Debian Linux-6.1 vulnerabilities

CVE-2025-22040 [HIGH] CVE-2025-22040: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. Scope: local bo

CVE-2025-21791 [HIGH] CVE-2025-21791: linux - In the Linux kernel, the following vulnerability has been resolved: vrf: use RC... In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. Scope: local bookworm: resolved (

CVE-2025-37822 [HIGH] CVE-2025-37822: linux - In the Linux kernel, the following vulnerability has been resolved: riscv: upro... In the Linux kernel, the following vulnerability has been resolved: riscv: uprobes: Add missing fence.i after building the XOL buffer The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution o

CVE-2025-21782 [HIGH] CVE-2025-21782: linux - In the Linux kernel, the following vulnerability has been resolved: orangefs: f... In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky:

CVE-2025-23142 [HIGH] CVE-2025-23142: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: detec... In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks

CVE-2025-38415 [HIGH] CVE-2025-38415: linux - In the Linux kernel, the following vulnerability has been resolved: Squashfs: c... In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the sam

CVE-2025-71136 [HIGH] CVE-2025-71136: linux - In the Linux kernel, the following vulnerability has been resolved: media: adv7... In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (li

CVE-2025-38212 [HIGH] CVE-2025-38212: linux - In the Linux kernel, the following vulnerability has been resolved: ipc: fix to... In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical regi

CVE-2025-39841 [HIGH] CVE-2025-39841: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc:... In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost

CVE-2025-37819 [HIGH] CVE-2025-37819: linux - In the Linux kernel, the following vulnerability has been resolved: irqchip/gic... In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be free

CVE-2025-21731 [HIGH] CVE-2025-21731: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: don't ... In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_

CVE-2025-71116 [HIGH] CVE-2025-71116: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: ma... In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there

CVE-2025-39957 [HIGH] CVE-2025-39957: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: increase scan_ies_len for S1G Currently the S1G capability element is not taken into account for the scan_ies_len, which leads to a buffer length validation failure in ieee80211_prep_hw_scan() and subsequent WARN in __ieee80211_start_scan(). This prevents hw scanning from functioning.

CVE-2025-21946 [HIGH] CVE-2025-21946: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds in parse_sec_desc() If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd struct size. If it is smaller, It could cause slab-out-of-bounds. And when validating sid, It need to check it included subauth array size. Scope: local bookworm: resolved (fixed in 6.1

CVE-2025-38102 [HIGH] CVE-2025-38102: linux - In the Linux kernel, the following vulnerability has been resolved: VMCI: fix r... In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID

CVE-2025-38118 [HIGH] CVE-2025-38118: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x5

CVE-2025-39911 [HIGH] CVE-2025-39911: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: fix I... In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs corr

CVE-2025-38494 [HIGH] CVE-2025-38494: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. Scope: local bookworm: resolved (fixed in 6.1.1

CVE-2025-71220 [HIGH] CVE-2025-71220: linux - In the Linux kernel, the following vulnerability has been resolved: smb/server:... In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixi

CVE-2025-37817 [HIGH] CVE-2025-37817: linux - In the Linux kernel, the following vulnerability has been resolved: mcb: fix a ... In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails. Scope: local