Debian Linux vulnerabilities

CVE-2025-39718 [MEDIUM] CWE-787 CVE-2025-39718: In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length i In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length

CVE-2025-38714 [HIGH] CWE-125 CVE-2025-38714: In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() The hfsplus_bnode_read() method can trigger the issue: [ 174.852007][ T9784] ================================================================== [ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0

CVE-2025-38728 [HIGH] CWE-125 CVE-2025-38728: In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bound In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read

CVE-2025-38679 [HIGH] CWE-125 CVE-2025-38679: In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due In the Linux kernel, the following vulnerability has been resolved: media: venus: Fix OOB read due to missing payload bound check Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload si

CVE-2025-38685 [HIGH] CWE-787 CVE-2025-38685: In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bound In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part o

CVE-2025-38715 [HIGH] CWE-125 CVE-2025-38715: In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These method

CVE-2025-38697 [HIGH] CWE-129 CVE-2025-38697: In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted.

CVE-2025-38724 [HIGH] CWE-416 CVE-2025-38724: In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked( In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. T

CVE-2025-38718 [HIGH] CWE-908 CVE-2025-38718: In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso pack In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_

CVE-2025-38708 [HIGH] CWE-416 CVE-2025-38708: In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in h In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are

CVE-2025-38699 [HIGH] CWE-415 CVE-2025-38699: In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix Whe In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the

CVE-2025-38680 [HIGH] CWE-125 CVE-2025-38680: In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of

CVE-2025-38707 [HIGH] CVE-2025-38707: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name The length of the file name should be smaller than the directory entry size.

CVE-2025-38729 [HIGH] CWE-787 CVE-2025-38729: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too.

CVE-2025-38702 [HIGH] CWE-787 CVE-2025-38702: In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer ove In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer overflow in do_register_framebuffer() The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceed

CVE-2025-38713 [HIGH] CWE-125 CVE-2025-38713: In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in

CVE-2025-38691 [MEDIUM] CWE-908 CVE-2025-38691: In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. B

CVE-2025-38698 [MEDIUM] CVE-2025-38698: In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption ch In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures.

CVE-2025-38706 [MEDIUM] CWE-476 CVE-2025-38706: In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NU In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on

CVE-2025-38694 [MEDIUM] CWE-476 CVE-2025-38694: In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer d