Debian Linux-6.1 vulnerabilities

CVE-2025-21846 [MEDIUM] CVE-2025-21846: linux - In the Linux kernel, the following vulnerability has been resolved: acct: perfo... In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the writ

CVE-2025-39865 [MEDIUM] CVE-2025-39865: linux - In the Linux kernel, the following vulnerability has been resolved: tee: fix NU... In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging r

CVE-2025-38477 [MEDIUM] CVE-2025-38477: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-f

CVE-2025-21662 [MEDIUM] CVE-2025-21662: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: F... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix variable not being completed when function returns When cmd_alloc_index(), fails cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang: mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocat

CVE-2025-37920 [MEDIUM] CVE-2025-37920: linux - In the Linux kernel, the following vulnerability has been resolved: xsk: Fix ra... In the Linux kernel, the following vulnerability has been resolved: xsk: Fix race condition in AF_XDP generic RX path Move rx_lock from xsk_socket to xsk_buff_pool. Fix synchronization for shared umem mode in generic RX path where multiple sockets share single xsk_buff_pool. RX queue is exclusive to xsk_socket, while FILL queue can be shared between multiple sockets

CVE-2025-71183 [MEDIUM] CVE-2025-71183: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: alwa... In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and a

CVE-2025-38439 [MEDIUM] CVE-2025-38439: linux - In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Se... In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x15

CVE-2025-38406 [MEDIUM] CVE-2025-38406: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath6k... In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on bad firmware input If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, print the si

CVE-2025-39907 [MEDIUM] CVE-2025-39907: linux - In the Linux kernel, the following vulnerability has been resolved: mtd: rawnan... In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Avoid below overlapping mappings by using a contiguous non-cacheable buffer. [ 4.077708] DMA-API: stm32_fmc2_nfc 48810000.nand-controller: cacheline tracking EEXIST, overlapping mappings aren't supported [ 4.089103] WARNING: CPU: 1 P

CVE-2025-38277 [MEDIUM] CVE-2025-38277: linux - In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ... In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel cras

CVE-2025-38115 [MEDIUM] CVE-2025-38115: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.

CVE-2025-37964 [MEDIUM] CVE-2025-37964: linux - In the Linux kernel, the following vulnerability has been resolved: x86/mm: Eli... In the Linux kernel, the following vulnerability has been resolved: x86/mm: Eliminate window where TLB flushes may be inadvertently skipped tl;dr: There is a window in the mm switching code where the new CR3 is set and the CPU should be getting TLB flushes for the new mm. But should_flush_tlb() has a bug and suppresses the flush. Fix it by widening the window where

CVE-2025-40300 [MEDIUM] CVE-2025-40300: linux - In the Linux kernel, the following vulnerability has been resolved: x86/vmscape... In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flu

CVE-2025-21645 [MEDIUM] CVE-2025-21645: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it Wakeup for IRQ1 should be disabled only in cases where i8042 had actually enabled it, otherwise "wake_depth" for this IRQ will try to drop below zero and there will be an unpleasant WARN() logged: kernel: atkbd serio0: Di

CVE-2025-21944 [MEDIUM] CVE-2025-21944: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix bug on trap in smb2_lock If lock count is greater than 1, flags could be old value. It should be checked with flags of smb_lock, not flags. It will cause bug-on trap from locks_free_lock in error handling routine. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved for

CVE-2025-38455 [MEDIUM] CVE-2025-38455: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: R... In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vC

CVE-2025-38262 [MEDIUM] CVE-2025-38262: linux - In the Linux kernel, the following vulnerability has been resolved: tty: serial... In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass

CVE-2025-68340 [MEDIUM] CVE-2025-68340: linux - In the Linux kernel, the following vulnerability has been resolved: team: Move ... In the Linux kernel, the following vulnerability has been resolved: team: Move team device type change at the end of team_port_add Attempting to add a port device that is already up will expectedly fail, but not before modifying the team device header_ops. In the case of the syzbot reproducer the gre0 device is already in state UP when it attempts to add it as a por

CVE-2025-21738 [MEDIUM] CVE-2025-21738: linux - In the Linux kernel, the following vulnerability has been resolved: ata: libata... In the Linux kernel, the following vulnerability has been resolved: ata: libata-sff: Ensure that we cannot write outside the allocated buffer reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to write

CVE-2025-21675 [MEDIUM] CVE-2025-21675: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: C... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Clear port select structure when fail to create Clear the port select structure on error so no stale values left after definers are destroyed. That's because the mlx5_lag_destroy_definers() always try to destroy all lag definers in the tt_map, so in the flow below lag definers get double-d