Debian Linux-6.1 vulnerabilities

CVE-2025-21636 [MEDIUM] CVE-2025-21636: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: sysct... In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - cur

CVE-2025-22027 [MEDIUM] CVE-2025-22027: linux - In the Linux kernel, the following vulnerability has been resolved: media: stre... In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, wh

CVE-2025-21853 [MEDIUM] CVE-2025-21853: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: avoid ... In the Linux kernel, the following vulnerability has been resolved: bpf: avoid holding freeze_mutex during mmap operation We use map->freeze_mutex to prevent races between map_freeze() and memory mapping BPF map contents with writable permissions. The way we naively do this means we'll hold freeze_mutex for entire duration of all the mm and VMA manipulations, which

CVE-2025-21838 [MEDIUM] CVE-2025-21838: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->work workqueue. This is observed, for example, with the dwc3 driver with the following call stack: device_del() gadget_unbind_driver() usb_gadget_disconnect_locked() dwc3_gadge

CVE-2025-38090 [MEDIUM] CVE-2025-38090: linux - In the Linux kernel, the following vulnerability has been resolved: drivers/rap... In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that rioc

CVE-2025-21866 [MEDIUM] CVE-2025-21866: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/cod... In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by t

CVE-2025-22095 [MEDIUM] CVE-2025-22095: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: brcmst... In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While

CVE-2025-71185 [MEDIUM] CVE-2025-71185: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-1) forky: resolved (fi

CVE-2025-21986 [MEDIUM] CVE-2025-21986: linux - In the Linux kernel, the following vulnerability has been resolved: net: switch... In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers to / from the chain and acquired for reading when traversing the ch

CVE-2025-21668 [MEDIUM] CVE-2025-21668: linux - In the Linux kernel, the following vulnerability has been resolved: pmdomain: i... In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: add missing loop break condition Currently imx8mp_blk_ctrl_remove() will continue the for loop until an out-of-bounds exception occurs. pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_pm_domain_detach+0x8/0x48 lr : imx8mp_blk_ctrl_shutdown+0x58/0x9

CVE-2025-37932 [MEDIUM] CVE-2025-37932: linux - In the Linux kernel, the following vulnerability has been resolved: sch_htb: ma... In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_qlen_notify() idempotent htb_qlen_notify() always deactivates the HTB class and in fact could trigger a warning if it is already deactivated. Therefore, it is not idempotent and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce

CVE-2025-39718 [MEDIUM] CVE-2025-39718: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/virti... In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Validate length in packet header before skb_put() When receiving a vsock packet in the guest, only the virtqueue buffer size is validated prior to virtio_vsock_skb_rx_put(). Unfortunately, virtio_vsock_skb_rx_put() uses the length from the packet header as the length argument to skb_pu

CVE-2025-38635 [MEDIUM] CVE-2025-38635: linux - In the Linux kernel, the following vulnerability has been resolved: clk: davinc... In the Linux kernel, the following vulnerability has been resolved: clk: davinci: Add NULL check in davinci_lpsc_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, davinci_lpsc_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and en

CVE-2025-39794 [MEDIUM] CVE-2025-39794: linux - In the Linux kernel, the following vulnerability has been resolved: ARM: tegra:... In the Linux kernel, the following vulnerability has been resolved: ARM: tegra: Use I/O memcpy to write to IRAM Kasan crashes the kernel trying to check boundaries when using the normal memcpy. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in 6.16.3-1) trixie: re

CVE-2025-21787 [MEDIUM] CVE-2025-21787: linux - In the Linux kernel, the following vulnerability has been resolved: team: bette... In the Linux kernel, the following vulnerability has been resolved: team: better TEAM_OPTION_TYPE_STRING validation syzbot reported following splat [1] Make sure user-provided data contains one nul byte. [1] BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 string_nocheck lib/vspr

CVE-2025-39731 [MEDIUM] CVE-2025-39731: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_un... In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test: f2fs/007 5s ... [12:59:38][ 8.902525

CVE-2025-21666 [MEDIUM] CVE-2025-21666: linux - In the Linux kernel, the following vulnerability has been resolved: vsock: prev... In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have mor

CVE-2025-38723 [MEDIUM] CVE-2025-38723: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ... In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset)

CVE-2025-71120 [MEDIUM] CVE-2025-71120: linux - In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svc... In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the cop

CVE-2025-71088 [MEDIUM] CVE-2025-71088: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: fall... In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tai