Debian Linux-6.1 vulnerabilities

CVE-2025-71150 [MEDIUM] CVE-2025-71150: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference coun

CVE-2025-38074 [MEDIUM] CVE-2025-38074: linux - In the Linux kernel, the following vulnerability has been resolved: vhost-scsi:... In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used v

CVE-2025-22007 [MEDIUM] CVE-2025-22007: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.1

CVE-2025-21712 [MEDIUM] CVE-2025-21712: linux - In the Linux kernel, the following vulnerability has been resolved: md/md-bitma... In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), following panic is reported: Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:

CVE-2025-38037 [MEDIUM] CVE-2025-38037: linux - In the Linux kernel, the following vulnerability has been resolved: vxlan: Anno... In the Linux kernel, the following vulnerability has been resolved: vxlan: Annotate FDB data races The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2]. Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE(). [1] BUG: KCSA

CVE-2025-38151 [MEDIUM] CVE-2025-38151: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item curre

CVE-2025-37937 [MEDIUM] CVE-2025-37937: linux - In the Linux kernel, the following vulnerability has been resolved: objtool, me... In the Linux kernel, the following vulnerability has been resolved: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening. Fixes the following warning with an UBSAN kernel: drivers/media/dvb-frontends/dib8000.o: warning: objtool: d

CVE-2025-37867 [MEDIUM] CVE-2025-37867: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Silence oversized kvmalloc() warning syzkaller triggered an oversized kvmalloc() warning. Silence it by adding __GFP_NOWARN. syzkaller log: WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180 CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6 Hardware

CVE-2025-38122 [MEDIUM] CVE-2025-38122: linux - In the Linux kernel, the following vulnerability has been resolved: gve: add mi... In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fa

CVE-2025-21776 [MEDIUM] CVE-2025-21776: linux - In the Linux kernel, the following vulnerability has been resolved: USB: hub: I... In the Linux kernel, the following vulnerability has been resolved: USB: hub: Ignore non-compliant devices with too many configs or interfaces Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer: Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP

CVE-2025-37930 [MEDIUM] CVE-2025-37930: linux - In the Linux kernel, the following vulnerability has been resolved: drm/nouveau... In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fen

CVE-2025-37757 [MEDIUM] CVE-2025-37757: linux - In the Linux kernel, the following vulnerability has been resolved: tipc: fix m... In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb li

CVE-2025-39964 [LOW] CVE-2025-39964: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: af_... In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->wri

CVE-2025-38512 [LOW] CVE-2025-38512: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: preve... In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 bu

CVE-2025-27558 [LOW] CVE-2025-27558: linux - IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. I... IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SSP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for C

CVE-2025-40215 CVE-2025-40215: linux - In the Linux kernel, the following vulnerability has been resolved: xfrm: delet... In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists,

CVE-2025-40284 CVE-2025-40284: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: cancel mesh send timer when hdev removed mesh_send_done timer is not canceled when hdev is removed, which causes crash if the timer triggers after hdev is gone. Cancel the timer when MGMT removes the hdev, like other MGMT timers. Should fix the BUG: sporadically seen by BlueZ test bot (in "M

CVE-2025-40026 CVE-2025-40026: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: D... In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O When completing emulation of instruction that generated a userspace exit for I/O, don't recheck L1 intercepts as KVM has already finished that phase of instruction execution, i.e. has already committed to allowing L2 to perform I/O. If L1

CVE-2025-40286 CVE-2025-40286: linux - In the Linux kernel, the following vulnerability has been resolved: smb/server:... In the Linux kernel, the following vulnerability has been resolved: smb/server: fix possible memory leak in smb2_read() Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). Scope: local bookworm: resolved (fixed in 6.1.159-1) bullseye: resolved forky: resolved (fixed in 6.17.9-1) sid: resolved (fixed in 6.17.9-1) trixie: resolved (fixed in

CVE-2025-40093 CVE-2025-40093: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Refactor bind path to use __free() After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handlin