Debian Linux-6.1 vulnerabilities

CVE-2025-38157 [HIGH] CVE-2025-38157: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k... In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by

CVE-2025-37890 [HIGH] CVE-2025-37890: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted th

CVE-2025-22022 [HIGH] CVE-2025-22022: linux - In the Linux kernel, the following vulnerability has been resolved: usb: xhci: ... In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Apply the link chain quirk on NEC isoc endpoints Two clearly different specimens of NEC uPD720200 (one with start/stop bug, one without) were seen to cause IOMMU faults after some Missed Service Errors. Faulting address is immediately after a transfer ring segment and patched dynamic debug

CVE-2025-38565 [HIGH] CVE-2025-38565: linux - In the Linux kernel, the following vulnerability has been resolved: perf/core: ... In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this case, whic

CVE-2025-21780 [HIGH] CVE-2025-21780: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() It malicious user provides a small pptable through sysfs and then a bigger pptable, it may cause buffer overflow attack in function smu_sys_set_pp_table(). Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: open forky: reso

CVE-2025-37915 [HIGH] CVE-2025-37915: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: drr: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of drr, there won't be a UAF, but the code will add the same classifier to the

CVE-2025-38538 [HIGH] CVE-2025-38538: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are more involved. In this

CVE-2025-21968 [HIGH] CVE-2025-21968: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free on hdcp_work [Why] A slab-use-after-free is reported when HDCP is destroyed but the property_validate_dwork queue is still running. [How] Cancel the delayed work when destroying workqueue. (cherry picked from commit 725a04ba5a95e89c89633d4322430cfbca7ce128) Sco

CVE-2025-38079 [HIGH] CVE-2025-38079: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: alg... In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. Scope: local bookworm: resolved (fixed in 6.1.147-

CVE-2025-71093 [HIGH] CVE-2025-71093: linux - In the Linux kernel, the following vulnerability has been resolved: e1000: fix ... In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated sla

CVE-2025-39776 [HIGH] CVE-2025-39776: linux - In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm... In the Linux kernel, the following vulnerability has been resolved: mm/debug_vm_pgtable: clear page table entries at destroy_args() The mm/debug_vm_pagetable test allocates manually page table entries for the tests it runs, using also its manually allocated mm_struct. That in itself is ok, but when it exits, at destroy_args() it fails to clear those entries with the *

CVE-2025-38563 [HIGH] CVE-2025-38563: linux - In the Linux kernel, the following vulnerability has been resolved: perf/core: ... In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the same size in

CVE-2025-38361 [HIGH] CVE-2025-38361: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check dce_hwseq before dereferencing it [WHAT] hws was checked for null earlier in dce110_blank_stream, indicating hws can be null, and should be checked whenever it is used. (cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad) Scope: local bookworm: resolved (fixed in

CVE-2025-38482 [HIGH] CVE-2025-38482: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: das... In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could

CVE-2025-21761 [HIGH] CVE-2025-21761: linux - In the Linux kernel, the following vulnerability has been resolved: openvswitch... In the Linux kernel, the following vulnerability has been resolved: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() ovs_vport_cmd_fill_info() can be called without RTNL or RCU. Use RCU protection and dev_net_rcu() to avoid potential UAF. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in

CVE-2025-39877 [HIGH] CVE-2025-39877: linux - In the Linux kernel, the following vulnerability has been resolved: mm/damon/sy... In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix use-after-free in state_show() state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock. This allows a use-after-free race: CPU 0 CPU 1 ----- ----- state_show() damon_sysfs_turn_damon_on() ctx = kdamond->damon_ctx; mutex_lock(&damon_sysfs_lock); damon_destroy_ctx(kdam

CVE-2025-38377 [HIGH] CVE-2025-38377: linux - In the Linux kernel, the following vulnerability has been resolved: rose: fix d... In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neig

CVE-2025-39719 [HIGH] CVE-2025-39719: linux - In the Linux kernel, the following vulnerability has been resolved: iio: imu: b... In the Linux kernel, the following vulnerability has been resolved: iio: imu: bno055: fix OOB access of hw_xlate array Fix a potential out-of-bounds array access of the hw_xlate array in bno055.c. In bno055_get_regmask(), hw_xlate was iterated over the length of the vals array instead of the length of the hw_xlate array. In the case of bno055_gyr_scale, the vals array

CVE-2025-38342 [HIGH] CVE-2025-38342: linux - In the Linux kernel, the following vulnerability has been resolved: software no... In the Linux kernel, the following vulnerability has been resolved: software node: Correct a OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed pr

CVE-2025-38323 [HIGH] CVE-2025-38323: linux - In the Linux kernel, the following vulnerability has been resolved: net: atm: a... In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach(). Following patch will use this mutex for /proc/net/atm