Debian Linux-6.1 vulnerabilities

CVE-2025-39706 [MEDIUM] CVE-2025-39706: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd:... In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Since KFD proc content was moved to kernel debugfs, we can't destroy KFD debugfs before kfd_process_destroy_wq. Move kfd_process_destroy_wq prior to kfd_debugfs_fini to fix a kernel NULL pointer problem. It happens when /sys/kernel/debug/kfd was a

CVE-2025-21978 [MEDIUM] CVE-2025-21978: linux - In the Linux kernel, the following vulnerability has been resolved: drm/hyperv:... In the Linux kernel, the following vulnerability has been resolved: drm/hyperv: Fix address space leak when Hyper-V DRM device is removed When a Hyper-V DRM device is probed, the driver allocates MMIO space for the vram, and maps it cacheable. If the device removed, or in the error path for device probing, the MMIO space is released but no unmap is done. Consequentl

CVE-2025-39782 [MEDIUM] CVE-2025-39782: linux - In the Linux kernel, the following vulnerability has been resolved: jbd2: preve... In the Linux kernel, the following vulnerability has been resolved: jbd2: prevent softlockup in jbd2_log_do_checkpoint() Both jbd2_log_do_checkpoint() and jbd2_journal_shrink_checkpoint_list() periodically release j_list_lock after processing a batch of buffers to avoid long hold times on the j_list_lock. However, since both functions contend for j_list_lock, the co

CVE-2025-38158 [MEDIUM] CVE-2025-38158: linux - In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vf... In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined in

CVE-2025-21956 [MEDIUM] CVE-2025-21956: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6

CVE-2025-23146 [MEDIUM] CVE-2025-23146: linux - In the Linux kernel, the following vulnerability has been resolved: mfd: ene-kb... In the Linux kernel, the following vulnerability has been resolved: mfd: ene-kb3930: Fix a potential NULL pointer dereference The off_gpios could be NULL. Add missing check in the kb3930_probe(). This is similar to the issue fixed in commit b1ba8bcb2d1f ("backlight: hx8357: Fix potential NULL pointer dereference"). This was detected by our static analysis tool. Scop

CVE-2025-21639 [MEDIUM] CVE-2025-21639: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: sysct... In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: rto_min/max: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->nspro

CVE-2025-38251 [MEDIUM] CVE-2025-38251: linux - In the Linux kernel, the following vulnerability has been resolved: atm: clip: ... In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.244-1) fork

CVE-2025-38700 [MEDIUM] CVE-2025-38700: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: libis... In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads invalid point

CVE-2025-38577 [MEDIUM] CVE-2025-38577: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid panic in f2fs_evict_inode As syzbot [1] reported as below: R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 ---[ end trace 0000000000000000 ]--- =====================================================

CVE-2025-38003 [MEDIUM] CVE-2025-38003: linux - In the Linux kernel, the following vulnerability has been resolved: can: bcm: a... In the Linux kernel, the following vulnerability has been resolved: can: bcm: add missing rcu read protection for procfs content When the procfs content is generated for a bcm_op which is in the process to be removed the procfs output might show unreliable data (UAF). As the removal of bcm_op's is already implemented with rcu handling this patch adds the missing rcu

CVE-2025-37994 [MEDIUM] CVE-2025-37994: linux - In the Linux kernel, the following vulnerability has been resolved: usb: typec:... In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal. Scope: local bookworm: resolved (fixed in 6.1.139-1) bullseye: resolved (f

CVE-2025-71094 [MEDIUM] CVE-2025-71094: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: a... In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: drivers/net/ph

CVE-2025-38520 [MEDIUM] CVE-2025-38520: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd:... In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadloc

CVE-2025-38319 [MEDIUM] CVE-2025-38319: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, i

CVE-2025-39953 [MEDIUM] CVE-2025-39953: linux - In the Linux kernel, the following vulnerability has been resolved: cgroup: spl... In the Linux kernel, the following vulnerability has been resolved: cgroup: split cgroup_destroy_wq into 3 workqueues A hung task can occur during [1] LTP cgroup testing when repeatedly mounting/unmounting perf_event and net_prio controllers with systemd.unified_cgroup_hierarchy=1. The hang manifests in cgroup_lock_and_drain_offline() during root destruction. Relate

CVE-2025-39709 [MEDIUM] CVE-2025-39709: linux - In the Linux kernel, the following vulnerability has been resolved: media: venu... In the Linux kernel, the following vulnerability has been resolved: media: venus: protect against spurious interrupts during probe Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. T

CVE-2025-22025 [MEDIUM] CVE-2025-22025: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: put d... In the Linux kernel, the following vulnerability has been resolved: nfsd: put dl_stid if fail to queue dl_recall Before calling nfsd4_run_cb to queue dl_recall to the callback_wq, we increment the reference count of dl_stid. We expect that after the corresponding work_struct is processed, the reference count of dl_stid will be decremented through the callback functi

CVE-2025-21935 [MEDIUM] CVE-2025-21935: linux - In the Linux kernel, the following vulnerability has been resolved: rapidio: ad... In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net(). Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resol

CVE-2025-21706 [MEDIUM] CVE-2025-21706: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ... In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: only set fullmesh for subflow endp With the in-kernel path-manager, it is possible to change the 'fullmesh' flag. The code in mptcp_pm_nl_fullmesh() expects to change it only on 'subflow' endpoints, to recreate more or less subflows using the linked address. Unfortunately, the set_flags()