Debian Linux-6.1 vulnerabilities

CVE-2025-38219 [MEDIUM] CVE-2025-38219: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: preve... In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full) Hardware na

CVE-2025-39801 [MEDIUM] CVE-2025-39801: linux - In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: ... In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-co

CVE-2025-39885 [MEDIUM] CVE-2025-39885: linux - In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix ... In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop

CVE-2025-21926 [MEDIUM] CVE-2025-21926: linux - In the Linux kernel, the following vulnerability has been resolved: net: gso: f... In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_

CVE-2025-22093 [MEDIUM] CVE-2025-22093: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid NPD when ASIC does not support DMUB ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is tested in dm_dmub_sw_init. However, it will be dereferenced in dmub_hw_lock_mgr_cmd if should_use_dmub_lock returns true. This has been the case since dmub support has be

CVE-2025-71144 [MEDIUM] CVE-2025-71144: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: ensu... In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anymore the re

CVE-2025-71126 [MEDIUM] CVE-2025-71126: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: avoi... In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted -------------------------------------------- mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fal

CVE-2025-71085 [MEDIUM] CVE-2025-71085: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG()... In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise we will trigger a

CVE-2025-21779 [MEDIUM] CVE-2025-21779: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: R... In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't r

CVE-2025-68725 [MEDIUM] CVE-2025-68725: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Do not... In the Linux kernel, the following vulnerability has been resolved: bpf: Do not let BPF test infra emit invalid GSO types to stack Yinhao et al. reported that their fuzzer tool was able to trigger a skb_warn_bad_offload() from netif_skb_features() -> gso_features_check(). When a BPF program - triggered via BPF test infra - pushes the packet to the loopback device vi

CVE-2025-39916 [MEDIUM] CVE-2025-39916: linux - In the Linux kernel, the following vulnerability has been resolved: mm/damon/re... In the Linux kernel, the following vulnerability has been resolved: mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters() When creating a new scheme of DAMON_RECLAIM, the calculation of 'min_age_region' uses 'aggr_interval' as the divisor, which may lead to division-by-zero errors. Fix it by directly returning -EINVAL when such a case occurs. Sc

CVE-2025-38326 [MEDIUM] CVE-2025-38326: linux - In the Linux kernel, the following vulnerability has been resolved: aoe: clean ... In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which caused blk_

CVE-2025-38473 [MEDIUM] CVE-2025-38473: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2c

CVE-2025-21937 [MEDIUM] CVE-2025-21937: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved forky: resolved (fixed in 6.12.19-1) sid: resolved (fi

CVE-2025-21765 [MEDIUM] CVE-2025-21765: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: use R... In the Linux kernel, the following vulnerability has been resolved: ipv6: use RCU protection in ip6_default_advmss() ip6_default_advmss() needs rcu protection to make sure the net structure it reads does not disappear. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.12.16-1) sid: resolved (fix

CVE-2025-39673 [MEDIUM] CVE-2025-39673: linux - In the Linux kernel, the following vulnerability has been resolved: ppp: fix ra... In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an

CVE-2025-37969 [MEDIUM] CVE-2025-37969: linux - In the Linux kernel, the following vulnerability has been resolved: iio: imu: s... In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo Prevent st_lsm6dsx_read_tagged_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullseye: resolved (fixed in 5.10.

CVE-2025-22055 [MEDIUM] CVE-2025-22055: linux - In the Linux kernel, the following vulnerability has been resolved: net: fix ge... In the Linux kernel, the following vulnerability has been resolved: net: fix geneve_opt length integer overflow struct geneve_opt uses 5 bit length for each single option, which means every vary size option should be smaller than 128 bytes. However, all current related Netlink policies cannot promise this length condition and the attacker can exploit a exact 128-byt

CVE-2025-38384 [MEDIUM] CVE-2025-38384: linux - In the Linux kernel, the following vulnerability has been resolved: mtd: spinan... In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak of ECC engine conf Memory allocated for the ECC engine conf is not released during spinand cleanup. Below kmemleak trace is seen for this memory leak: unreferenced object 0xffffff80064f00e0 (size 8): comm "swapper/0", pid 1, jiffies 4294937458 hex dump (first 8 bytes):

CVE-2025-39848 [MEDIUM] CVE-2025-39848: linux - In the Linux kernel, the following vulnerability has been resolved: ax25: prope... In the Linux kernel, the following vulnerability has been resolved: ax25: properly unshare skbs in ax25_kiss_rcv() Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs or corruptions could