Debian Linux-6.1 vulnerabilities

CVE-2026-23190 [MEDIUM] CVE-2026-23190: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: ... In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved (fixed in 5.10.251-1) forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixie: resolved (fixed in 6.12.73-1)

CVE-2026-23091 [MEDIUM] CVE-2026-23091: linux - In the Linux kernel, the following vulnerability has been resolved: intel_th: f... In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on s

CVE-2026-22990 [MEDIUM] CVE-2026-22990: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: re... In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. Scope: local bookworm: resolved (

CVE-2026-22978 [LOW] CVE-2026-22978: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: avoid... In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structur

CVE-2026-23049 CVE-2026-23049: linux - In the Linux kernel, the following vulnerability has been resolved: drm/panel-s... In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: " WARNING: CPU:

CVE-2026-23182 CVE-2026-23182: linux - In the Linux kernel, the following vulnerability has been resolved: spi: tegra:... In the Linux kernel, the following vulnerability has been resolved: spi: tegra: Fix a memory leak in tegra_slink_probe() In tegra_slink_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. Scope: local bookworm: resolved (fixed in 6.1.164-1) bullsey

CVE-2026-23056 CVE-2026-23056: linux - In the Linux kernel, the following vulnerability has been resolved: uacce: impl... In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the

CVE-2026-23058 CVE-2026-23058: linux - In the Linux kernel, the following vulnerability has been resolved: can: ems_us... In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the c

CVE-2026-23037 CVE-2026-23037: linux - In the Linux kernel, the following vulnerability has been resolved: can: etas_e... In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label 'free_urbs', which leads to the anchored URBs b

CVE-2026-23038 CVE-2026-23038: linux - In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfi... In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddr

CVE-2026-23054 CVE-2026-23054: linux - In the Linux kernel, the following vulnerability has been resolved: net: hv_net... In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang.

CVE-2026-23176 CVE-2026-23176: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: toshiba_haps: Fix memory leaks in add/remove routines toshiba_haps_add() leaks the haps object allocated by it if it returns an error after allocating that object successfully. toshiba_haps_remove() does not free the object pointed to by toshiba_haps before clearing that pointer, so it becomes

CVE-2026-23047 CVE-2026-23047: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: ma... In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine

CVE-2026-23031 CVE-2026-23031: linux - In the Linux kernel, the following vulnerability has been resolved: can: gs_usb... In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are

CVE-2026-23030 CVE-2026-23030: linux - In the Linux kernel, the following vulnerability has been resolved: phy: rockch... In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_nod

CVE-2026-23033 CVE-2026-23033: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release th

CVE-2025-68263 [CRITICAL] CVE-2025-68263: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc:... In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request

CVE-2025-39946 [CRITICAL] CVE-2025-39946: linux - In the Linux kernel, the following vulnerability has been resolved: tls: make s... In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out l

CVE-2025-37924 [CRITICAL] CVE-2025-37924: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but

CVE-2025-22088 [HIGH] CVE-2025-22088: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma:... In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6