Debian Linux-6.1 vulnerabilities

CVE-2025-38445 [HIGH] CVE-2025-38445: linux - In the Linux kernel, the following vulnerability has been resolved: md/raid1: F... In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example acces

CVE-2025-38556 [HIGH] CVE-2025-38556: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report f

CVE-2025-38502 [HIGH] CVE-2025-38502: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oo... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will vali

CVE-2025-38245 [HIGH] CVE-2025-38245: linux - In the Linux kernel, the following vulnerability has been resolved: atm: Releas... In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_

CVE-2025-38401 [HIGH] CVE-2025-38401: linux - In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Pre... In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon

CVE-2025-38527 [HIGH] CVE-2025-38527: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb()

CVE-2025-38239 [HIGH] CVE-2025-38239: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: megar... In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:2

CVE-2025-38550 [HIGH] CVE-2025-38550: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast... In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.16.3-1) si

CVE-2025-21760 [HIGH] CVE-2025-21760: linux - In the Linux kernel, the following vulnerability has been resolved: ndisc: exte... In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: re

CVE-2025-39682 [HIGH] CVE-2025-39682: linux - In the Linux kernel, the following vulnerability has been resolved: tls: fix ha... In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record h

CVE-2025-37947 [HIGH] CVE-2025-37947: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: prev... In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating *pos ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This p

CVE-2025-21950 [HIGH] CVE-2025-21950: linux - In the Linux kernel, the following vulnerability has been resolved: drivers: vi... In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/a

CVE-2025-39788 [HIGH] CVE-2025-39788: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ... In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 b

CVE-2025-22056 [HIGH] CVE-2025-22056: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of cha

CVE-2025-38676 [HIGH] CVE-2025-38676: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/amd: ... In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in

CVE-2025-21727 [HIGH] CVE-2025-21727: linux - In the Linux kernel, the following vulnerability has been resolved: padata: fix... In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_paral

CVE-2025-38416 [HIGH] CVE-2025-38416: linux - In the Linux kernel, the following vulnerability has been resolved: NFC: nci: u... In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close the window b

CVE-2025-38443 [HIGH] CVE-2025-38443: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: fix ua... In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/b

CVE-2025-37879 [HIGH] CVE-2025-37879: linux - In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix... In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix improper handling of bogus negative read/write replies In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) 3) Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye:

CVE-2025-38227 [HIGH] CVE-2025-38227: linux - In the Linux kernel, the following vulnerability has been resolved: media: vidt... In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited.