Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

CVE-2025-71155 | LOW | CVSS 7.8 | fixed in linux 6.18.5-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.18.5-1) sid: re
debian
CVE-2025-39999 | LOW | fixed in linux 6.16.11-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix blk_mq_tags double free while nr_requests grown In the case user trigger tags grow by queue sysfs attribute nr_requests, hctx->sched_tags will be freed directly and replaced with a new allocated tags, see blk_mq_tag_update_depth(). The problem is that hctx->sched_tags is from elevator->et->
debian
CVE-2025-37837 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: iommu/tegra241-cmdqv: Fix warnings due to dmam_free_coherent() Two WARNINGs are observed when SMMU driver rolls back upon failure: arm-smmu-v3.9.auto: Failed to register iommu arm-smmu-v3.9.auto: probe with driver arm-smmu-v3 failed with error -22 ------------[ cut here ]------------ WARNING: CPU: 5
debian
CVE-2025-39868 | LOW | CVSS 7.8 | fixed in linux 6.16.8-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: erofs: fix runtime warning on truncate_folio_batch_exceptionals() Commit 0e2f80afcfa6("fs/dax: ensure all pages are idle prior to filesystem unmount") introduced the WARN_ON_ONCE to capture whether the filesystem has removed all DAX entries or not and applied the fix to xfs and ext4. Apply the missed
debian
CVE-2025-38294 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix NULL access in assign channel context handler Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging. This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid rad
debian
CVE-2025-38435 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: riscv: vector: Fix context save/restore with xtheadvector Previously only v0-v7 were correctly saved/restored, and the context of v8-v31 are damaged. Correctly save/restore v8-v31 to avoid breaking userspace. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: r
debian
CVE-2025-38534 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: netfs: Fix copy-to-cache so that it performs collection with ceph+fscache The netfs copy-to-cache that is used by Ceph with local caching sets up a new request to write data just read to the cache. The request is started and then left to look after itself whilst the app continues. The request gets n
debian
CVE-2025-40270 | LOW | fixed in linux 6.17.9-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: mm, swap: fix potential UAF issue for VMA readahead Since commit 78524b05f1a3 ("mm, swap: avoid redundant swap device pinning"), the common helper for allocating and preparing a folio in the swap cache layer no longer tries to get a swap device reference internally, because all callers of __read_swap_c
debian
CVE-2025-40017 | LOW | fixed in linux 6.16.11-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix memory leak by freeing untracked persist buffer One internal buffer which is allocated only once per session was not being freed during session close because it was not being tracked as part of internal buffer list which resulted in a memory leak. Add the necessary logic to explicitly
debian
CVE-2025-39678 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/hsmp: Ensure sock->metric_tbl_addr is non-NULL If metric table address is not allocated, accessing metrics_bin will result in a NULL pointer dereference, so add a check. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.16.5-1) sid: resolved (fixed in 6.
debian
CVE-2025-38733 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: s390/mm: Do not map lowcore with identity mapping Since the identity mapping is pinned to address zero the lowcore is always also mapped to address zero, this happens regardless of the relocate_lowcore command line option. If the option is specified the lowcore is mapped twice, instead of only once.
debian
CVE-2025-40320 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay, later cleanup could act on a stale pointer, leading to a potential use-after-free. Reinitia
debian
CVE-2025-68743 | LOW | fixed in linux 6.17.13-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: mshv: Fix create memory region overlap check The current check is incorrect; it only checks if the beginning or end of a region is within an existing region. This doesn't account for userspace specifying a region that begins before and ends after an existing region. Change the logic to a range intersec
debian
CVE-2025-21942 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix extent range end unlock in cow_file_range() Running generic/751 on the for-next branch often results in a hang like below. They are both stuck by locking an extent. This suggests someone forgot to unlock an extent. INFO: task kworker/u128:1:12 blocked for more than 323 seconds. Not
debian
CVE-2025-40260 | LOW | fixed in linux 6.17.10-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix scx_enable() crash on helper kthread creation failure A crash was observed when the sched_ext selftests runner was terminated with Ctrl+\ while test 15 was running: NIP [c00000000028fa58] scx_enable.constprop.0+0x358/0x12b0 LR [c00000000028fa2c] scx_enable.constprop.0+0x32c/0x12b0 Call T
debian
CVE-2025-21679 | LOW | CVSS 5.5 | fixed in linux 6.12.11-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: add the missing error handling inside get_canonical_dev_path Inside function get_canonical_dev_path(), we call d_path() to get the final device path. But d_path() can return error, and in that case the next strscpy() call will trigger an invalid memory access. Add back the missing error handl
debian
CVE-2025-21932 | LOW | CVSS 5.5 | fixed in linux 6.12.19-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: mm: abort vma_modify() on merge out of memory failure The remainder of vma_modify() relies upon the vmg state remaining pristine after a merge attempt. Usually this is the case, however in the one edge case scenario of a merge attempt failing not due to the specified range being unmergeable, but rat
debian
CVE-2025-38276 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: fs/dax: Fix "don't skip locked entries when scanning entries" Commit 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") introduced a new function, wait_entry_unlocked_exclusive(), which waits for the current entry to become unlocked without advancing the XArray iterator state.
debian
CVE-2025-71101 | LOW | CVSS 7.1 | fixed in linux 6.18.5-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with inde
debian
CVE-2025-71092 | LOW | CVSS 7.8 | fixed in linux 6.18.5-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statistics with different
debian