Debian Linux vulnerabilities

CVE-2025-39719 [HIGH] CWE-125 CVE-2025-39719: In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB acces In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_s

CVE-2025-39673 [MEDIUM] CWE-362 CVE-2025-39673: In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_e

CVE-2025-38735 [MEDIUM] CWE-476 CVE-2025-38735: In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in th

CVE-2025-39697 [MEDIUM] CWE-362 CVE-2025-39697: In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating a In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a race when updating an existing write After nfs_lock_and_join_requests() tests for whether the request is still attached to the mapping, nothing prevents a call to nfs_inode_remove_request() from succeeding until we actually lock the page group. The reason is that whoeve

CVE-2025-39714 [MEDIUM] CVE-2025-39714: In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution w In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, b

CVE-2025-39703 [MEDIUM] CWE-476 CVE-2025-39703: In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if s In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0

CVE-2025-39693 [MEDIUM] CWE-476 CVE-2025-39693: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL p In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9)

CVE-2025-39675 [MEDIUM] CWE-476 CVE-2025-39675: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null point In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will le

CVE-2025-39709 [MEDIUM] CWE-476 CVE-2025-39709: In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against s In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a

CVE-2025-39713 [MEDIUM] CWE-367 CVE-2025-39713: In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCT In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_le

CVE-2025-39694 [MEDIUM] CWE-476 CVE-2025-39694: In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present che In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start

CVE-2025-39681 [MEDIUM] CVE-2025-39681: In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resc In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put

CVE-2025-39684 [MEDIUM] CWE-908 CVE-2025-39684: In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialize In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` sample

CVE-2025-39716 [MEDIUM] CVE-2025-39716: In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 2

CVE-2025-39706 [MEDIUM] CWE-476 CVE-2025-39706: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/ker

CVE-2025-39676 [MEDIUM] CWE-476 CVE-2025-39676: In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potent In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to

CVE-2025-39724 [MEDIUM] CVE-2025-39724: In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR,

CVE-2025-38732 [MEDIUM] CVE-2025-38732: In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't lea In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set

CVE-2025-39692 [MEDIUM] CWE-476 CVE-2025-39692: In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_s In the Linux kernel, the following vulnerability has been resolved: smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() We can't call destroy_workqueue(smb_direct_wq); before stop_sessions()! Otherwise already existing connections try to use smb_direct_wq as a NULL pointer.

CVE-2025-39715 [MEDIUM] CVE-2025-39715: In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS call In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 an