Debian Linux vulnerabilities

CVE-2025-40296 [LOW] CVE-2025-40296: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: int3472: Fix double free of GPIO device during unregister regulator_unregister() already frees the associated GPIO device. On ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to random failures when other drivers (typically Intel THC) attempt to allocate interrupts. Th

CVE-2025-21849 [MEDIUM] CVE-2025-21849: linux - In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt... In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Use spin_lock_irqsave() in interruptible context spin_lock/unlock() functions used in interrupt contexts could result in a deadlock, as seen in GitLab issue #13399, which occurs when interrupt comes in while holding a lock. Try to remedy the problem by saving irq state before spin lock

CVE-2025-37843 [MEDIUM] CVE-2025-37843: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp... In the Linux kernel, the following vulnerability has been resolved: PCI: pciehp: Avoid unnecessary device replacement check Hot-removal of nested PCI hotplug ports suffers from a long-standing race condition which can lead to a deadlock: A parent hotplug port acquires pci_lock_rescan_remove(), then waits for pciehp to unbind from a child hotplug port. Meanwhile that

CVE-2025-37965 [MEDIUM] CVE-2025-37965: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix invalid context error in dml helper [Why] "BUG: sleeping function called from invalid context" error. after: "drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()" The populate_dml_plane_cfg_from_plane_state() uses the GFP_KERNEL flag for memory allocation, which sho

CVE-2025-21784 [MEDIUM] CVE-2025-21784: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode() In function psp_init_cap_microcode(), it should bail out when failed to load firmware, otherwise it may cause invalid memory access. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.12.16-1) sid: re

CVE-2025-21915 [HIGH] CVE-2025-21915: linux - In the Linux kernel, the following vulnerability has been resolved: cdx: Fix po... In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed conc

CVE-2025-39822 [MEDIUM] CVE-2025-39822: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/kb... In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: fix signedness in this_len calculation When importing and using buffers, buf->len is considered unsigned. However, buf->len is converted to signed int when committing. This can lead to unexpected behavior if the buffer is large enough to be interpreted as a negative value. Make min_t

CVE-2025-21746 [MEDIUM] CVE-2025-21746: linux - In the Linux kernel, the following vulnerability has been resolved: Input: syna... In the Linux kernel, the following vulnerability has been resolved: Input: synaptics - fix crash when enabling pass-through port When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if

CVE-2025-71117 [MEDIUM] CVE-2025-71117: linux - In the Linux kernel, the following vulnerability has been resolved: block: Remo... In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system boot on systems wh

CVE-2025-38330 [HIGH] CVE-2025-38330: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: c... In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). The code uses mock_coeff_template.length_bytes (4 bytes) for register value allocations. But later, this length is set to 8 bytes which causes test cod

CVE-2025-38373 [MEDIUM] CVE-2025-38373: linux - In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fi... In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix potential deadlock in MR deregistration The issue arises when kzalloc() is invoked while holding umem_mutex or any other lock acquired under umem_mutex. This is problematic because kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke mmu_notifier_invalidate_range_start

CVE-2025-68731 [LOW] CVE-2025-68731: linux - In the Linux kernel, the following vulnerability has been resolved: accel/amdxd... In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix an integer overflow in aie2_query_ctx_status_array() The unpublished smatch static checker reported a warning. drivers/accel/amdxdna/aie2_pci.c:904 aie2_query_ctx_status_array() warn: potential user controlled sizeof overflow 'args->num_element * args->element_size' '1-u32max(user) *

CVE-2025-38121 [MEDIUM] CVE-2025-38121: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwi... In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: avoid panic on init failure In case of an error during init, in_hw_restart will be set, but it will never get cleared. Instead, we will retry to init again, and then we will act like we are in a restart when we are actually not. This causes (among others) to a NULL pointer derefe

CVE-2025-21884 [MEDIUM] CVE-2025-21884: linux - In the Linux kernel, the following vulnerability has been resolved: net: better... In the Linux kernel, the following vulnerability has been resolved: net: better track kernel sockets lifetime While kernel sockets are dismantled during pernet_operations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skb_set_owner_w() prior calls. This then trigger the following warning from ref_tracker_dir_exit

CVE-2025-21798 [MEDIUM] CVE-2025-21798: linux - In the Linux kernel, the following vulnerability has been resolved: firewire: t... In the Linux kernel, the following vulnerability has been resolved: firewire: test: Fix potential null dereference in firewire kunit test kunit_kzalloc() may return a NULL pointer, dereferencing it without NULL check may lead to NULL dereference. Add a NULL check for test_state. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.12.13-1)

CVE-2025-38573 [MEDIUM] CVE-2025-38573: linux - In the Linux kernel, the following vulnerability has been resolved: spi: cs42l4... In the Linux kernel, the following vulnerability has been resolved: spi: cs42l43: Property entry should be a null-terminated array The software node does not specify a count of property entries, so the array must be null-terminated. When unterminated, this can lead to a fault in the downstream cs35l56 amplifier driver, because the node parse walks off the end of the

CVE-2025-68181 [LOW] CVE-2025-68181: linux - In the Linux kernel, the following vulnerability has been resolved: drm/radeon:... In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Remove calls to drm_put_dev() Since the allocation of the drivers main structure was changed to devm_drm_dev_alloc() drm_put_dev()'ing to trigger it to be free'd should be done by devres. However, drm_put_dev() is still in the probe error and device remove paths. When the driver fails to pr

CVE-2025-38605 [MEDIUM] CVE-2025-38605: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to retrieve the ab pointer. In vdev delete sequence the arvif->ar could become NULL and that would trigger kernel panic. Since the caller ath12k_dp_tx() already

CVE-2025-68226 [LOW] CVE-2025-68226: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix incomplete backport in cfids_invalidation_worker() The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in smb2_close_cached_fid()") was an incomplete backport and missed one kref_put() call in cfids_invalidation_worker() that should have been converted to close_cached_dir

CVE-2025-37751 [MEDIUM] CVE-2025-37751: linux - In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Av... In the Linux kernel, the following vulnerability has been resolved: x86/cpu: Avoid running off the end of an AMD erratum table The NULL array terminator at the end of erratum_1386_microcode was removed during the switch from x86_cpu_desc to x86_cpu_id. This causes readers to run off the end of the array. Replace the NULL. Scope: local bookworm: resolved bullseye: re