Debian Linux-6.1 vulnerabilities

CVE-2025-38457 [MEDIUM] CVE-2025-38457: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and

CVE-2025-38085 [MEDIUM] CVE-2025-38085: linux - In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb:... In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens

CVE-2025-39819 [MEDIUM] CVE-2025-39819: linux - In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix... In the Linux kernel, the following vulnerability has been resolved: fs/smb: Fix inconsistent refcnt update A possible inconsistent update of refcount was identified in `smb2_compound_op`. Such inconsistent update could lead to possible resource leaks. Why it is a possible bug: 1. In the comment section of the function, it clearly states that the reference to `cfile`

CVE-2025-71095 [MEDIUM] CVE-2025-71095: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac... In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 0000000096000144 [#1] S

CVE-2025-21667 [MEDIUM] CVE-2025-21667: linux - In the Linux kernel, the following vulnerability has been resolved: iomap: avoi... In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem. Scope: local bookworm: resolved

CVE-2025-22089 [MEDIUM] CVE-2025-22089: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Don't expose hw_counters outside of init net namespace Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") accidentally almost exposed hw counters to non-init net namespaces. It didn't expose them fully, as an attempt to read any of those counters leads to a

CVE-2025-21750 [MEDIUM] CVE-2025-21750: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: brcmf... In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this

CVE-2025-37959 [MEDIUM] CVE-2025-37959: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub ... In the Linux kernel, the following vulnerability has been resolved: bpf: Scrub packet on bpf_redirect_peer When bpf_redirect_peer is used to redirect packets to a device in another network namespace, the skb isn't scrubbed. That can lead skb information from one namespace to be "misused" in another namespace. As one example, this is causing Cilium to drop traffic wh

CVE-2025-21951 [MEDIUM] CVE-2025-21951: linux - In the Linux kernel, the following vulnerability has been resolved: bus: mhi: h... In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shu

CVE-2025-38732 [MEDIUM] CVE-2025-38732: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linu

CVE-2025-38331 [MEDIUM] CVE-2025-38331: linux - In the Linux kernel, the following vulnerability has been resolved: net: ethern... In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "TOE/TSO" offloader and it will handle them. Without this quirk the driver becomes unstable and lock up and and crash. I do not know

CVE-2025-21964 [MEDIUM] CVE-2025-21964: linux - In the Linux kernel, the following vulnerability has been resolved: cifs: Fix i... In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acregmax mount option User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Cente

CVE-2025-37985 [MEDIUM] CVE-2025-37985: linux - In the Linux kernel, the following vulnerability has been resolved: USB: wdm: c... In the Linux kernel, the following vulnerability has been resolved: USB: wdm: close race between wdm_open and wdm_wwan_port_stop Clearing WDM_WWAN_IN_USE must be the last action or we can open a chardev whose URBs are still poisoned Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye: resolved forky: resolved (fixed in 6.12.27-1) sid: resolved (fixed in 6.

CVE-2025-37830 [MEDIUM] CVE-2025-37830: linux - In the Linux kernel, the following vulnerability has been resolved: cpufreq: sc... In the Linux kernel, the following vulnerability has been resolved: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() cpufreq_cpu_get_raw() can return NULL when the target CPU is not present in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for this case, which results in a NULL pointer dereference. Add NULL check after cpufreq_cpu_get_raw(

CVE-2025-39846 [MEDIUM] CVE-2025-39846: linux - In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix... In the Linux kernel, the following vulnerability has been resolved: pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference on failure of pcmc

CVE-2025-38470 [MEDIUM] CVE-2025-38470: linux - In the Linux kernel, the following vulnerability has been resolved: net: vlan: ... In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problem

CVE-2025-21960 [MEDIUM] CVE-2025-21960: linux - In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: ... In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build

CVE-2025-39949 [MEDIUM] CVE-2025-39949: linux - In the Linux kernel, the following vulnerability has been resolved: qed: Don't ... In the Linux kernel, the following vulnerability has been resolved: qed: Don't collect too many protection override GRC elements In the protection override dump path, the firmware can return far too many GRC elements, resulting in attempting to write past the end of the previously-kmalloc'ed dump buffer. This will result in a kernel panic with reason: BUG: unable to

CVE-2025-38197 [MEDIUM] CVE-2025-38197: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet list will result in

CVE-2025-38065 [MEDIUM] CVE-2025-38065: linux - In the Linux kernel, the following vulnerability has been resolved: orangefs: D... In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.12.32-1) sid: re