Debian Linux-6.1 vulnerabilities

CVE-2025-38546 [MEDIUM] CVE-2025-38546: linux - In the Linux kernel, the following vulnerability has been resolved: atm: clip: ... In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL

CVE-2025-38200 [MEDIUM] CVE-2025-38200: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: fix M... In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. Scope: local bookworm: resolved (fixed in

CVE-2025-38721 [MEDIUM] CVE-2025-38721: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented.

CVE-2025-39715 [MEDIUM] CVE-2025-39715: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Rev... In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The ke

CVE-2025-40251 [MEDIUM] CVE-2025-40251: linux - In the Linux kernel, the following vulnerability has been resolved: devlink: ra... In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, with

CVE-2025-71127 [MEDIUM] CVE-2025-71127: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted a

CVE-2025-38193 [MEDIUM] CVE-2025-38193: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sf

CVE-2025-37740 [MEDIUM] CVE-2025-37740: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: add sa... In the Linux kernel, the following vulnerability has been resolved: jfs: add sanity check for agwidth in dbMount The width in dmapctl of the AG is zero, it trigger a divide error when calculating the control page level in dbAllocAG. To avoid this issue, add a check for agwidth in dbAllocAG. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fix

CVE-2025-37970 [MEDIUM] CVE-2025-37970: linux - In the Linux kernel, the following vulnerability has been resolved: iio: imu: s... In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullseye: resolved (fixed in 5.10.244-1) forky:

CVE-2025-21766 [MEDIUM] CVE-2025-21766: linux - In the Linux kernel, the following vulnerability has been resolved: ipv4: use R... In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: open forky: resolved (fixed in 6.12.16-1) sid: resolved (fixed in 6.12.16-1) trix

CVE-2025-21912 [MEDIUM] CVE-2025-21912: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: rcar:... In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ]

CVE-2025-37881 [MEDIUM] CVE-2025-37881: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference iss

CVE-2025-38444 [MEDIUM] CVE-2025-38444: linux - In the Linux kernel, the following vulnerability has been resolved: raid10: cle... In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffies 4298078271 hex du

CVE-2025-38495 [MEDIUM] CVE-2025-38495: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes f

CVE-2025-38043 [MEDIUM] CVE-2025-38043: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124 Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: reso

CVE-2025-38067 [MEDIUM] CVE-2025-38067: linux - In the Linux kernel, the following vulnerability has been resolved: rseq: Fix s... In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field does

CVE-2025-38608 [MEDIUM] CVE-2025-38608: linux - In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: ... In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in tra

CVE-2025-22050 [MEDIUM] CVE-2025-22050: linux - In the Linux kernel, the following vulnerability has been resolved: usbnet:fix ... In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SK

CVE-2025-22081 [MEDIUM] CVE-2025-22081: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: F... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can have an integer wrapping issue. Fix it by using size_add(). Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6.12.25-1) sid: res

CVE-2025-21948 [MEDIUM] CVE-2025-21948: linux - In the Linux kernel, the following vulnerability has been resolved: HID: applei... In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instr