Debian Linux vulnerabilities

CVE-2025-38715 [HIGH] CWE-125 CVE-2025-38715: In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These method

CVE-2025-38697 [HIGH] CWE-129 CVE-2025-38697: In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted.

CVE-2025-38724 [HIGH] CWE-416 CVE-2025-38724: In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked( In the Linux kernel, the following vulnerability has been resolved: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Lei Lu recently reported that nfsd4_setclientid_confirm() did not check the return value from get_client_locked(). a SETCLIENTID_CONFIRM could race with a confirmed client expiring and fail to get a reference. T

CVE-2025-38718 [HIGH] CWE-908 CVE-2025-38718: In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso pack In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this: BUG: KMSAN: uninit-value in sctp_inq_

CVE-2025-38708 [HIGH] CWE-416 CVE-2025-38708: In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in h In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are

CVE-2025-38699 [HIGH] CWE-415 CVE-2025-38699: In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix Whe In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the

CVE-2025-38680 [HIGH] CWE-125 CVE-2025-38680: In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() The buffer length check before calling uvc_parse_format() only ensured that the buffer has at least 3 bytes (buflen > 2), buf the function accesses buffer[3], requiring at least 4 bytes. This can lead to an out-of

CVE-2025-38707 [HIGH] CVE-2025-38707: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name The length of the file name should be smaller than the directory entry size.

CVE-2025-38729 [HIGH] CWE-787 CVE-2025-38729: In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too.

CVE-2025-38702 [HIGH] CWE-787 CVE-2025-38702: In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer ove In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer overflow in do_register_framebuffer() The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceed

CVE-2025-38713 [HIGH] CWE-125 CVE-2025-38713: In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in

CVE-2025-38691 [MEDIUM] CWE-908 CVE-2025-38691: In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. B

CVE-2025-38698 [MEDIUM] CVE-2025-38698: In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption ch In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures.

CVE-2025-38706 [MEDIUM] CWE-476 CVE-2025-38706: In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NU In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on

CVE-2025-38694 [MEDIUM] CWE-476 CVE-2025-38694: In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer d

CVE-2025-38693 [MEDIUM] CWE-476 CVE-2025-38693: In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: f In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[

CVE-2025-38684 [MEDIUM] CWE-476 CVE-2025-38684: In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, a

CVE-2025-38725 [MEDIUM] CWE-476 CVE-2025-38725: In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy In the Linux kernel, the following vulnerability has been resolved: net: usb: asix_devices: add phy_mask for ax88772 mdio bus Without setting phy_mask for ax88772 mdio bus, current driver may create at most 32 mdio phy devices with phy address range from 0x00 ~ 0x1f. DLink DUB-E100 H/W Ver B1 is such a device. However, only one main phy device wil

CVE-2025-38711 [MEDIUM] CWE-667 CVE-2025-38711: In the Linux kernel, the following vulnerability has been resolved: smb/server: avoid deadlock when In the Linux kernel, the following vulnerability has been resolved: smb/server: avoid deadlock when linking with ReplaceIfExists If smb2_create_link() is called with ReplaceIfExists set and the name does exist then a deadlock will happen. ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remo

CVE-2025-38683 [MEDIUM] CWE-476 CVE-2025-38683: In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during nam In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved