Debian Linux-6.1 vulnerabilities

CVE-2025-38668 [MEDIUM] CVE-2025-38668: linux - In the Linux kernel, the following vulnerability has been resolved: regulator: ... In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on

CVE-2025-37790 [MEDIUM] CVE-2025-37790: linux - In the Linux kernel, the following vulnerability has been resolved: net: mctp: ... In the Linux kernel, the following vulnerability has been resolved: net: mctp: Set SOCK_RCU_FREE Bind lookup runs under RCU, so ensure that a socket doesn't go away in the middle of a lookup. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6.12.25-1) sid: resolved (fixed in 6.12.25-1) trixie: resolved (fixed in 6.12.

CVE-2025-21799 [MEDIUM] CVE-2025-21799: linux - In the Linux kernel, the following vulnerability has been resolved: net: ethern... In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns negative error value on error. So not NULL check is not sufficient to deteremine if IRQ is valid. Check that IRQ is greater then zero to ensure it is v

CVE-2025-39827 [MEDIUM] CVE-2025-39827: linux - In the Linux kernel, the following vulnerability has been resolved: net: rose: ... In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This pat

CVE-2025-39795 [MEDIUM] CVE-2025-39795: linux - In the Linux kernel, the following vulnerability has been resolved: block: avoi... In the Linux kernel, the following vulnerability has been resolved: block: avoid possible overflow for chunk_sectors check in blk_stack_limits() In blk_stack_limits(), we check that the t->chunk_sectors value is a multiple of the t->physical_block_size value. However, by finding the chunk_sectors value in bytes, we may overflow the unsigned int which holds chunk_sec

CVE-2025-38591 [MEDIUM] CVE-2025-38591: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Reject... In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because

CVE-2025-21835 [MEDIUM] CVE-2025-21835: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. This does not matter when the numbers of

CVE-2025-21728 [MEDIUM] CVE-2025-21728: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Send s... In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. Scope: local b

CVE-2025-38136 [MEDIUM] CVE-2025-38136: linux - In the Linux kernel, the following vulnerability has been resolved: usb: renesa... In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabl

CVE-2025-21975 [MEDIUM] CVE-2025-21975: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: h... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and

CVE-2025-38418 [MEDIUM] CVE-2025-38418: linux - In the Linux kernel, the following vulnerability has been resolved: remoteproc:... In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory leak will occur. unr

CVE-2025-38007 [MEDIUM] CVE-2025-38007: linux - In the Linux kernel, the following vulnerability has been resolved: HID: uclogi... In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. Scope:

CVE-2025-38528 [MEDIUM] CVE-2025-38528: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Reject... In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 fo

CVE-2025-21669 [MEDIUM] CVE-2025-21669: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/virti... In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the

CVE-2025-39713 [MEDIUM] CVE-2025-39713: linux - In the Linux kernel, the following vulnerability has been resolved: media: rain... In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently a

CVE-2025-21802 [MEDIUM] CVE-2025-21802: linux - In the Linux kernel, the following vulnerability has been resolved: net: hns3: ... In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_loc

CVE-2025-21891 [MEDIUM] CVE-2025-21891: linux - In the Linux kernel, the following vulnerability has been resolved: ipvlan: ens... In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/

CVE-2025-38602 [MEDIUM] CVE-2025-38602: linux - In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Ad... In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer. Scope: local bookworm: resolved (fixed in 6.1.148-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in

CVE-2025-37905 [MEDIUM] CVE-2025-37905: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release method

CVE-2025-38335 [MEDIUM] CVE-2025-38335: linux - In the Linux kernel, the following vulnerability has been resolved: Input: gpio... In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called f