Debian Linux-6.1 vulnerabilities

CVE-2025-21878 [MEDIUM] CVE-2025-21878: linux - In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: ... In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status w

CVE-2025-21748 [MEDIUM] CVE-2025-21748: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memory corruption. Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved

CVE-2025-68288 [MEDIUM] CVE-2025-68288: linux - In the Linux kernel, the following vulnerability has been resolved: usb: storag... In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport A kernel memory leak was identified by the 'ioctl_sg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates

CVE-2025-37792 [MEDIUM] CVE-2025-37792: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followe

CVE-2025-37812 [MEDIUM] CVE-2025-37812: linux - In the Linux kernel, the following vulnerability has been resolved: usb: cdns3:... In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Fix deadlock when using NCM gadget The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --b

CVE-2025-38324 [MEDIUM] CVE-2025-38324: linux - In the Linux kernel, the following vulnerability has been resolved: mpls: Use r... In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence the splat. [0

CVE-2025-21758 [MEDIUM] CVE-2025-21758: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast... In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RC

CVE-2025-37961 [MEDIUM] CVE-2025-37961: linux - In the Linux kernel, the following vulnerability has been resolved: ipvs: fix u... In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can

CVE-2025-37912 [MEDIUM] CVE-2025-37912: linux - In the Linux kernel, the following vulnerability has been resolved: ice: Check ... In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer values"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullsey

CVE-2025-39703 [MEDIUM] CVE-2025-39703: linux - In the Linux kernel, the following vulnerability has been resolved: net, hsr: r... In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bri

CVE-2025-38575 [MEDIUM] CVE-2025-38575: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: use ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: use aead_request_free to match aead_request_alloc Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved fork

CVE-2025-21925 [MEDIUM] CVE-2025-21925: linux - In the Linux kernel, the following vulnerability has been resolved: llc: do not... In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver

CVE-2025-39684 [MEDIUM] CVE-2025-39684: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: Fix... In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back t

CVE-2025-21830 [MEDIUM] CVE-2025-21830: linux - In the Linux kernel, the following vulnerability has been resolved: landlock: H... In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved forky: resolved (fixed in 6.12.13-1) sid:

CVE-2025-37931 [MEDIUM] CVE-2025-37931: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: adju... In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing

CVE-2025-23140 [MEDIUM] CVE-2025-23140: linux - In the Linux kernel, the following vulnerability has been resolved: misc: pci_e... In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unrelea

CVE-2025-71190 [MEDIUM] CVE-2025-71190: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-1) forky: resolved (fixed in 6.18

CVE-2025-38487 [MEDIUM] CVE-2025-38487: linux - In the Linux kernel, the following vulnerability has been resolved: soc: aspeed... In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000

CVE-2025-39844 [MEDIUM] CVE-2025-39844: linux - In the Linux kernel, the following vulnerability has been resolved: mm: move pa... In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write

CVE-2025-22008 [MEDIUM] CVE-2025-22008: linux - In the Linux kernel, the following vulnerability has been resolved: regulator: ... In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved (fixed in 5.10.237-1) forky: