Debian Linux vulnerabilities

9,911 known vulnerabilities affecting debian/debian_linux.

Total CVEs: 9,911
CISA KEV: 119 (actively exploited)
Public exploits: 395
Exploited in wild: 132
Severity breakdown: CRITICAL 1128 | HIGH 4110 | MEDIUM 4311 | LOW 362

Vulnerabilities

Page 3 of 496
CVE-2025-39876 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-23
CVE-2025-39876 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev.
nvd
CVE-2025-39849 | HIGH | CVSS 7.8 | v11.0 | 2025-09-19
CVE-2025-39849 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking.
nvd
CVE-2025-39853 | HIGH | CVSS 7.1 | v11.0 | 2025-09-19
CVE-2025-39853 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty
list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead
nvd
CVE-2025-39839 | HIGH | CVSS 7.1 | v11.0 | 2025-09-19
CVE-2025-39839 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode
batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds
nvd
CVE-2025-39841 | HIGH | CVSS 7.8 | v11.0 | 2025-09-19
CVE-2025-39841 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path
Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., A
nvd
CVE-2025-39864 | HIGH | CVSS 7.8 | v11.0 | 2025-09-19
CVE-2025-39864 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding
nvd
CVE-2025-39866 | HIGH | CVSS 7.8 | v11.0 | 2025-09-19
CVE-2025-39866 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty()
An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv
nvd
CVE-2025-39860 | HIGH | CVSS 7.8 | v11.0 | 2025-09-19
CVE-2025-39860 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by th
nvd
CVE-2025-39844 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39844 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h
During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supe
nvd
CVE-2025-39842 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39842 [MEDIUM]: In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal inode after journal shutdown
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_r
nvd
CVE-2025-39865 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39865 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to
nvd
CVE-2025-39843 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39843 [MEDIUM] CWE-667: In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd in set_track_prepare
set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_pre
nvd
CVE-2025-39857 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39857 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=O
nvd
CVE-2025-39848 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39848 [MEDIUM] CWE-401: In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs o
nvd
CVE-2025-39846 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39846 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference
nvd
CVE-2025-39847 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39847 [MEDIUM] CWE-401: In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb
If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference
nvd
CVE-2025-39838 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39838 [MEDIUM] CWE-476: In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL pointer dereference in UTF16 conversion
There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from
nvd
CVE-2025-39845 | MEDIUM | CVSS 5.5 | v11.0 | 2025-09-19
CVE-2025-39845 [MEDIUM] CWE-401: In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pg
nvd
CVE-2025-39835 | HIGH | CVSS 7.8 | v11.0 | 2025-09-16
CVE-2025-39835 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code
ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found. However, a medium error from disk may also return ENODATA. At best, this medium error may escape
nvd
CVE-2025-39817 | HIGH | CVSS 7.1 | v11.0 | 2025-09-16
CVE-2025-39817 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu
nvd