Debian Linux vulnerabilities

CVE-2025-39873 [HIGH] CWE-416 CVE-2025-39873: In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_fra In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb()

CVE-2025-39877 [HIGH] CWE-416 CVE-2025-39877: In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-f In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-free in state_show() state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); da

CVE-2025-39881 [HIGH] CWE-416 CVE-2025-39881: In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when In the Linux kernel, the following vulnerability has been resolved: kernfs: Fix UAF in polling when open file is released A use-after-free (UAF) vulnerability was identified in the PSI (Pressure Stall Information) monitoring mechanism: BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140 Read of size 8 at addr ffff3de3d50bd308 by task sys

CVE-2025-39883 [HIGH] CWE-125 CVE-2025-39883: In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_O In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPT

CVE-2025-39885 [MEDIUM] CWE-667 CVE-2025-39885: In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:69

CVE-2025-39876 [MEDIUM] CWE-476 CVE-2025-39876: In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in f In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev.

CVE-2025-39849 [HIGH] CWE-787 CVE-2025-39849: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID l In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result() If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would lead to memory corruption so add some bounds checking.

CVE-2025-39853 [HIGH] CWE-125 CVE-2025-39853: In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid acc In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead

CVE-2025-39839 [HIGH] CWE-125 CVE-2025-39839: In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds

CVE-2025-39841 [HIGH] CWE-787 CVE-2025-39841: In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/cle In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., A

CVE-2025-39864 [HIGH] CWE-416 CVE-2025-39864: In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-f In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding

CVE-2025-39866 [HIGH] CWE-416 CVE-2025-39866: In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-fr In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv

CVE-2025-39860 [HIGH] CWE-416 CVE-2025-39860: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free i In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by th

CVE-2025-39844 [MEDIUM] CVE-2025-39844: In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declar In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supe

CVE-2025-39842 [MEDIUM] CVE-2025-39842: In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal In the Linux kernel, the following vulnerability has been resolved: ocfs2: prevent release journal inode after journal shutdown Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already been executed in ocfs2_dismount_volume(), so osb->journal must be NULL. Therefore, the following calltrace will inevitably fail when it reaches jbd2_journal_r

CVE-2025-39865 [MEDIUM] CWE-476 CVE-2025-39865: In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereferen In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to

CVE-2025-39843 [MEDIUM] CWE-667 CVE-2025-39843: In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd in set_track_prepare set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_pre

CVE-2025-39857 [MEDIUM] CWE-476 CVE-2025-39857: In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer d In the Linux kernel, the following vulnerability has been resolved: net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync() BUG: kernel NULL pointer dereference, address: 00000000000002ec PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE Tainted: [O]=O

CVE-2025-39848 [MEDIUM] CWE-401 CVE-2025-39848: In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs o

CVE-2025-39846 [MEDIUM] CWE-476 CVE-2025-39846: In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dere In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference