Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown
CRITICAL: 70 | HIGH: 2670 | MEDIUM: 6247 | LOW: 3072 | UNKNOWN: 1227
Vulnerabilities
CVE-2025-38427 | LOW | CVSS 5.5 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-38427 [MEDIUM] CVE-2025-38427: linux - In the Linux kernel, the following vulnerability has been resolved: video: scre...
In the Linux kernel, the following vulnerability has been resolved: video: screen_info: Relocate framebuffers behind PCI bridges Apply PCI host-bridge window offsets to screen_info framebuffers. Fixes invalid access to I/O memory. Resources behind a PCI host bridge can be relocated by a certain offset in the kernel's CPU address range used for I/O. The framebuffer m
debian
CVE-2025-40129 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40129 [LOW] CVE-2025-40129: linux - In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix...
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix null pointer dereference on zero-length checksum In xdr_stream_decode_opaque_auth(), zero-length checksum.len causes checksum.data to be set to NULL. This triggers a NPD when accessing checksum.data in gss_krb5_verify_mic_v2(). This patch ensures that the value of checksum.len is not less t
debian
CVE-2025-21843 | LOW | CVSS 5.5 | 2025
CVE-2025-21843 [MEDIUM] CVE-2025-21843: linux - In the Linux kernel, the following vulnerability has been resolved: drm/panthor...
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: avoid garbage value in panthor_ioctl_dev_query() 'priorities_info' is uninitialized, and the uninitialized value is copied to user object when calling PANTHOR_UOBJ_SET(). Using memset to initialize 'priorities_info' to avoid this garbage value problem.
Scope: local
bookworm: resolved
bu
debian
CVE-2025-38055 | LOW | CVSS 5.5 | fixed in linux 6.12.32-1 (forky) | 2025
CVE-2025-38055 [MEDIUM] CVE-2025-38055: linux - In the Linux kernel, the following vulnerability has been resolved: perf/x86/in...
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq Currently, using PEBS-via-PT with a sample frequency instead of a sample period, causes a segfault. For example: BUG: kernel NULL pointer dereference, address: 0000000000000195 ? __die_body.cold+0x19/0x27 ? page_fault_oops+0xca/0x290 ? e
debian
CVE-2025-40227 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40227 [LOW] CVE-2025-40227: linux - In the Linux kernel, the following vulnerability has been resolved: mm/damon/sy...
In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: dealloc commit test ctx always The damon_ctx for testing online DAMON parameters commit inputs is deallocated only when the test fails. This means memory is leaked for every successful online DAMON parameters commit. Fix the leak by always deallocating it.
Scope: local
bookworm: resolve
debian
CVE-2025-68305 | LOW | fixed in linux 6.17.11-1 (forky) | 2025
CVE-2025-68305 [LOW] CVE-2025-68305: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ...
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sock: Prevent race in socket write iter and sock bind There is a potential race condition between sock bind and socket write iter. bind may free the same cmd via mgmt_pending before write iter sends the cmd, just as syzbot reported in UAF[1]. Here we use hci_dev_lock to synchronize the t
debian
CVE-2025-37939 | LOW | CVSS 5.5 | 2025
CVE-2025-37939 [MEDIUM] CVE-2025-37939: linux - In the Linux kernel, the following vulnerability has been resolved: libbpf: Fix...
In the Linux kernel, the following vulnerability has been resolved: libbpf: Fix accessing BTF.ext core_relo header Update btf_ext_parse_info() to ensure the core_relo header is present before reading its fields. This avoids a potential buffer read overflow reported by the OSS Fuzz project.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resol
debian
CVE-2025-38351 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38351 [MEDIUM] CVE-2025-38351: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hy...
In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall para
debian
CVE-2025-21930 | LOW | CVSS 5.5 | fixed in linux 6.12.19-1 (forky) | 2025
CVE-2025-21930 [MEDIUM] CVE-2025-21930: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwi...
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't try to talk to a dead firmware This fixes: bad state = 0 WARNING: CPU: 10 PID: 702 at drivers/net/wireless/inel/iwlwifi/iwl-trans.c:178 iwl_trans_send_cmd+0xba/0xe0 [iwlwifi] Call Trace: ? __warn+0xca/0x1c0 ? iwl_trans_send_cmd+0xba/0xe0 [iwlwifi 64fa9ad799a0e0d2ba53d4af93a
debian
CVE-2025-21998 | LOW | CVSS 4.7 | fixed in linux 6.12.21-1 (forky) | 2025
CVE-2025-21998 [MEDIUM] CVE-2025-21998: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: q...
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: fix efivars registration race Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access. Make sure that all re
debian
CVE-2025-22117 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-22117 [MEDIUM] CVE-2025-22117: linux - In the Linux kernel, the following vulnerability has been resolved: ice: fix us...
