Debian Linux vulnerabilities

CVE-2025-39759 [HIGH] CWE-362 CVE-2025-39759: In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A e

CVE-2025-39788 [HIGH] CWE-787 CVE-2025-39788: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programm In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of

CVE-2025-39760 [HIGH] CWE-125 CVE-2025-39760: In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the

CVE-2025-39749 [HIGH] CVE-2025-39749: In the Linux kernel, the following vulnerability has been resolved: rcu: Protect ->defer_qs_iw_pend In the Linux kernel, the following vulnerability has been resolved: rcu: Protect ->defer_qs_iw_pending from data race On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is invoked within an interrupts-disabled region of code [1], it will invoke rcu_read_unlock_special(), which uses an irq-work handler to force the system to notice when the RCU

CVE-2025-39757 [HIGH] CWE-125 CVE-2025-39757: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 cluster segment descriptors UAC3 class segment descriptors need to be verified whether their sizes match with the declared lengths and whether they fit with the allocated buffer sizes, too. Otherwise malicious firmware may lead to the unexpected OOB acc

CVE-2025-39766 [HIGH] CVE-2025-39766: In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue re In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ h

CVE-2025-39776 [HIGH] CWE-416 CVE-2025-39776: In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page table entries at destroy_args() The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those

CVE-2025-39743 [HIGH] CVE-2025-39743: In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the bugon to be triggered when executing clear_inode()

CVE-2025-39738 [HIGH] CVE-2025-39738: In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace: item 85 key (594509824 169 0) itemoff 12599 itemsize 33 extent refs 1 gen 197740 flags 2 ref#0: tree block backref root 7

CVE-2025-39783 [HIGH] CWE-787 CVE-2025-39783: In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs gro In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix configfs group list head handling Doing a list_del() on the epf_group field of struct pci_epf_driver in pci_epf_remove_cfs() is not correct as this field is a list head, not a list entry. This list_del() call triggers a KASAN warning when an endpoint function driv

CVE-2025-39772 [MEDIUM] CWE-476 CVE-2025-39772: In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hi In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix the hibmc loaded failed bug When hibmc loaded failed, the driver use hibmc_unload to free the resource, but the mutexes in mode.config are not init, which will access an NULL pointer. Just change goto statement to return, because hibnc_hw_init() doesn't ne

CVE-2025-39742 [MEDIUM] CWE-369 CVE-2025-39742: In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide In the Linux kernel, the following vulnerability has been resolved: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() The function divides number of online CPUs by num_core_siblings, and later checks the divider by zero. This implies a possibility to get and divide-by-zero runtime error. Fix it by moving the check prior to division.

CVE-2025-39752 [MEDIUM] CVE-2025-39752: In the Linux kernel, the following vulnerability has been resolved: ARM: rockchip: fix kernel hang In the Linux kernel, the following vulnerability has been resolved: ARM: rockchip: fix kernel hang during smp initialization In order to bring up secondary CPUs main CPU write trampoline code to SRAM. The trampoline code is written while secondary CPUs are powered on (at least that true for RK3188 CPU). Sometimes that leads to kernel hang. Probably because

CVE-2025-39773 [MEDIUM] CWE-667 CVE-2025-39773: In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() a

CVE-2025-39737 [MEDIUM] CWE-401 CVE-2025-39737: In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relative small system x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] The te

CVE-2025-39770 [MEDIUM] CVE-2025-39770: In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, wh

CVE-2025-39736 [MEDIUM] CWE-667 CVE-2025-39736: In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may tri

CVE-2025-40300 [MEDIUM] CVE-2025-40300: In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IB In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be prote

CVE-2025-39787 [MEDIUM] CVE-2025-39787: In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure w In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessary the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we

CVE-2025-39782 [MEDIUM] CWE-667 CVE-2025-39782: In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for