Debian Linux-6.1 vulnerabilities
2,634 known vulnerabilities affecting debian/linux-6.1.
Total CVEs: 2,634
CISA KEV: 5 (actively exploited)
Public exploits: 1
Exploited in wild: 4
Severity breakdown
CRITICAL: 6 | HIGH: 728 | MEDIUM: 1569 | LOW: 14 | UNKNOWN: 317
Vulnerabilities
Page 13 of 132
CVE-2025-71137 | HIGH | CVSS 7.8 | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length. This avoids UBSAN shift-out-of-bounds errors when users pass small or zero ring sizes via ethtool -G.
Scope: local
bookworm: resolved (fixed in 6.1.162-1)
debian
CVE-2025-39738 | HIGH | CVSS 7.8 | fixed in linux 6.1.153-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not allow relocation of partially dropped subvolumes [BUG] There is an internal report that balance triggered transaction abort, with the following call trace: item 85 key (594509824 169 0) itemoff 12599 itemsize 33 extent refs 1 gen 197740 flags 2 ref#0: tree block backref root 7 item 86 ke
debian
CVE-2025-37926 | HIGH | CVSS 7.8 | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_session_rpc_open A UAF issue can occur due to a race condition between ksmbd_session_rpc_open() and __session_rpc_close(). Add rpc_lock to the session to protect it.
Scope: local
bookworm: resolved (fixed in 6.1.162-1)
bullseye: resolved
forky: resolved (fixed in 6.1
debian
CVE-2025-38198 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_i
debian
CVE-2025-39701 | HIGH | CVSS 7.8 | fixed in linux 6.1.153-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ACPI: pfr_update: Fix the driver update version check The security-version-number check should be used rather than the runtime version check for driver updates. Otherwise, the firmware update would fail when the update binary had a lower runtime version number than the current one. [ rjw: Changelog ed
debian
CVE-2025-38476 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a
debian
CVE-2025-37749 | HIGH | CVSS 7.1 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remo
debian
CVE-2025-38389 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: [239.330153] ------------[ cut here ]------------ [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_cou
debian
CVE-2025-22035 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the
debian
CVE-2025-21796 | HIGH | CVSS 7.8 | fixed in linux 6.1.129-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------
debian
CVE-2025-37798 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().
Scope: local
bookworm: resolved (fixed in 6.1.135-1)
bullseye: resolved (fixed
debian
CVE-2025-39945 | HIGH | CVSS 7.8 | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue
debian
CVE-2025-39864 | HIGH | CVSS 7.8 | fixed in linux 6.1.153-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss'
debian
CVE-2025-39951 | HIGH | CVSS 7.8 | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: um: virtio_uml: Fix use-after-free after put_device in probe When register_virtio_device() fails in virtio_uml_probe(), the code sets vu_dev->registered = 1 even though the device was not successfully registered. This can lead to use-after-free or other issues.
Scope: local
bookworm: resolved (fixed i
debian
CVE-2025-37803 | HIGH | CVSS 7.8 | fixed in linux 6.1.137-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: udmabuf: fix a buf size overflow issue during udmabuf creation by casting size_limit_mb to u64 when calculating pglimit.
Scope: local
bookworm: resolved (fixed in 6.1.137-1)
bullseye: resolved (fixed in 5.10.237-1)
forky: resolved (fixed in 6.16.3-1)
sid: resolved (fixed in 6.16.3-1)
trixie: resolved (f
debian
CVE-2025-38259 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup in final error paths and in unbind (missing remove() callback). This leads to leaked memory and unbalanced
debian
CVE-2025-38000 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an imme
debian
CVE-2025-37786 | HIGH | CVSS 7.8 | fixed in linux 6.1.164-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequen
debian
CVE-2025-21867 | HIGH | CVSS 7.8 | fixed in linux 6.1.133-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value
debian
CVE-2025-38456 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on an invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we
debian