Debian Linux-6.1 vulnerabilities

CVE-2025-21963 [MEDIUM] CVE-2025-21963: linux - In the Linux kernel, the following vulnerability has been resolved: cifs: Fix i... In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Cente

CVE-2025-23155 [MEDIUM] CVE-2025-23155: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac... In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Fix accessing freed irq affinity_hint In stmmac_request_irq_multi_msi(), a pointer to the stack variable cpu_mask is passed to irq_set_affinity_hint(). This value is stored in irq_desc->affinity_hint, but once stmmac_request_irq_multi_msi() returns, the pointer becomes dangling. The aff

CVE-2025-37989 [MEDIUM] CVE-2025-37989: linux - In the Linux kernel, the following vulnerability has been resolved: net: phy: l... In the Linux kernel, the following vulnerability has been resolved: net: phy: leds: fix memory leak A network restart test on a router led to an out-of-memory condition, which was traced to a memory leak in the PHY LED trigger code. The root cause is misuse of the devm API. The registration function (phy_led_triggers_register) is called from phy_attach_direct, not p

CVE-2025-38083 [MEDIUM] CVE-2025-38083: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_

CVE-2025-38409 [MEDIUM] CVE-2025-38409: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fi... In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix another leak in the submit error path put_unused_fd() doesn't free the installed file, if we've already done fd_install(). So we need to also free the sync_file. Patchwork: https://patchwork.freedesktop.org/patch/653583/ Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: ope

CVE-2025-71154 [MEDIUM] CVE-2025-71154: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: r... In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is onl

CVE-2025-39734 [MEDIUM] CVE-2025-39734: linux - In the Linux kernel, the following vulnerability has been resolved: Revert "fs/... In the Linux kernel, the following vulnerability has been resolved: Revert "fs/ntfs3: Replace inode_trylock with inode_lock" This reverts commit 69505fe98f198ee813898cbcaf6770949636430b. Initially, conditional lock acquisition was removed to fix an xfstest bug that was observed during internal testing. The deadlock reported by syzbot is resolved by reintroducing con

CVE-2025-38706 [MEDIUM] CVE-2025-38706: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: core:... In the Linux kernel, the following vulnerability has been resolved: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will leads to null pointer dereference. This was reproduced with topology loading and marking a link as ignore due to missing hardware component on the system. On mod

CVE-2025-71079 [MEDIUM] CVE-2025-71079: linux - In the Linux kernel, the following vulnerability has been resolved: net: nfc: f... In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_wri

CVE-2025-37824 [MEDIUM] CVE-2025-37824: linux - In the Linux kernel, the following vulnerability has been resolved: tipc: fix N... In the Linux kernel, the following vulnerability has been resolved: tipc: fix NULL pointer dereference in tipc_mon_reinit_self() syzbot reported: tipc: Node number set to 1055423674 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CP

CVE-2025-37958 [MEDIUM] CVE-2025-37958: linux - In the Linux kernel, the following vulnerability has been resolved: mm/huge_mem... In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry

CVE-2025-38063 [MEDIUM] CVE-2025-38063: linux - In the Linux kernel, the following vulnerability has been resolved: dm: fix unc... In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exist

CVE-2025-39676 [MEDIUM] CVE-2025-39676: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla4x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. Scope: local

CVE-2025-21904 [MEDIUM] CVE-2025-21904: linux - In the Linux kernel, the following vulnerability has been resolved: caif_virtio... In the Linux kernel, the following vulnerability has been resolved: caif_virtio: fix wrong pointer check in cfv_probe() del_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked for NULL before calling it, not cfv->vdev. Also the current implementation is redundant because the pointer cfv->vdev is dereferenced before it is checked for NULL. Fix this

CVE-2025-37787 [MEDIUM] CVE-2025-37787: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: m... In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Russell King reports that a system with mv88e6xxx dereferences a NULL pointer when unbinding this driver: https://lore.kernel.org/netdev/[email protected]/ The crash seems to be in devlink_regio

CVE-2025-38382 [MEDIUM] CVE-2025-38382: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs during log replay At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the next iteration of the

CVE-2025-38058 [MEDIUM] CVE-2025-38058: linux - In the Linux kernel, the following vulnerability has been resolved: __legitimiz... In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe t

CVE-2025-23159 [MEDIUM] CVE-2025-23159: linux - In the Linux kernel, the following vulnerability has been resolved: media: venu... In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. Scope: local bookworm: resolved (fixed in

CVE-2025-38671 [MEDIUM] CVE-2025-38671: linux - In the Linux kernel, the following vulnerability has been resolved: i2c: qup: j... In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a

CVE-2025-71114 [MEDIUM] CVE-2025-71114: linux - In the Linux kernel, the following vulnerability has been resolved: via_wdt: fi... In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as ""