Debian Linux vulnerabilities

CVE-2025-39756 [MEDIUM] CWE-401 CVE-2025-39756: In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor tab In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_M

CVE-2025-39730 [HIGH] CVE-2025-39730: In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds chec In the Linux kernel, the following vulnerability has been resolved: NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() The function needs to check the minimal filehandle length before it can access the embedded filehandle.

CVE-2025-39734 [MEDIUM] CVE-2025-39734: In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. Initially, conditional lock acquisition was removed to fix an xfstest bug that was observed during internal testing. The deadlock reported by syzbot is resolved by reint

CVE-2025-39731 [MEDIUM] CVE-2025-39731: In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be cal In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test: f2fs/007 5s ... [12:59:3

CVE-2025-39689 [HIGH] CWE-416 CVE-2025-39689: In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy In the Linux kernel, the following vulnerability has been resolved: ftrace: Also allocate and copy hash for reading of filter files Currently the reader of set_ftrace_filter and set_ftrace_notrace just adds the pointer to the global tracer hash to its iterator. Unlike the writer that allocates a copy of the hash, the reader keeps the pointer to the f

CVE-2025-38736 [HIGH] CWE-125 CVE-2025-38736: In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Syzbot reported shift-out-of-bounds exception on MDIO bus initialization. The PHY address should be masked to 5 bits (0-31). Without this mask, invalid PHY addresses could be used, potentially causing issues wi

CVE-2025-39683 [HIGH] CWE-125 CVE-2025-39683: In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d0

CVE-2025-39686 [HIGH] CVE-2025-39686: In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bi In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` inst

CVE-2025-39701 [HIGH] CVE-2025-39701: In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the drive In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the driver update version check The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one. [ rjw:

CVE-2025-39702 [HIGH] CWE-203 CVE-2025-39702: In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.

CVE-2025-39682 [HIGH] CVE-2025-39682: In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-lengt In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If

CVE-2025-39685 [HIGH] CWE-125 CVE-2025-39685: In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 options[

CVE-2025-39691 [HIGH] CWE-416 CVE-2025-39691: In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free w In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64

CVE-2025-39687 [HIGH] CVE-2025-39687: In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buf In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it.

CVE-2025-39710 [HIGH] CWE-125 CVE-2025-39710: In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for p In the Linux kernel, the following vulnerability has been resolved: media: venus: Add a check for packet size after reading from shared memory Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to proc

CVE-2025-39719 [HIGH] CWE-125 CVE-2025-39719: In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB acces In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_s

CVE-2025-39673 [MEDIUM] CWE-362 CVE-2025-39673: In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_e

CVE-2025-38735 [MEDIUM] CWE-476 CVE-2025-38735: In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in th

CVE-2025-39697 [MEDIUM] CWE-362 CVE-2025-39697: In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating a In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating an existing write After nfs_lock_and_join_requests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfs_inode_remove_request() from succeeding until we actually lock the page group. The reason is that whoeve

CVE-2025-39714 [MEDIUM] CVE-2025-39714: In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution w In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, b