Debian Linux vulnerabilities

CVE-2025-39770 [MEDIUM] CVE-2025-39770: In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, wh

CVE-2025-39736 [MEDIUM] CWE-667 CVE-2025-39736: In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may tri

CVE-2025-40300 [MEDIUM] CVE-2025-40300: In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IB In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be prote

CVE-2025-39787 [MEDIUM] CVE-2025-39787: In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure w In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessary the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we

CVE-2025-39782 [MEDIUM] CWE-667 CVE-2025-39782: In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for

CVE-2025-39756 [MEDIUM] CWE-401 CVE-2025-39756: In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor tab In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_M

CVE-2025-39730 [HIGH] CVE-2025-39730: In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds chec In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() The function needs to check the minimal filehandle length before it can access the embedded filehandle.

CVE-2025-39734 [MEDIUM] CVE-2025-39734: In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. Initially, conditional lock acquisition was removed to fix an xfstest bug that was observed during internal testing. The deadlock reported by syzbot is resolved by reint

CVE-2025-39731 [MEDIUM] CVE-2025-39731: In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be cal In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test: f2fs/007 5s ... [12:59:3

CVE-2025-39689 [HIGH] CWE-416 CVE-2025-39689: In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the f

CVE-2025-38736 [HIGH] CWE-125 CVE-2025-38736: In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues wi

CVE-2025-39683 [HIGH] CWE-125 CVE-2025-39683: In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d0

CVE-2025-39686 [HIGH] CVE-2025-39686: In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bi In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` inst

CVE-2025-39701 [HIGH] CVE-2025-39701: In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the drive In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the driver update version check The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one. [ rjw:

CVE-2025-39702 [HIGH] CWE-203 CVE-2025-39702: In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

CVE-2025-39682 [HIGH] CVE-2025-39682: In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-lengt In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If

CVE-2025-39685 [HIGH] CWE-125 CVE-2025-39685: In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 options[

CVE-2025-39691 [HIGH] CWE-416 CVE-2025-39691: In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free w In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64

CVE-2025-39687 [HIGH] CVE-2025-39687: In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buf In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.

CVE-2025-39710 [HIGH] CWE-125 CVE-2025-39710: In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for p In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to proc