Debian Linux-6.1 vulnerabilities

CVE-2025-38304 [MEDIUM] CVE-2025-38304: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.12.35-1) s

CVE-2025-71222 [MEDIUM] CVE-2025-71222: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: wlcor... In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes). Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved (fixed in 5.10.251-1) forky: resolved

CVE-2025-21655 [MEDIUM] CVE-2025-21655: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/ev... In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev

CVE-2025-21684 [MEDIUM] CVE-2025-21684: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: xilin... In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context

CVE-2025-38057 [MEDIUM] CVE-2025-38057: linux - In the Linux kernel, the following vulnerability has been resolved: espintcp: f... In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb. Scope: local bookworm: resolved (fixed in 6.1.159-1) bullseye: open forky: resolved (fixed in 6.12.32-1) sid: resolved (fixed in 6.12.32-1) trixie: resolved (fixed in 6.12.32-1)

CVE-2025-71087 [MEDIUM] CVE-2025-71087: linux - In the Linux kernel, the following vulnerability has been resolved: iavf: fix o... In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upp

CVE-2025-38583 [MEDIUM] CVE-2025-38583: linux - In the Linux kernel, the following vulnerability has been resolved: clk: xilinx... In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr

CVE-2025-37852 [MEDIUM] CVE-2025-37852: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Add error handling to propagate amdgpu_cgs_create_device() failures to the caller. When amdgpu_cgs_create_device() fails, release hwmgr and return -ENOMEM to prevent null pointer dereference. [v1]->[v2]: Change error code

CVE-2025-21629 [MEDIUM] CVE-2025-21629: linux - In the Linux kernel, the following vulnerability has been resolved: net: reenab... In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to

CVE-2025-21996 [MEDIUM] CVE-2025-21996: linux - In the Linux kernel, the following vulnerability has been resolved: drm/radeon:... In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon

CVE-2025-38174 [MEDIUM] CVE-2025-38174: linux - In the Linux kernel, the following vulnerability has been resolved: thunderbolt... In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call

CVE-2025-39847 [MEDIUM] CVE-2025-39847: linux - In the Linux kernel, the following vulnerability has been resolved: ppp: fix me... In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost

CVE-2025-39942 [MEDIUM] CVE-2025-39942: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd... In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved forky: resolved (fixed in 6.16.9-1) sid: resolved (fixed in 6.16.9-1) trixie: resolved

CVE-2025-38393 [MEDIUM] CVE-2025-38393: linux - In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS:... In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that th

CVE-2025-37820 [MEDIUM] CVE-2025-37820: linux - In the Linux kernel, the following vulnerability has been resolved: xen-netfron... In the Linux kernel, the following vulnerability has been resolved: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL point

CVE-2025-38430 [MEDIUM] CVE-2025-38430: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4... In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. Sco

CVE-2025-38698 [MEDIUM] CVE-2025-38698: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Regula... In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fi

CVE-2025-21638 [MEDIUM] CVE-2025-21638: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: sysct... In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: auth_enable: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nspro

CVE-2025-39876 [MEDIUM] CVE-2025-39876: linux - In the Linux kernel, the following vulnerability has been resolved: net: fec: F... In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.10.247-1) forky: resolved (fixed in 6.16.8-1)

CVE-2025-71189 [MEDIUM] CVE-2025-71189: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved forky: resolved (fixed in 6.18.8-1) sid: resolved (fixed