Debian Linux-6.1 vulnerabilities

CVE-2025-38410 [MEDIUM] CVE-2025-38410: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fi... In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork: https://patchwork.fr

CVE-2025-38650 [MEDIUM] CVE-2025-38650: linux - In the Linux kernel, the following vulnerability has been resolved: hfsplus: re... In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606

CVE-2025-38345 [MEDIUM] CVE-2025-38345: linux - In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix... In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to bo

CVE-2025-38018 [MEDIUM] CVE-2025-38018: linux - In the Linux kernel, the following vulnerability has been resolved: net/tls: fi... In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will t

CVE-2025-39798 [MEDIUM] CVE-2025-39798: linux - In the Linux kernel, the following vulnerability has been resolved: NFS: Fix th... In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.

CVE-2025-37938 [MEDIUM] CVE-2025-37938: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Ve... In the Linux kernel, the following vulnerability has been resolved: tracing: Verify event formats that have "%*p.." The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered

CVE-2025-39808 [MEDIUM] CVE-2025-39808: linux - In the Linux kernel, the following vulnerability has been resolved: HID: hid-nt... In the Linux kernel, the following vulnerability has been resolved: HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() in ntrig_report_version(), hdev parameter passed from hid_probe(). sending descriptor to /dev/uhid can make hdev->dev.parent->parent to null if hdev->dev.parent->parent is null, usb_dev has invalid address(0xffffffffffffff58)

CVE-2025-38727 [MEDIUM] CVE-2025-38727: linux - In the Linux kernel, the following vulnerability has been resolved: netlink: av... In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the m

CVE-2025-21653 [MEDIUM] CVE-2025-21653: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute syzbot found that TCA_FLOW_RSHIFT attribute was not validated. Right shitfing a 32bit integer is undefined for large shift values. UBSAN: shift-out-of-bounds in net/sched/cls_flow.c:329:23 shift exponent 9445 is too large for 32-bit type 'u32'

CVE-2025-21681 [MEDIUM] CVE-2025-21681: linux - In the Linux kernel, the following vulnerability has been resolved: openvswitch... In the Linux kernel, the following vulnerability has been resolved: openvswitch: fix lockup on tx to unregistering netdev with carrier Commit in a fixes tag attempted to fix the issue in the following sequence of calls: do_output -> ovs_vport_send -> dev_queue_xmit -> __dev_queue_xmit -> netdev_core_pick_tx -> skb_tx_hash When device is unregistering, the 'dev->real

CVE-2025-37982 [MEDIUM] CVE-2025-37982: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: wl125... In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: fix memory leak in wl1251_tx_work The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved

CVE-2025-39773 [MEDIUM] CVE-2025-39773: linux - In the Linux kernel, the following vulnerability has been resolved: net: bridge... In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix soft lockup in br_multicast_query_expired() When set multicast_query_interval to a large value, the local variable 'time' in br_multicast_send_query() may overflow. If the time is smaller than jiffies, the timer will expire immediately, and then call mod_timer() again, which creates

CVE-2025-38612 [MEDIUM] CVE-2025-38612: linux - In the Linux kernel, the following vulnerability has been resolved: staging: fb... In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() In the error paths after fb_info structure is successfully allocated, the memory allocated in fb_deferred_io_init() for info->pagerefs is not freed. Fix that by adding the cleanup function on the error path. Scope: local bookworm

CVE-2025-71121 [MEDIUM] CVE-2025-71121: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Do ... In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the crash by checki

CVE-2025-38683 [MEDIUM] CVE-2025-38683: linux - In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: ... In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Fix panic during namespace deletion with VF The existing code move the VF NIC to new namespace when NETDEV_REGISTER is received on netvsc NIC. During deletion of the namespace, default_device_exit_batch() >> default_device_exit_net() is called. When netvsc NIC is moved back and registered

CVE-2025-38225 [MEDIUM] CVE-2025-38225: linux - In the Linux kernel, the following vulnerability has been resolved: media: imx-... In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed allocations to preven

CVE-2025-37742 [MEDIUM] CVE-2025-37742: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Fix un... In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of imap allocated in the diMount() function syzbot reports that hex_dump_to_buffer is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 hex_dump_to_buffer+0x888/0x1100 l

CVE-2025-37770 [MEDIUM] CVE-2025-37770: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fixed in 5.10.237-1) fo

CVE-2025-38148 [MEDIUM] CVE-2025-38148: linux - In the Linux kernel, the following vulnerability has been resolved: net: phy: m... In the Linux kernel, the following vulnerability has been resolved: net: phy: mscc: Fix memory leak when using one step timestamping Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never ge

CVE-2025-38094 [MEDIUM] CVE-2025-38094: linux - In the Linux kernel, the following vulnerability has been resolved: net: cadenc... In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sam