Debian Linux-6.1 vulnerabilities
2,634 known vulnerabilities affecting debian/linux-6.1.
Total CVEs: 2,634
CISA KEV: 5 (actively exploited)
Public exploits: 1
Exploited in wild: 4
Severity breakdown: CRITICAL 6, HIGH 728, MEDIUM 1569, LOW 14, UNKNOWN 317
Vulnerabilities
Page 69 of 132
CVE-2025-68782 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: scsi: target: Reset t_task_cdb pointer in error case If allocation of cmd->t_task_cdb fails, it remains NULL but is later dereferenced in the 'err' path. In case of error, reset NULL t_task_cdb value to point at the default fixed-size buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
debian
CVE-2025-68766 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then it results in an out of bounds access. The code checks for invalid values, but doesn't set the error code. Return -EINVAL in that case, instead of returning success.
Scope:
debian
CVE-2025-40179 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a s
debian
CVE-2025-40100 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not assert we found block group item when creating free space tree Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BL
debian
CVE-2025-68349 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Fixes a crash when layout is null during this call stack: write_inode -> nfs4_write_inode -> pnfs_layoutcommit_inode pnfs_set_layoutcommit relies on the lseg refcount to keep the layout around. Need to clear NFS_INO_LAYOUTCOMMIT other
debian
CVE-2025-71196 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The "index" variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The "index" comes from the device tree so it's data that we trust and it's unlikely
debian
CVE-2025-40257 | UNKNOWN | fixed in linux 6.1.159-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix a race in mptcp_pm_del_add_timer() mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) while another might have free entry already, as reported by syzbot. Add RCU protection to fix this issue. Also change confusing add_timer variable with stop_timer boolean. syzbot report:
debian
CVE-2025-68788 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: fsnotify: do not generate ACCESS/MODIFY events on child for special files inotify/fanotify do not allow users with no read access to a file to subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the same user to subscribe for watching events on children when the user has access to the parent di
debian
CVE-2025-68173 | UNKNOWN | fixed in linux 6.1.159-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix softlockup in ftrace_module_enable A soft lockup was observed when loading amdgpu module. If a module has a lot of traceable functions, multiple calls to kallsyms_lookup can spend too much time in RCU critical section and with disabled preemption, causing kernel panic. This is the same issue that
debian
CVE-2025-40134 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: dm: fix NULL pointer dereference in __dm_suspend() There is a race condition between dm device suspend and table load that can lead to null pointer dereference. The issue occurs when suspend is invoked before table load completes: BUG: kernel NULL pointer dereference, address: 0000000000000054 Oops: 0000 [#1
debian
CVE-2025-40205 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8
debian
CVE-2025-68233 | UNKNOWN | fixed in linux 6.1.159-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Add call to put_pid() Add a call to put_pid() corresponding to get_task_pid(). host1x_memory_context_alloc() does not take ownership of the PID so we need to free it here to avoid leaking. [[email protected]: reword commit message]
Scope: local
bookworm: resolved (fixed in 6.1.159-1)
bullseye:
debian
CVE-2025-68282 | UNKNOWN | fixed in linux 6.1.159-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: udc: fix use-after-free in usb_gadget_state_work A race condition during gadget teardown can lead to a use-after-free in usb_gadget_state_work(), as reported by KASAN: BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0 Workqueue: events usb_gadget_state_work The fundamental race occurs because
debian
CVE-2025-39993 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/44
debian
CVE-2025-40070 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: pps: fix warning in pps_register_cdev when register device fail Similar to previous commit 2a934fdb01db ("media: v4l2-dev: fix error handling in __video_register_device()"), the release hook should be set before device_register(). Otherwise, when device_register() return error and put_device() try to callbac
debian
CVE-2025-40207 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_sta
debian
CVE-2025-40110 | UNKNOWN | fixed in linux 6.1.162-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix a null-ptr access in the cursor snooper Check that the resource which is converted to a surface exists before trying to use the cursor snooper on it. vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers because some svga commands accept SVGA3D_INVALID_ID to mean "no surfa
debian
CVE-2025-68168 | UNKNOWN | fixed in linux 6.1.159-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: jfs: fix uninitialized waitqueue in transaction manager The transaction manager initialization in txInit() was not properly initializing TxBlock[0].waitor waitqueue, causing a crash when txEnd(0) is called on read-only filesystems. When a filesystem is mounted read-only, txBegin() returns tid=0 to indicate n
debian
CVE-2025-40081 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: perf: arm_spe: Prevent overflow in PERF_IDX2OFF() Cast nr_pages to unsigned long to avoid overflow when handling large AUX buffer sizes (>= 2 GiB).
Scope: local
bookworm: resolved (fixed in 6.1.158-1)
bullseye: resolved (fixed in 5.10.247-1)
forky: resolved (fixed in 6.17.6-1)
sid: resolved (fixed in 6.17.6-
debian
CVE-2025-39970 | UNKNOWN | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: i40e: fix input validation logic for action_meta Fix condition to check 'greater or equal' to prevent OOB dereference.
Scope: local
bookworm: resolved (fixed in 6.1.158-1)
bullseye: resolved (fixed in 5.10.247-1)
forky: resolved (fixed in 6.16.10-1)
sid: resolved (fixed in 6.16.10-1)
trixie: resolved (fixed
debian