Debian Linux-6.1 vulnerabilities
2,634 known vulnerabilities affecting debian/linux-6.1.
Total CVEs: 2,634
CISA KEV: 5 (actively exploited)
Public exploits: 1
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 728, MEDIUM 1569, LOW 14, UNKNOWN 317
Vulnerabilities
CVE-2026-23006 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
ASoC: tlv320adcx140: fix null pointer
The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv".
Scope: local
bookworm: resolved (fixed in 6.1.162-1)
bullseye: resolved
forky: resolved (fixed in 6.18.8-1

CVE-2026-23090 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
slimbus: core: fix device reference leak on report present
Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device ha

CVE-2026-23087 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove()

CVE-2026-23003 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMS

CVE-2026-23021 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources.
Scope: local
bookworm: resolved (fixed in 6.1.162-1)
bullseye: resolved (fixed in 5.10.249-1)
fo

CVE-2026-23084 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_i

CVE-2026-22997 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Othe

CVE-2026-22977 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to

CVE-2026-23220 [MEDIUM] CVSS 5.5, fixed in linux 6.1.164-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status

CVE-2026-23086 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: cap TX credit to local buffer size
The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled b

CVE-2026-23110 [MEDIUM] CVSS 4.7, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Wake up the error handler when final completions race against each other
The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SC

CVE-2026-23097 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
migrate: correct lock ordering for hugetlb file folios
Syzbot has found a deadlock (analyzed by Lance Yang):
1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).
2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock.
migrate_pages() -> migrate_h

CVE-2026-22991 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
libceph: make free_choose_arg_map() resilient to partial allocation
free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_m

CVE-2026-23238 [MEDIUM] CVSS 5.5, fixed in linux 6.1.164-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using io

CVE-2026-23205 [MEDIUM] CVSS 5.5, fixed in linux 6.1.164-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
smb/client: fix memory leak in smb2_open_file()
Reproducer:
1. server: directories are exported read-only
2. client: mount -t cifs //${server_ip}/export /mnt
3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct
4. client: umount /mnt
5. client: sleep 1
6. client: modprobe -r cifs
T

CVE-2026-23064 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net/sched: act_ife: avoid possible NULL deref
tcf_ife_encode() must make sure ife_encode() does not return NULL.
syzbot reported:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000

CVE-2026-22999 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF.
Scope: local
bookworm: resolved (fixed in 6.1.162-1)
bullseye: resolved (fixed in 5.10.249-

CVE-2026-23005 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features tha

CVE-2026-22982 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: Fix crash when adding interface under a lag
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic an

CVE-2026-23202 [MEDIUM] CVSS 5.5, fixed in linux 6.1.164-1 (bookworm), 2026
In the Linux kernel, the following vulnerability has been resolved:
spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the