Debian Linux-6.1 vulnerabilities

CVE-2025-38462 [MEDIUM] CVE-2025-38462: linux - In the Linux kernel, the following vulnerability has been resolved: vsock: Fix ... In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-

CVE-2025-22119 [MEDIUM] CVE-2025-22119: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80... In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: init wiphy_work before allocating rfkill fails syzbort reported a uninitialize wiphy_work_lock in cfg80211_dev_free. [1] After rfkill allocation fails, the wiphy release process will be performed, which will cause cfg80211_dev_free to access the uninitialized wiphy_work related data.

CVE-2025-23151 [MEDIUM] CVE-2025-23151: linux - In the Linux kernel, the following vulnerability has been resolved: bus: mhi: h... In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Fix race between unprepare and queue_buf A client driver may use mhi_unprepare_from_transfer() to quiesce incoming data during the client driver's tear down. The client driver might also be processing data at the same time, resulting in a call to mhi_queue_buf() which will invoke mhi

CVE-2025-37773 [MEDIUM] CVE-2025-37773: linux - In the Linux kernel, the following vulnerability has been resolved: virtiofs: a... In the Linux kernel, the following vulnerability has been resolved: virtiofs: add filesystem context source name check In certain scenarios, for example, during fuzz testing, the source name may be NULL, which could lead to a kernel panic. Therefore, an extra check for the source name should be added. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: re

CVE-2025-37788 [MEDIUM] CVE-2025-37788: linux - In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix ... In the Linux kernel, the following vulnerability has been resolved: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path In the for loop used to allocate the loc_array and bmap for each port, a memory leak is possible when the allocation for loc_array succeeds, but the allocation for bmap fails. This is because when the control flow goes to the label fr

CVE-2025-21943 [MEDIUM] CVE-2025-21943: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: aggre... In the Linux kernel, the following vulnerability has been resolved: gpio: aggregator: protect driver attr handlers against module unload Both new_device_store and delete_device_store touch module global resources (e.g. gpio_aggregator_lock). To prevent race conditions with module unload, a reference needs to be held. Add try_module_get() in these handlers. For new_d

CVE-2025-71102 [MEDIUM] CVE-2025-71102: linux - In the Linux kernel, the following vulnerability has been resolved: scs: fix a ... In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here should be '__sc

CVE-2025-22021 [MEDIUM] CVE-2025-22021: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: socket: Lookup orig tuple for IPv6 SNAT nf_sk_lookup_slow_v4 does the conntrack lookup for IPv4 packets to restore the original 5-tuple in case of SNAT, to be able to find the right socket (if any). Then socket_match() can correctly check whether the socket was transparent. However, the I

CVE-2025-38515 [MEDIUM] CVE-2025-38515: linux - In the Linux kernel, the following vulnerability has been resolved: drm/sched: ... In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the job count being zero. If this race occurs, job scheduling stops, lead

CVE-2025-71186 [MEDIUM] CVE-2025-71186: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the refe

CVE-2025-71119 [MEDIUM] CVE-2025-71119: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/kex... In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prep

CVE-2025-22072 [MEDIUM] CVE-2025-22072: linux - In the Linux kernel, the following vulnerability has been resolved: spufs: fix ... In the Linux kernel, the following vulnerability has been resolved: spufs: fix gang directory lifetimes prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have a problem with gang lifetimes - creation of a gang returns opened gang directory, which normally gets removed when that gets closed, but if somebody has created a context belonging to that gang and

CVE-2025-38696 [MEDIUM] CVE-2025-38696: linux - In the Linux kernel, the following vulnerability has been resolved: MIPS: Don't... In the Linux kernel, the following vulnerability has been resolved: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO Not all tasks have an ABI associated or vDSO mapped, for example kthreads never do. If such a task ever ends up calling stack_top(), it will derefence the NULL ABI pointer and crash. This can for example happen when using kunit: mips_sta

CVE-2025-37967 [MEDIUM] CVE-2025-37967: linux - In the Linux kernel, the following vulnerability has been resolved: usb: typec:... In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix deadlock This patch introduces the ucsi_con_mutex_lock / ucsi_con_mutex_unlock functions to the UCSI driver. ucsi_con_mutex_lock ensures the connector mutex is only locked if a connection is established and the partner pointer is valid. This resolves a deadlock sce

CVE-2025-22049 [MEDIUM] CVE-2025-22049: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ... In the Linux kernel, the following vulnerability has been resolved: LoongArch: Increase ARCH_DMA_MINALIGN up to 16 ARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices (such as APBDMA) require 16 bytes alignment. When the data buffer length is too small, the hardware may make an error writing cacheline. Thus, it is dangerous to allocate a small mem

CVE-2025-39736 [MEDIUM] CVE-2025-39736: linux - In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak... In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock When netpoll is enabled, calling pr_warn_once() while holding kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock inversion with the netconsole subsystem. This occurs because pr_warn_once() may trigger netpoll, whic

CVE-2025-71149 [MEDIUM] CVE-2025-71149: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/po... In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the even

CVE-2025-37767 [MEDIUM] CVE-2025-37767: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed i

CVE-2025-38044 [MEDIUM] CVE-2025-38044: linux - In the Linux kernel, the following vulnerability has been resolved: media: cx23... In the Linux kernel, the following vulnerability has been resolved: media: cx231xx: set device_caps for 417 The video_device for the MPEG encoder did not set device_caps. Add this, otherwise the video device can't be registered (you get a WARN_ON instead). Not seen before since currently 417 support is disabled, but I found this while experimenting with it. Scope: l

CVE-2025-22054 [MEDIUM] CVE-2025-22054: linux - In the Linux kernel, the following vulnerability has been resolved: arcnet: Add... In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, com20020pci_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensure no resources are