Debian Linux vulnerabilities

CVE-2025-40147 [LOW] CVE-2025-40147: linux - In the Linux kernel, the following vulnerability has been resolved: blk-throttl... In the Linux kernel, the following vulnerability has been resolved: blk-throttle: fix access race during throttle policy activation On repeated cold boots we occasionally hit a NULL pointer crash in blk_should_throtl() when throttling is consulted before the throttle policy is fully enabled for the queue. Checking only q->td != NULL is insufficient during early initial

CVE-2025-39858 [MEDIUM] CVE-2025-39858: linux - In the Linux kernel, the following vulnerability has been resolved: eth: mlx4: ... In the Linux kernel, the following vulnerability has been resolved: eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring Replace NULL check with IS_ERR() check after calling page_pool_create() since this function returns error pointers (ERR_PTR). Using NULL check could lead to invalid pointer dereference. Scope: local bookworm: resolved bullseye: reso

CVE-2025-38220 [MEDIUM] CVE-2025-38220: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: only ... In the Linux kernel, the following vulnerability has been resolved: ext4: only dirty folios when data journaling regular files fstest generic/388 occasionally reproduces a crash that looks as follows: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: ext4_block_zero_page_range+0x30c/0x380 [ext4] ext4_truncate+0x436/0x440 [ext4] ext4_pro

CVE-2025-71134 [MEDIUM] CVE-2025-71134: linux - In the Linux kernel, the following vulnerability has been resolved: mm/page_all... In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: change all pageblocks migrate type on coalescing When a page is freed it coalesces with a buddy into a higher order page while possible. When the buddy page migrate type differs, it is expected to be updated to match the one of the page being freed. However, only the first pageblock o

CVE-2025-38390 [MEDIUM] CVE-2025-38390: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Fix memory leak by freeing notifier callback node Commit e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks") adds support for notifier callbacks by allocating and inserting a callback node into a hashtable during registration of notifiers. However,

CVE-2025-37868 [MEDIUM] CVE-2025-37868: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/user... In the Linux kernel, the following vulnerability has been resolved: drm/xe/userptr: fix notifier vs folio deadlock User is reporting what smells like notifier vs folio deadlock, where migrate_pages_batch() on core kernel side is holding folio lock(s) and then interacting with the mappings of it, however those mappings are tied to some userptr, which means calling in

CVE-2025-37845 [HIGH] CVE-2025-37845: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: fp... In the Linux kernel, the following vulnerability has been resolved: tracing: fprobe events: Fix possible UAF on modules Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount") moved try_module_get() from __find_tracepoint_module_cb() to find_tracepoint() caller, but that introduced a possible UAF because the module can be unloaded before try_mod

CVE-2025-21851 [LOW] CVE-2025-21851: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix so... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix softlockup in arena_map_free on 64k page kernel On an aarch64 kernel with CONFIG_PAGE_SIZE_64KB=y, arena_htab tests cause a segmentation fault and soft lockup. The same failure is not observed with 4k pages on aarch64. It turns out arena_map_free() is calling apply_to_existing_page_range() wit

CVE-2025-38613 [MEDIUM] CVE-2025-38613: linux - In the Linux kernel, the following vulnerability has been resolved: staging: gp... In the Linux kernel, the following vulnerability has been resolved: staging: gpib: fix unset padding field copy back to userspace The introduction of a padding field in the gpib_board_info_ioctl is showing up as initialized data on the stack frame being copyied back to userspace in function board_info_ioctl. The simplest fix is to initialize the entire struct to zer

CVE-2025-38450 [MEDIUM] CVE-2025-38450: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76:... In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1]. The crash occurs when this function is triggered before the sta

CVE-2025-38417 [MEDIUM] CVE-2025-38417: linux - In the Linux kernel, the following vulnerability has been resolved: ice: fix es... In the Linux kernel, the following vulnerability has been resolved: ice: fix eswitch code memory leak in reset scenario Add simple eswitch mode checker in attaching VF procedure and allocate required port representor memory structures only in switchdev mode. The reset flows triggers VF (if present) detach/attach procedure. It might involve VF port representor(s) re-

CVE-2025-38047 [MEDIUM] CVE-2025-38047: linux - In the Linux kernel, the following vulnerability has been resolved: x86/fred: F... In the Linux kernel, the following vulnerability has been resolved: x86/fred: Fix system hang during S4 resume with FRED enabled Upon a wakeup from S4, the restore kernel starts and initializes the FRED MSRs as needed from its perspective. It then loads a hibernation image, including the image kernel, and attempts to load image pages directly into their original pag

CVE-2025-22077 [MEDIUM] CVE-2025-22077: linux - In the Linux kernel, the following vulnerability has been resolved: Revert "smb... In the Linux kernel, the following vulnerability has been resolved: Revert "smb: client: fix TCP timers deadlock after rmmod" This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801. Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is mentioned as CVE-2024-54680, but is actually did n

CVE-2025-21845 [MEDIUM] CVE-2025-21845: linux - In the Linux kernel, the following vulnerability has been resolved: mtd: spi-no... In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: sst: Fix SST write failure 'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")' introduced a bug where only one byte of data is written, regardless of the number of bytes passed to sst_nor_write_data(), causing a kernel crash during t

CVE-2025-39935 [HIGH] CVE-2025-39935: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: codec... In the Linux kernel, the following vulnerability has been resolved: ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() The sma1307->set.header_size is how many integers are in the header (there are 8 of them) but instead of allocating space of 8 integers we allocate 8 bytes. This leads to memory corruption when we copy data it on the next line: me

CVE-2025-40161 [LOW] CVE-2025-40161: linux - In the Linux kernel, the following vulnerability has been resolved: mailbox: zy... In the Linux kernel, the following vulnerability has been resolved: mailbox: zynqmp-ipi: Fix SGI cleanup on unbind The driver incorrectly determines SGI vs SPI interrupts by checking IRQ number < 16, which fails with dynamic IRQ allocation. During unbind, this causes improper SGI cleanup leading to kernel crash. Add explicit irq_type field to pdata for reliable identif

CVE-2025-39753 [MEDIUM] CVE-2025-39753: linux - In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .... In the Linux kernel, the following vulnerability has been resolved: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to ->writepage") that occurs in various xfstests, causing "something found in dmesg" failures. [ 341.136573] gfs2_meta_aops does not implement migrate_folio [ 341.136953] WARNING: CPU

CVE-2025-38432 [MEDIUM] CVE-2025-38432: linux - In the Linux kernel, the following vulnerability has been resolved: net: netpol... In the Linux kernel, the following vulnerability has been resolved: net: netpoll: Initialize UDP checksum field before checksumming commit f1fce08e63fe ("netpoll: Eliminate redundant assignment") removed the initialization of the UDP checksum, which was wrong and broke netpoll IPv6 transmission due to bad checksumming. udph->check needs to be set before calling csum

CVE-2025-40114 [HIGH] CVE-2025-40114: linux - In the Linux kernel, the following vulnerability has been resolved: iio: light:... In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of

CVE-2025-39815 [MEDIUM] CVE-2025-39815: linux - In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM... In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM: fix stack overrun when loading vlenb The userspace load can put up to 2048 bits into an xlen bit stack buffer. We want only xlen bits, so check the size beforehand. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.16.5-1) sid: resolved (fixed in 6.16.5-1) t