Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227
Vulnerabilities
CVE-2025-38661 | LOW | CVSS 5.5 | 2025
CVE-2025-38661 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array Add missing empty member to `awcc_dmi_table`.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2025-22047 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-22047 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix __apply_microcode_amd()'s return value When verify_sha256_digest() fails, __apply_microcode_amd() should propagate the failure by returning false (and not -1 which is promoted to true).
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.12.25-1)
sid
debian
CVE-2025-37975 | LOW | CVSS 7.1 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-37975 [HIGH]: linux
In the Linux kernel, the following vulnerability has been resolved: riscv: module: Fix out-of-bounds relocation access The current code allows rel[j] to access one element past the end of the relocation section. Simplify to num_relocations which is equivalent to the existing size expression.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in
debian
CVE-2025-68193 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
CVE-2025-68193 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Add devm release action to safely tear down CT When a buffer object (BO) is allocated with the XE_BO_FLAG_GGTT_INVALIDATE flag, the driver initiates TLB invalidation requests via the CTB mechanism while releasing the BO. However a premature release of the CTB BO can lead to system crashes,
debian
CVE-2025-22128 | LOW | CVSS 5.5 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-22128 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath12k_pci_msi_alloc(). This does no harm unless one of the functions
debian
CVE-2025-68735 | LOW | fixed in linux 6.17.13-1 (forky) | 2025
CVE-2025-68735 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Prevent potential UAF in group creation This commit prevents the possibility of a use after free issue in the GROUP_CREATE ioctl function, which arose as pointer to the group is accessed in that ioctl function after storing it in the Xarray. A malicious userspace can second guess the handl
debian
CVE-2025-39892 | LOW | CVSS 5.5 | fixed in linux 6.16.6-1 (forky) | 2025
CVE-2025-39892 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: care NULL dirver name on snd_soc_lookup_component_nolocked() soc-generic-dmaengine-pcm.c uses same dev for both CPU and Platform. In such case, CPU component driver might not have driver->name, then snd_soc_lookup_component_nolocked() will be NULL pointer access error. Care NULL driv
debian
CVE-2025-39899 | LOW | CVSS 5.5 | fixed in linux 6.16.6-1 (forky) | 2025
CVE-2025-39899 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: mm/userfaultfd: fix kmap_local LIFO ordering for CONFIG_HIGHPTE With CONFIG_HIGHPTE on 32-bit ARM, move_pages_pte() maps PTE pages using kmap_local_page(), which requires unmapping in Last-In-First-Out order. The current code maps dst_pte first, then src_pte, but unmaps them in the same order (dst_p
debian
CVE-2025-21850 | LOW | CVSS 5.5 | 2025
CVE-2025-21850 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: nvmet: Fix crash when a namespace is disabled The namespace percpu counter protects pending I/O, and we can only safely disable the namespace once the counter drops to zero. Otherwise we end up with a crash when running blktests/nvme/058 (eg for loop transport): [ 2352.930426] [ T53909] Oops: general
debian
CVE-2025-71201 | LOW | CVSS 7.1 | fixed in linux 6.18.8-1 (forky) | 2025
CVE-2025-71201 [HIGH]: linux
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
debian
CVE-2025-37910 | LOW | CVSS 5.5 | fixed in linux 6.12.29-1 (forky) | 2025
CVE-2025-37910 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations On Adva boards, SMA sysfs store/get operations can call __handle_signal_outputs() or __handle_signal_inputs() while the `irig` and `dcf` pointers are uninitialized, leading to a NULL pointer dereference in __handle_signal() and causin
debian
CVE-2025-37809 | LOW | CVSS 5.5 | fixed in linux 6.12.27-1 (forky) | 2025
CVE-2025-37809 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: usb: typec: class: Fix NULL pointer access Concurrent calls to typec_partner_unlink_device can lead to a NULL pointer dereference. This patch adds a mutex to protect USB device pointers and prevent this issue. The same mutex protects both the device pointers and the partner device registration.
Scop
debian
CVE-2025-38557 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38557 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: HID: apple: validate feature-report field count to prevent NULL pointer dereference A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power featur
debian
CVE-2025-38299 | LOW | CVSS 5.5 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-38299 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null. Avoid a crash if the device tree is not assigning a codec to these links. [ 1.179936] Unable to handle kernel NULL pointer dereference at
debian
CVE-2025-40169 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40169 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject negative offsets for ALU ops When verifying BPF programs, the check_alu_op() function validates instructions with ALU operations. The 'offset' field in these instructions is a signed 16-bit integer. The existing check 'insn->off > 1' was intended to ensure the offset is either 0, or 1 for B
debian
CVE-2025-38533 | LOW | CVSS 7.8 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38533 [HIGH]: linux
In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavi
debian
CVE-2025-39948 | LOW | CVSS 5.5 | fixed in linux 6.16.9-1 (forky) | 2025
CVE-2025-39948 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: ice: fix Rx page leak on multi-buffer frames The ice_put_rx_mbuf() function handles calling ice_put_rx_buf() for each buffer in the current frame. This function was introduced as part of handling multi-buffer XDP support in the ice driver. It works by iterating over the buffers from first_desc up to
debian
CVE-2025-37896 | LOW | CVSS 5.5 | 2025
CVE-2025-37896 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: spi: spi-mem: Add fix to avoid divide error For some SPI flash memory operations, dummy bytes are not mandatory. For example, in Winbond SPINAND flash memory devices, the `write_cache` and `update_cache` operation variants have zero dummy bytes. Calculating the duration for SPI memory operations wit
debian
CVE-2025-68169 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
CVE-2025-68169 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: netpoll: Fix deadlock in memory allocation under spinlock Fix a AA deadlock in refill_skbs() where memory allocation while holding skb_pool->lock can trigger a recursive lock acquisition attempt. The deadlock scenario occurs when the system is under severe memory pressure: 1. refill_skbs() acquires skb
debian
CVE-2025-39904 | LOW | CVSS 5.5 | fixed in linux 6.16.8-1 (forky) | 2025
CVE-2025-39904 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: arm64: kexec: initialize kexec_buf struct in load_other_segments() Patch series "kexec: Fix invalid field access". The kexec_buf structure was previously declared without initialization. commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") added a field that is always read but not c
debian