Debian Linux-6.1 vulnerabilities

CVE-2025-38579 [HIGH] CVE-2025-38579: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix K... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_i

CVE-2025-71162 [HIGH] CVE-2025-71162: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

CVE-2025-71086 [HIGH] CVE-2025-71086: linux - In the Linux kernel, the following vulnerability has been resolved: net: rose: ... In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this

CVE-2025-38707 [HIGH] CVE-2025-38707: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: A... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name The length of the file name should be smaller than the directory entry size. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in 6.16.3-1) trixie: resolved (fixed in 6.12.43-1)

CVE-2025-37849 [HIGH] CVE-2025-37849: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64:... In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Tear down vGIC on failed vCPU creation If kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, we propagate the error back to the ioctl but leave the vGIC vCPU data initialised. Note only does this leak the corresponding memory when the vCPU is destroyed but it can also

CVE-2025-39790 [HIGH] CVE-2025-39790: linux - In the Linux kernel, the following vulnerability has been resolved: bus: mhi: h... In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when process

CVE-2025-37913 [HIGH] CVE-2025-37913: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the

CVE-2025-21735 [HIGH] CVE-2025-21735: linux - In the Linux kernel, the following vulnerability has been resolved: NFC: nci: A... In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate(). Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237

CVE-2025-21887 [HIGH] CVE-2025-21887: linux - In the Linux kernel, the following vulnerability has been resolved: ovl: fix UA... In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use

CVE-2025-37739 [HIGH] CVE-2025-37739: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() syzbot reports an UBSAN issue as below: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]') CPU: 0

CVE-2025-37899 [HIGH] CVE-2025-37899: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use

CVE-2025-38497 [HIGH] CVE-2025-38497: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a che

CVE-2025-23156 [HIGH] CVE-2025-23156: linux - In the Linux kernel, the following vulnerability has been resolved: media: venu... In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this

CVE-2025-21722 [HIGH] CVE-2025-21722: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: do ... In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associat

CVE-2025-38422 [HIGH] CVE-2025-38422: linux - In the Linux kernel, the following vulnerability has been resolved: net: lan743... In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb and 64 Kb respectively. Adjust max size definitions and return correct EEPROM length based on device. Also prevent out-of-bound read/write. Scope: local bookworm: res

CVE-2025-39683 [HIGH] CVE-2025-39683: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Li... In the Linux kernel, the following vulnerability has been resolved: tracing: Limit access to parser->buffer when trace_get_user failed When the length of the string written to set_ftrace_filter exceeds FTRACE_BUFF_MAX, the following KASAN alarm will be triggered: BUG: KASAN: slab-out-of-bounds in strsep+0x18c/0x1b0 Read of size 1 at addr ffff0000d00bd5ba by task ash/1

CVE-2025-22097 [HIGH] CVE-2025-22097: linux - In the Linux kernel, the following vulnerability has been resolved: drm/vkms: F... In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix use after free and double free on init error If the driver initialization fails, the vkms_exit() function might access an uninitialized or freed default_config pointer and it might double free it. Fix both possible errors by initializing default_config only when the driver initialization

CVE-2025-21734 [HIGH] CVE-2025-21734: linux - In the Linux kernel, the following vulnerability has been resolved: misc: fastr... In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix copy buffer page size For non-registered buffer, fastrpc driver copies the buffer and pass it to the remote subsystem. There is a problem with current implementation of page size calculation which is not considering the offset in the calculation. This might lead to passing of improp

CVE-2025-21772 [HIGH] CVE-2025-21772: linux - In the Linux kernel, the following vulnerability has been resolved: partitions:... In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partiti

CVE-2025-21726 [HIGH] CVE-2025-21726: linux - In the Linux kernel, the following vulnerability has been resolved: padata: avo... In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining