Debian Linux-6.1 vulnerabilities

CVE-2025-21994 [MEDIUM] CVE-2025-21994: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix incorrect validation for num_aces field of smb_acl parse_dcal() validate num_aces to allocate posix_ace_state_array. if (num_aces > ULONG_MAX / sizeof(struct smb_ace *)) It is an incorrect validation that we can create an array of size ULONG_MAX. smb_acl has ->size field to calculate actu

CVE-2025-37875 [MEDIUM] CVE-2025-37875: linux - In the Linux kernel, the following vulnerability has been resolved: igc: fix PT... In the Linux kernel, the following vulnerability has been resolved: igc: fix PTM cycle trigger logic Writing to clear the PTM status 'valid' bit while the PTM cycle is triggered results in unreliable PTM operation. To fix this, clear the PTM 'trigger' and status after each PTM transaction. The issue can be reproduced with the following: $ sudo phc2sys -R 1000 -O 0 -

CVE-2025-38125 [MEDIUM] CVE-2025-38125: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac... In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error

CVE-2025-39737 [MEDIUM] CVE-2025-39737: linux - In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak... In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relative small system x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] The test system was runnin

CVE-2025-21665 [MEDIUM] CVE-2025-21665: linux - In the Linux kernel, the following vulnerability has been resolved: filemap: av... In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Scope: local bookworm: resolved (fixed in 6.1.128-1) bullseye: resolved forky: r

CVE-2025-38061 [MEDIUM] CVE-2025-38061: linux - In the Linux kernel, the following vulnerability has been resolved: net: pktgen... In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.

CVE-2025-37983 [MEDIUM] CVE-2025-37983: linux - In the Linux kernel, the following vulnerability has been resolved: qibfs: fix ... In the Linux kernel, the following vulnerability has been resolved: qibfs: fix _another_ leak failure to allocate inode => leaked dentry... this one had been there since the initial merge; to be fair, if we are that far OOM, the odds of failing at that particular allocation are low... Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye: resolved (fixed in

CVE-2025-21871 [MEDIUM] CVE-2025-21871: linux - In the Linux kernel, the following vulnerability has been resolved: tee: optee:... In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client app

CVE-2025-22033 [MEDIUM] CVE-2025-22033: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: Don'... In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SI

CVE-2025-38465 [MEDIUM] CVE-2025-38465: linux - In the Linux kernel, the following vulnerability has been resolved: netlink: Fi... In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc.")

CVE-2025-38684 [MEDIUM] CVE-2025-38684: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup shou

CVE-2025-38441 [MEDIUM] CVE-2025-38441: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flo

CVE-2025-39716 [MEDIUM] CVE-2025-39716: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Rev... In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus,

CVE-2025-21875 [MEDIUM] CVE-2025-21875: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: alwa... In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mp

CVE-2025-37897 [MEDIUM] CVE-2025-37897: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: plfxl... In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases

CVE-2025-38645 [MEDIUM] CVE-2025-38645: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: C... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Check device memory pointer before usage Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails. Scope: local bookworm: resolved (fixed in 6.1.148-1) bullseye: open forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in 6.16.

CVE-2025-38031 [MEDIUM] CVE-2025-38031: linux - In the Linux kernel, the following vulnerability has been resolved: padata: do ... In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decreme

CVE-2025-71232 [MEDIUM] CVE-2025-71232: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla2x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Free sp in error path to fix system crash System crash seen during load/unload test in a loop, [61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X. [61110.467494] ============================================================================= [61110.467498] BUG qla2xxx_srbs (Ta

CVE-2025-38215 [MEDIUM] CVE-2025-38215: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix ... In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the m

CVE-2025-38474 [MEDIUM] CVE-2025-38474: linux - In the Linux kernel, the following vulnerability has been resolved: usb: net: s... In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.244-1) fo