Debian Linux-6.1 vulnerabilities

CVE-2025-71199 CVE-2025-71199: linux - In the Linux kernel, the following vulnerability has been resolved: iio: adc: a... In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_

CVE-2025-40116 CVE-2025-40116: linux - In the Linux kernel, the following vulnerability has been resolved: usb: host: ... In the Linux kernel, the following vulnerability has been resolved: usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup The kthread_run() function returns error pointers so the max3421_hcd->spi_thread pointer can be either error pointers or NULL. Check for both before dereferencing it. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved

CVE-2025-68261 CVE-2025-68261: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: add i... In the Linux kernel, the following vulnerability has been resolved: ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Fix a race between inline data destruction and block mapping. The function ext4_destroy_inline_data_nolock() changes the inode data layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS. At the same time, another thread m

CVE-2025-68734 CVE-2025-68734: linux - In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN... In the Linux kernel, the following vulnerability has been resolved: isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() In hfcsusb_probe(), the memory allocated for ctrl_urb gets leaked when setup_instance() fails with an error code. Fix that by freeing the urb before freeing the hw structure. Also change the error paths to use the goto ladder style. Compile tested only

CVE-2025-40078 CVE-2025-40078: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Explic... In the Linux kernel, the following vulnerability has been resolved: bpf: Explicitly check accesses to bpf_sock_addr Syzkaller found a kernel warning on the following sock_addr program: 0: r0 = 0 1: r2 = *(u32 *)(r1 +60) 2: exit which triggers: verifier bug: error during ctx access conversion (0) This is happening because offset 60 in bpf_sock_addr corresponds to an implicit

CVE-2025-40056 CVE-2025-40056: linux - In the Linux kernel, the following vulnerability has been resolved: vhost: vrin... In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Fix copy_to_iter return value check The return value of copy_to_iter can't be negative, check whether the copied length is equal to the requested length instead of checking for negative values. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved forky: resolved (fixed in 6.

CVE-2025-40055 CVE-2025-40055: linux - In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix ... In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect() user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a second time. Set "lc" to NULL on this path to avoid a double free. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved (fixed in 5.10.

CVE-2025-40263 CVE-2025-40263: linux - In the Linux kernel, the following vulnerability has been resolved: Input: cros... In the Linux kernel, the following vulnerability has been resolved: Input: cros_ec_keyb - fix an invalid memory access If cros_ec_keyb_register_matrix() isn't called (due to `buttons_switches_only`) in cros_ec_keyb_probe(), `ckdev->idev` remains NULL. An invalid memory access is observed in cros_ec_keyb_process() when receiving an EC_MKBP_EVENT_KEY_MATRIX event in cros_ec_ke

CVE-2025-39986 CVE-2025-39986: linux - In the Linux kernel, the following vulnerability has been resolved: can: sun4i_... In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Un

CVE-2025-40099 CVE-2025-40099: linux - In the Linux kernel, the following vulnerability has been resolved: cifs: parse... In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Re

CVE-2025-40051 CVE-2025-40051: linux - In the Linux kernel, the following vulnerability has been resolved: vhost: vrin... In the Linux kernel, the following vulnerability has been resolved: vhost: vringh: Modify the return value check The return value of copy_from_iter and copy_to_iter can't be negative, check whether the copied lengths are equal. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved forky: resolved (fixed in 6.17.6-1) sid: resolved (fixed in 6.17.6-1) trixie:

CVE-2025-40011 CVE-2025-40011: linux - In the Linux kernel, the following vulnerability has been resolved: drm/gma500:... In the Linux kernel, the following vulnerability has been resolved: drm/gma500: Fix null dereference in hdmi teardown pci_set_drvdata sets the value of pdev->driver_data to NULL, after which the driver_data obtained from the same dev is dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is extracted from it. To prevent this, swap these calls. Found by Linux Verification

CVE-2025-39988 CVE-2025-39988: linux - In the Linux kernel, the following vulnerability has been resolved: can: etas_e... In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Sending an PF_PACKET allows to bypass the CAN framework logic and to directly reach the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. U

CVE-2025-40083 CVE-2025-40083: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix null-deref in agg_dequeue To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes ar

CVE-2025-40154 CVE-2025-40154: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel... In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping When an invalid value is passed via quirk option, currently bytcr_rt5640 driver only shows an error message but leaves as is. This may lead to unepxected results like OOB access. This patch corrects the input mapping to the certain default value if a

CVE-2025-40021 CVE-2025-40021: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: dy... In the Linux kernel, the following vulnerability has been resolved: tracing: dynevent: Add a missing lockdown check on dynevent Since dynamic_events interface on tracefs is compatible with kprobe_events and uprobe_events, it should also check the lockdown status and reject if it is set. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved (fixed in 5.10.24

CVE-2025-68380 CVE-2025-68380: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath11... In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix peer HE MCS assignment In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to firmware as receive MCS while peer's receive MCS sent as transmit MCS, which goes against firmwire's definition. While connecting to a misbehaved AP that advertises 0xffff (meaning not supported) for

CVE-2025-40104 CVE-2025-40104: linux - In the Linux kernel, the following vulnerability has been resolved: ixgbevf: fi... In the Linux kernel, the following vulnerability has been resolved: ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4.

CVE-2025-68781 CVE-2025-68781: linux - In the Linux kernel, the following vulnerability has been resolved: usb: phy: f... In the Linux kernel, the following vulnerability has been resolved: usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal The delayed work item otg_event is initialized in fsl_otg_conf() and scheduled under two conditions: 1. When a host controller binds to the OTG controller. 2. When the USB ID pin state changes (cable insertion/removal). A race condit

CVE-2025-40096 CVE-2025-40096: linux - In the Linux kernel, the following vulnerability has been resolved: drm/sched: ... In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double f