Debian Linux-6.1 vulnerabilities

CVE-2025-38693 [MEDIUM] CVE-2025-38693: linux - In the Linux kernel, the following vulnerability has been resolved: media: dvb-... In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity c

CVE-2025-37841 [MEDIUM] CVE-2025-37841: linux - In the Linux kernel, the following vulnerability has been resolved: pm: cpupowe... In the Linux kernel, the following vulnerability has been resolved: pm: cpupower: bench: Prevent NULL dereference on malloc failure If malloc returns NULL due to low memory, 'config' pointer can be NULL. Add a check to prevent NULL dereference. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.1

CVE-2025-71131 [MEDIUM] CVE-2025-71131: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: seq... In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variable unaligned_

CVE-2025-38665 [MEDIUM] CVE-2025-38665: linux - In the Linux kernel, the following vulnerability has been resolved: can: netlin... In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv:

CVE-2025-39770 [MEDIUM] CVE-2025-39770: linux - In the Linux kernel, the following vulnerability has been resolved: net: gso: F... In the Linux kernel, the following vulnerability has been resolved: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM When performing Generic Segmentation Offload (GSO) on an IPv6 packet that contains extension headers, the kernel incorrectly requests checksum offload if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has a

CVE-2025-38120 [MEDIUM] CVE-2025-38120: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initial map fill If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds

CVE-2025-21664 [MEDIUM] CVE-2025-21664: linux - In the Linux kernel, the following vulnerability has been resolved: dm thin: ma... In the Linux kernel, the following vulnerability has been resolved: dm thin: make get_first_thin use rcu-safe list first function The documentation in rculist.h explains the absence of list_empty_rcu() and cautions programmers against relying on a list_empty() -> list_first() sequence in RCU safe code. This is because each of these functions performs its own READ_ON

CVE-2025-71098 [MEDIUM] CVE-2025-71098: linux - In the Linux kernel, the following vulnerability has been resolved: ip6_gre: ma... In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb w

CVE-2025-38460 [MEDIUM] CVE-2025-38460: linux - In the Linux kernel, the following vulnerability has been resolved: atm: clip: ... In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also,

CVE-2025-38312 [MEDIUM] CVE-2025-38312: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: core... In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result

CVE-2025-39800 [MEDIUM] CVE-2025-39800: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: abor... In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation

CVE-2025-40039 [MEDIUM] CVE-2025-40039: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix race condition in RPC handle list access The 'sess->rpc_handle_list' XArray manages RPC handles within a ksmbd session. Access to this list is intended to be protected by 'sess->rpc_lock' (an rw_semaphore). However, the locking implementation was flawed, leading to potential race conditio

CVE-2025-21806 [MEDIUM] CVE-2025-21806: linux - In the Linux kernel, the following vulnerability has been resolved: net: let ne... In the Linux kernel, the following vulnerability has been resolved: net: let net.core.dev_weight always be non-zero The following problem was encountered during stability test: (NULL net_device): NAPI poll function process_backlog+0x0/0x530 \ returned 1, exceeding its budget of 0. ------------[ cut here ]------------ list_add double add: new=ffff88905f746f48, prev=f

CVE-2025-38630 [MEDIUM] CVE-2025-38630: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: imxf... In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot allocate a struct fb_modelist. If that happens, the modelist stays empty but the driver continues to register. Add a check for its return value to prevent potein

CVE-2025-38263 [MEDIUM] CVE-2025-38263: linux - In the Linux kernel, the following vulnerability has been resolved: bcache: fix... In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bc

CVE-2025-38184 [MEDIUM] CVE-2025-38184: linux - In the Linux kernel, the following vulnerability has been resolved: tipc: fix n... In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer

CVE-2025-37929 [MEDIUM] CVE-2025-37929: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: erra... In the Linux kernel, the following vulnerability has been resolved: arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists") added some additional CPUs to the Spectre-BHB workaround, including some new arrays for designs that require new 'k' values for the work

CVE-2025-23150 [MEDIUM] CVE-2025-23150: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: fix o... In the Linux kernel, the following vulnerability has been resolved: ext4: fix off-by-one error in do_split Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split. BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff88807

CVE-2025-37801 [MEDIUM] CVE-2025-37801: linux - In the Linux kernel, the following vulnerability has been resolved: spi: spi-im... In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer dereference. Unable to handle kernel NULL pointer dereference at virtual addres

CVE-2025-37865 [MEDIUM] CVE-2025-37865: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: m... In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is unsupported Russell King reports that on the ZII dev rev B, deleting a bridge VLAN from a user port fails with -ENOENT: https://lore.kernel.org/netdev/[email protected]/ This comes from mv88e6xxx_port_vlan_leave() -