In the Linux kernel, the following vulnerability has been resolved: ice: fix using untrusted value of pkt_len in ice_vc_fdir_parse_raw() Fix using the untrusted value of proto->raw.pkt_len in function ice_vc_fdir_parse_raw() by verifying if it does not exceed the VIRTCHNL_MAX_SIZE_RAW_PACKET value.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (
debian
CVE-2025-40132 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40132 [LOW] CVE-2025-40132: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel...
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback In create_sdw_dailink() check that sof_end->codec_info->add_sidecar is not NULL before calling it. The original code assumed that if include_sidecar is true, the codec on that link has an add_sidecar callback. But there could be other code
debian
CVE-2025-37876 | LOW | CVSS 5.5 | fixed in linux 6.12.27-1 (forky) | 2025
CVE-2025-37876 [MEDIUM] CVE-2025-37876: linux - In the Linux kernel, the following vulnerability has been resolved: netfs: Only...
In the Linux kernel, the following vulnerability has been resolved: netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS When testing a special config: CONFIG_NETFS_SUPPORTS=y CONFIG_PROC_FS=n The system crashes with something like: [ 3.766197] ------------[ cut here ]------------ [ 3.766484] kernel BUG at mm/mempool.c:560! [ 3.766789] Oops: invalid opcode: 0000 [#
debian
CVE-2025-21822 | LOW | CVSS 5.5 | 2025
CVE-2025-21822 [MEDIUM] CVE-2025-21822: linux - In the Linux kernel, the following vulnerability has been resolved: ptp: vmcloc...
In the Linux kernel, the following vulnerability has been resolved: ptp: vmclock: Set driver data before its usage If vmclock_ptp_register() fails during probing, vmclock_remove() is called to clean up the ptp clock and misc device. It uses dev_get_drvdata() to access the vmclock state. However the driver data is not yet set at this point. Assign the driver data ear
debian
CVE-2025-68189 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
CVE-2025-68189 [LOW] CVE-2025-68189: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fi...
In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix GEM free for imported dma-bufs Imported dma-bufs also have obj->resv != &obj->_resv. So we should check both this condition in addition to flags for handling the _NO_SHARE case. Fixes this splat that was reported with IRIS video playback: ------------[ cut here ]------------ WARNING: CPU:
debian
CVE-2025-68250 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-68250 [LOW] CVE-2025-68250: linux - In the Linux kernel, the following vulnerability has been resolved: hung_task: ...
In the Linux kernel, the following vulnerability has been resolved: hung_task: fix warnings caused by unaligned lock pointers The blocker tracking mechanism assumes that lock pointers are at least 4-byte aligned to use their lower bits for type encoding. However, as reported by Eero Tamminen, some architectures like m68k only guarantee 2-byte alignment of 32-bit values
debian
CVE-2025-21901 | LOW | CVSS 5.5 | fixed in linux 6.12.19-1 (forky) | 2025
CVE-2025-21901 [MEDIUM] CVE-2025-21901: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_r...
In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Add sanity checks on rdev validity There is a possibility that ulp_irq_stop and ulp_irq_start callbacks will be called when the device is in detached state. This can cause a crash due to NULL pointer dereference as the rdev is already freed.
Scope: local
bookworm: resolved
bullseye: re
debian
CVE-2025-22078 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-22078 [MEDIUM] CVE-2025-22078: linux - In the Linux kernel, the following vulnerability has been resolved: staging: vc...
In the Linux kernel, the following vulnerability has been resolved: staging: vchiq_arm: Fix possible NPR of keep-alive thread In case vchiq_platform_conn_state_changed() is never called or fails before driver removal, ka_thread won't be a valid pointer to a task_struct. So do the necessary checks before calling kthread_stop to avoid a crash.
Scope: local
bookworm: r
debian
CVE-2025-40079 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40079 [LOW] CVE-2025-40079: linux - In the Linux kernel, the following vulnerability has been resolved: riscv, bpf:...
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Sign extend struct ops return values properly The ns_bpf_qdisc selftest triggers a kernel panic: Unable to handle kernel paging request at virtual address ffffffffa38dbf58 Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000 [ffffffffa38dbf58] pgd=000000011fffd801, p
debian
CVE-2025-22092 | LOW | CVSS 5.5 | 2025
CVE-2025-22092 [MEDIUM] CVE-2025-22092: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: Fix NU...
In the Linux kernel, the following vulnerability has been resolved: PCI: Fix NULL dereference in SR-IOV VF creation error path Clean up when virtfn setup fails to prevent NULL pointer dereference during device removal. The kernel oops below occurred due to incorrect error handling flow when pci_setup_device() fails. Add pci_iov_scan_device(), which handles virtfn al
debian