Debian Linux vulnerabilities

CVE-2025-39806 [HIGH] CWE-125 CVE-2025-39806: In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-o In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x2

CVE-2025-39826 [HIGH] CWE-416 CVE-2025-39826: In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field to refcount_t The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh

CVE-2025-39823 [HIGH] CWE-129 CVE-2025-39823: In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospe In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.

CVE-2025-39824 [HIGH] CWE-416 CVE-2025-39824: In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAI In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are pr

CVE-2025-39828 [HIGH] CVE-2025-39828: In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_

CVE-2025-39819 [MEDIUM] CVE-2025-39819: In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt update A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such inconsistent update could lead to possible resource leaks. Why it is a possible bug: 1. In the comment section of the function, it clearly states that the referenc

CVE-2025-39812 [MEDIUM] CWE-908 CVE-2025-39812: In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in sctp_v6_from_sk() syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo. BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr

CVE-2025-39825 [MEDIUM] CWE-362 CVE-2025-39825: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with conc In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with concurrent opens in rename(2) Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them f

CVE-2025-39808 [MEDIUM] CVE-2025-39808: In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to h In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xfffffff

CVE-2025-39813 [MEDIUM] CWE-362 CVE-2025-39813: In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning i In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race condition. The issue occurs because: CPU0 (ftrace_dump) CPU1 (reader) e

CVE-2025-39827 [MEDIUM] CVE-2025-39827: In the Linux kernel, the following vulnerability has been resolved: net: rose: include node referen In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_soc

CVE-2023-53259 [HIGH] CWE-125 CVE-2023-53259: In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_pag In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF The call to get_user_pages_fast() in vmci_host_setup_notify() can return NULL context->notify_page causing a GPF. To avoid GPF check if context->notify_page == NULL and return error if so. general pro

CVE-2025-39801 [MEDIUM] CWE-617 CVE-2025-39801: In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for d In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen duri

CVE-2022-50327 [MEDIUM] CWE-476 CVE-2022-50327: In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check ac In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ]

CVE-2025-39800 [MEDIUM] CVE-2025-39800: In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on une In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected

CVE-2025-9086 [HIGH] CWE-125 CVE-2025-9086: 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or oth 1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\"/\",`). Since this site is not secure, the cookie *should* just be ignored

CVE-2025-39798 [MEDIUM] CVE-2025-39798: In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabil In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again.

CVE-2025-39795 [MEDIUM] CWE-674 CVE-2025-39795: In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int wh

CVE-2025-39794 [MEDIUM] CVE-2025-39794: In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to w In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy.

CVE-2025-39790 [HIGH] CWE-415 CVE-2025-39790: In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events p In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This