo In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_regi

CVE-2025-37992 [MEDIUM] CWE-476 CVE-2025-37992: In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list t In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->l

CVE-2025-3887 [HIGH] CWE-121 CVE-2025-3887: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This v GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw

CVE-2025-37903 [HIGH] CWE-416 CVE-2025-37903: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-a In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are fre

CVE-2025-37892 [HIGH] CVE-2025-37892: In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_re

CVE-2025-37921 [HIGH] CVE-2025-37921: In the Linux kernel, the following vulnerability has been resolved: vxlan: vnifilter: Fix unlocked In the Linux kernel, the following vulnerability has been resolved: vxlan: vnifilter: Fix unlocked deletion of default FDB entry When a VNI is deleted from a VXLAN device in 'vnifilter' mode, the FDB entry associated with the default remote (assuming one was configured) is deleted without holding the hash lock. This is wrong and will result in a warning [1]

CVE-2025-37979 [HIGH] CWE-787 CVE-2025-37979: In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix sc7280 lpass po In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix sc7280 lpass potential buffer overflow Case values introduced in commit 5f78e1fb7a3e ("ASoC: qcom: Add driver support for audioreach solution") cause out of bounds access in arrays of sc7280 driver data (e.g. in case of RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()).

CVE-2025-37928 [HIGH] CVE-2025-37928: In the Linux kernel, the following vulnerability has been resolved: dm-bufio: don't schedule in ato In the Linux kernel, the following vulnerability has been resolved: dm-bufio: don't schedule in atomic context A BUG was reported as below when CONFIG_DEBUG_ATOMIC_SLEEP and try_verify_in_tasklet are enabled. [ 129.444685][ T934] BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2421 [ 129.444723][ T934] in_atomic(): 1, irqs_disabl

CVE-2025-37991 [HIGH] CWE-415 CVE-2025-37991: In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a

CVE-2025-37913 [HIGH] CWE-415 CVE-2025-37913: In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the sam

CVE-2025-37923 [HIGH] CWE-787 CVE-2025-37923: In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace In the Linux kernel, the following vulnerability has been resolved: tracing: Fix oob write in trace_seq_to_buffer() syzbot reported this bug: BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline] BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822 Write of size 4507 at a

CVE-2025-37927 [HIGH] CWE-787 CVE-2025-37927: In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid There is a string parsing logic error which can lead to an overflow of hid or uid buffers. Comparing ACPIID_LEN against a total string length doesn't take into account the lengths of individual hid and uid buffers so the

CVE-2025-37914 [HIGH] CWE-415 CVE-2025-37914: In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: Fix double list In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of ets, there won't be a UAF, but the code will add the sam

CVE-2025-37924 [HIGH] CWE-416 CVE-2025-37924: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ke In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd

CVE-2025-37947 [HIGH] CWE-787 CVE-2025-37947: In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds st In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating *pos ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds m

CVE-2025-37930 [MEDIUM] CWE-617 CVE-2025-37930: In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: Fix WARN_ON in nou In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (r

CVE-2025-37911 [MEDIUM] CWE-125 CVE-2025-37911: In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix out-of-bound memcp In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix out-of-bound memcpy() during ethtool -w When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption: BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! !

CVE-2025-37909 [MEDIUM] CWE-401 CVE-2025-37909: In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak

CVE-2025-37953 [MEDIUM] CWE-476 CVE-2025-37953: In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_

CVE-2025-37958 [MEDIUM] CWE-476 CVE-2025-37958: In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferenci In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the P