Debian Linux vulnerabilities

CVE-2025-39847 [MEDIUM] CWE-401 CVE-2025-39847: In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_com In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference

CVE-2025-39838 [MEDIUM] CWE-476 CVE-2025-39838: In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL pointer dere In the Linux kernel, the following vulnerability has been resolved: cifs: prevent NULL pointer dereference in UTF16 conversion There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from

CVE-2025-39845 [MEDIUM] CWE-401 CVE-2025-39845: In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TAB In the Linux kernel, the following vulnerability has been resolved: x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pg

CVE-2025-39835 [HIGH] CVE-2025-39835: In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA d In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found. However, a medium error from disk may also return ENODATA. At best, this medium error may escape

CVE-2025-39817 [HIGH] CWE-125 CVE-2025-39817: In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bound In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu

CVE-2025-39806 [HIGH] CWE-125 CVE-2025-39806: In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-o In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup() A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x2

CVE-2025-39826 [HIGH] CWE-416 CVE-2025-39826: In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field to refcount_t The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh

CVE-2025-39823 [HIGH] CWE-129 CVE-2025-39823: In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospe In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.

CVE-2025-39824 [HIGH] CWE-416 CVE-2025-39824: In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAI In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are pr

CVE-2025-39828 [HIGH] CVE-2025-39828: In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_

CVE-2025-39819 [MEDIUM] CVE-2025-39819: In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt update A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such inconsistent update could lead to possible resource leaks. Why it is a possible bug: 1. In the comment section of the function, it clearly states that the referenc

CVE-2025-39812 [MEDIUM] CWE-908 CVE-2025-39812: In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in In the Linux kernel, the following vulnerability has been resolved: sctp: initialize more fields in sctp_v6_from_sk() syzbot found that sin6_scope_id was not properly initialized, leading to undefined behavior. Clear sin6_scope_id and sin6_flowinfo. BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x887/0x8c0 net/sctp/ipv6.c:649 __sctp_v6_cmp_addr

CVE-2025-39825 [MEDIUM] CWE-362 CVE-2025-39825: In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with conc In the Linux kernel, the following vulnerability has been resolved: smb: client: fix race with concurrent opens in rename(2) Besides sending the rename request to the server, the rename process also involves closing any deferred close, waiting for outstanding I/O to complete as well as marking all existing open handles as deleted to prevent them f

CVE-2025-39808 [MEDIUM] CVE-2025-39808: In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to h In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xfffffff

CVE-2025-39813 [MEDIUM] CWE-362 CVE-2025-39813: In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning i In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix potential warning in trace_printk_seq during ftrace_dump When calling ftrace_dump_one() concurrently with reading trace_pipe, a WARN_ON_ONCE() in trace_printk_seq() can be triggered due to a race condition. The issue occurs because: CPU0 (ftrace_dump) CPU1 (reader) e

CVE-2025-39827 [MEDIUM] CVE-2025-39827: In the Linux kernel, the following vulnerability has been resolved: net: rose: include node referen In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_soc

CVE-2023-53259 [HIGH] CWE-125 CVE-2023-53259: In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_pag In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF The call to get_user_pages_fast() in vmci_host_setup_notify() can return NULL context->notify_page causing a GPF. To avoid GPF check if context->notify_page == NULL and return error if so. general pro

CVE-2025-39801 [MEDIUM] CWE-617 CVE-2025-39801: In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for d In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen duri

CVE-2022-50327 [MEDIUM] CWE-476 CVE-2022-50327: In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check ac In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). [ rjw: Subject and changelog edits, added empty line after if () ]

CVE-2025-39800 [MEDIUM] CVE-2025-39800: In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on une In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected