Debian Linux-6.1 vulnerabilities

CVE-2025-68759 CVE-2025-68759: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtl81... In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA allocations in a loop. When an allocation fails, the previously successful allocations are not freed on exit. Fix that by jumping to err_free_rings label on error, which

CVE-2025-40278 CVE-2025-40278: linux - In the Linux kernel, the following vulnerability has been resolved: net: sched:... In the Linux kernel, the following vulnerability has been resolved: net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-infoleak Fix a KMSAN kernel-infoleak detected by the syzbot . [net?] KMSAN: kernel-infoleak in __skb_datagram_iter In tcf_ife_dump(), the variable 'opt' was partially initialized using a designatied initializer. While the padding bytes are rea

CVE-2025-68815 CVE-2025-68815: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict clas

CVE-2025-40198 CVE-2025-40198: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: avoid... In the Linux kernel, the following vulnerability has been resolved: ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring. Scope: local bookworm: resolved (fix

CVE-2025-40188 CVE-2025-40188: linux - In the Linux kernel, the following vulnerability has been resolved: pwm: berlin... In the Linux kernel, the following vulnerability has been resolved: pwm: berlin: Fix wrong register in suspend/resume The 'enable' register should be BERLIN_PWM_EN rather than BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there will be cpu exception then kernel panic during suspend/resume. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: reso

CVE-2025-68816 CVE-2025-68816: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: f... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: fw_tracer, Validate format string parameters Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware. The firmware tracer receives format strings from the device firmware and us

CVE-2025-40109 CVE-2025-40109: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: rng... In the Linux kernel, the following vulnerability has been resolved: crypto: rng - Ensure set_ent is always present Ensure that set_ent is always set since only drbg provides it. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved (fixed in 5.10.247-1) forky: resolved (fixed in 6.17.6-1) sid: resolved (fixed in 6.17.6-1) trixie: resolved (fixed in 6.12.57-

CVE-2025-39977 CVE-2025-39977: linux - In the Linux kernel, the following vulnerability has been resolved: futex: Prev... In the Linux kernel, the following vulnerability has been resolved: futex: Prevent use-after-free during requeue-PI syzbot managed to trigger the following race: T1 T2 futex_wait_requeue_pi() futex_do_wait() schedule() futex_requeue() futex_proxy_trylock_atomic() futex_requeue_pi_prepare() requeue_pi_wake_futex() futex_requeue_pi_complete() /* preempt */ * timeout/ signal wa

CVE-2025-40080 CVE-2025-40080: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: restri... In the Linux kernel, the following vulnerability has been resolved: nbd: restrict sockets to TCP and UDP Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets. Scope: local bookworm: resolved (fixed

CVE-2025-40292 CVE-2025-40292: linux - In the Linux kernel, the following vulnerability has been resolved: virtio-net:... In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big

CVE-2025-68806 CVE-2025-68806: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix buffer validation by including null terminator size in EA length The smb2_set_ea function, which handles Extended Attributes (EA), was performing buffer validation checks that incorrectly omitted the size of the null terminating character (+1 byte) for EA Name. This patch fixes the issue by explic

CVE-2025-40253 CVE-2025-40253: linux - In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: ... In the Linux kernel, the following vulnerability has been resolved: s390/ctcm: Fix double-kfree The function 'mpc_rcvd_sweep_req(mpcginfo)' is called conditionally from function 'ctcmpc_unpack_skb'. It frees passed mpcginfo. After that a call to function 'kfree' in function 'ctcmpc_unpack_skb' frees it again. Remove 'kfree' call in function 'mpc_rcvd_sweep_req(mpcginfo)'. Bu

CVE-2025-68192 CVE-2025-68192: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: q... In the Linux kernel, the following vulnerability has been resolved: net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup Raw IP packets have no MAC header, leaving skb->mac_header uninitialized. This can trigger kernel panics on ARM64 when xfrm or other subsystems access the offset due to strict alignment checks. Initialize the MAC header to prevent such crash

CVE-2025-40106 CVE-2025-40106: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: fix... In the Linux kernel, the following vulnerability has been resolved: comedi: fix divide-by-zero in comedi_buf_munge() The comedi_buf_munge() function performs a modulo operation `async->munge_chan %= async->cmd.chanlist_len` without first checking if chanlist_len is zero. If a user program submits a command with chanlist_len set to zero, this causes a divide-by-zero error whe

CVE-2025-68764 CVE-2025-68764: linux - In the Linux kernel, the following vulnerability has been resolved: NFS: Automo... In the Linux kernel, the following vulnerability has been resolved: NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags When a filesystem is being automounted, it needs to preserve the user-set superblock mount options, such as the "ro" flag. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-1) forky: resolved (fixe

CVE-2025-40111 CVE-2025-40111: linux - In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx:... In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix Use-after-free in validation Nodes stored in the validation duplicates hashtable come from an arena allocator that is cleared at the end of vmw_execbuf_process. All nodes are expected to be cleared in vmw_validation_drop_ht but this node escaped because its resource was destroyed prematurely.

CVE-2025-68799 CVE-2025-68799: linux - In the Linux kernel, the following vulnerability has been resolved: caif: fix i... In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2. If an attacker sends a malicious packet with a length field of 0 or 1 to an interface with FCS

CVE-2025-39968 CVE-2025-39968: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: add m... In the Linux kernel, the following vulnerability has been resolved: i40e: add max boundary check for VF filters There is no check for max filters that VF can request. Add it. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved (fixed in 5.10.247-1) forky: resolved (fixed in 6.16.10-1) sid: resolved (fixed in 6.16.10-1) trixie: resolved (fixed in 6.12.57-1

CVE-2025-68231 CVE-2025-68231: linux - In the Linux kernel, the following vulnerability has been resolved: mm/mempool:... In the Linux kernel, the following vulnerability has been resolved: mm/mempool: fix poisoning order>0 pages with HIGHMEM The kernel test has reported: BUG: unable to handle page fault for address: fffba000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 03171067 *pte = 00000000 Oops: Oops: 0002 [#1] CPU: 0 UID: 0 PID: 1 Comm: swa

CVE-2025-68337 CVE-2025-68337: linux - In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid... In the Linux kernel, the following vulnerability has been resolved: jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted There's issue when file system corrupted: ------------[ cut here ]------------ kernel BUG at fs/jbd2/transaction.c:1289! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-n