Debian Linux vulnerabilities

CVE-2025-39703 [MEDIUM] CWE-476 CVE-2025-39703: In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if s In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0

CVE-2025-39693 [MEDIUM] CWE-476 CVE-2025-39693: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL p In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)

CVE-2025-39675 [MEDIUM] CWE-476 CVE-2025-39675: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null point In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will le

CVE-2025-39709 [MEDIUM] CWE-476 CVE-2025-39709: In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against s In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a

CVE-2025-39713 [MEDIUM] CWE-367 CVE-2025-39713: In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCT In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_le

CVE-2025-39694 [MEDIUM] CWE-476 CVE-2025-39694: In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present che In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start

CVE-2025-39681 [MEDIUM] CVE-2025-39681: In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resc In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put

CVE-2025-39684 [MEDIUM] CWE-908 CVE-2025-39684: In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialize In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` sample

CVE-2025-39716 [MEDIUM] CVE-2025-39716: In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 2

CVE-2025-39706 [MEDIUM] CWE-476 CVE-2025-39706: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/ker

CVE-2025-39676 [MEDIUM] CWE-476 CVE-2025-39676: In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potent In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to

CVE-2025-39724 [MEDIUM] CVE-2025-39724: In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR,

CVE-2025-38732 [MEDIUM] CVE-2025-38732: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't lea In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set

CVE-2025-39692 [MEDIUM] CWE-476 CVE-2025-39692: In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_s In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer.

CVE-2025-39715 [MEDIUM] CVE-2025-39715: In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS call In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 an

CVE-2025-39718 [MEDIUM] CWE-787 CVE-2025-39718: In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length i In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length

CVE-2025-38714 [HIGH] CWE-125 CVE-2025-38714: In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() The hfsplus_bnode_read() method can trigger the issue: [ 174.852007][ T9784] ================================================================== [ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0

CVE-2025-38728 [HIGH] CWE-125 CVE-2025-38728: In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bound In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read

CVE-2025-38679 [HIGH] CWE-125 CVE-2025-38679: In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload si

CVE-2025-38685 [HIGH] CWE-787 CVE-2025-38685: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bound In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part o