Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

Page 109 of 665
CVE-2025-71070 | LOW | fixed in linux 6.18.3-1 (forky) | 2025
CVE-2025-71070 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: ublk: clean up user copy references on ublk server exit. If a ublk server process releases a ublk char device file, any requests dispatched to the ublk server but not yet completed will retain a ref value of UBLK_REFCOUNT_INIT. Before commit e63d2228ef83 ("ublk: simplify aborting ublk request"), __ublk_
debian
CVE-2025-38175 | LOW | CVSS 7.8 | 2025
CVE-2025-38175 [HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: binder: fix yet another UAF in binder_devices. Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was mis
debian
CVE-2025-21661 | LOW | CVSS 5.5 | fixed in linux 6.12.10-1 (forky) | 2025
CVE-2025-21661 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix missing lookup table cleanups. When a virtuser device is created via configfs and the probe fails due to an incorrect lookup table, the table is not removed. This prevents subsequent probe attempts from succeeding, even if the issue is corrected, unless the device is released. Add
debian
CVE-2025-39785 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39785 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: drm/hisilicon/hibmc: fix irq_request()'s irq name variable is local. The local variable is passed in request_irq (), and there will be use after free problem, which will make request_irq failed. Using the global irq name instead of it to fix. Scope: local bookworm: resolved bullseye: resolved forky:
debian
CVE-2025-38372 | LOW | CVSS 5.5 | fixed in linux 6.12.37-1 (forky) | 2025
CVE-2025-38372 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling. __xa_store() and __xa_erase() were used without holding the proper lock, which led to a lockdep warning due to unsafe RCU usage. This patch replaces them with xa_store() and xa_erase(), which perform the necessary locking internally. =====
debian
CVE-2025-40072 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40072 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing. The function do_fanotify_mark() does not validate if mnt_ns_from_dentry() returns NULL before dereferencing mntns->user_ns. This causes a NULL pointer dereference in do_fanotify_mark() if the path is not a mount namespace
debian
CVE-2025-68730 | LOW | fixed in linux 6.17.13-1 (forky) | 2025
CVE-2025-68730 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix page fault in ivpu_bo_unbind_all_bos_from_context(). Don't add BO to the vdev->bo_list in ivpu_gem_create_object(). When failure happens inside drm_gem_shmem_create(), the BO is not fully created and ivpu_gem_bo_free() callback will not be called causing a deleted BO to be left on the li
debian
CVE-2025-40150 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40150 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid migrating empty section. It reports a bug from device w/ zufs: F2FS-fs (dm-64): Inconsistent segment (173822) type [1, 0] in SSA and SIT F2FS-fs (dm-64): Stopped filesystem due to reason: 4 Thread A Thread B - f2fs_expand_inode_data - f2fs_allocate_pinning_section - f2fs_gc_range - do
debian
CVE-2025-37761 | LOW | CVSS 7.1 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-37761 [HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix an out-of-bounds shift when invalidating TLB. When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1]. Use a full TLB invalidation for such cases. v2: - Use a define for the rang
debian
CVE-2025-39680 | LOW | CVSS 7.1 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39680 [HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer. The data->block[0] variable comes from user. Without proper check, the variable may be very large to cause an out-of-bounds bug. Fix this bug by checking the value of data->block[0] first. 1. commit 39244cc75482 ("i2c: ismt: Fix an out-of-b
debian
CVE-2025-38353 | LOW | CVSS 5.5 | fixed in linux 6.12.37-1 (forky) | 2025
CVE-2025-38353 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix taking invalid lock on wedge. If device wedges on e.g. GuC upload, the submission is not yet enabled and the state is not even initialized. Protect the wedge call so it does nothing in this case. It fixes the following splat: [] xe 0000:bf:00.0: [drm] device wedged, needs recovery [] ----
debian
CVE-2025-38325 | LOW | CVSS 5.5 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-38325 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: add free_transport ops in ksmbd connection. free_transport function for tcp connection can be called from smbdirect. It will cause kernel oops. This patch add free_transport ops in ksmbd connection, and add each free_transports for tcp and smbdirect. Scope: local bookworm: resolved bullseye: r
debian
CVE-2025-39765 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39765 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: fix ida_free call while not allocated. In the snd_utimer_create() function, if the kasprintf() function return NULL, snd_utimer_put_id() will be called, finally use ida_free() to free the unallocated id 0. the syzkaller reported the following information: ------------[ cut here ]--------
debian
CVE-2025-40033 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40033 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable(). pru_rproc_set_ctable() accessed rproc->priv before the IS_ERR_OR_NULL check, which could lead to a null pointer dereference. Move the pru assignment, ensuring we never dereference a NULL rproc pointer. Scope: local bookwo
debian
CVE-2025-37759 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-37759 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: ublk: fix handling recovery & reissue in ublk_abort_queue(). Commit 8284066946e6 ("ublk: grab request reference when the request is handled by userspace") doesn't grab request reference in case of recovery reissue. Then the request can be requeued & re-dispatch & failed when canceling uring command.
debian
CVE-2025-37745 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-37745 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Avoid deadlock in hibernate_compressor_param_set(). syzbot reported a deadlock in lock_system_sleep() (see below). The write operation to "/sys/module/hibernate/parameters/compressor" conflicts with the registration of ieee80211 device, resulting in a deadlock when attempting to acquir
debian
CVE-2025-21803 | LOW | CVSS 5.5 | fixed in linux 6.12.13-1 (forky) | 2025
CVE-2025-21803 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix warnings during S3 suspend. The enable_gpe_wakeup() function calls acpi_enable_all_wakeup_gpes(), and the later one may call the preempt_schedule_common() function, resulting in a thread switch and causing the CPU to be in an interrupt enabled state after the enable_gpe_wakeup() functi
debian
CVE-2025-40195 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40195 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved: mount: handle NULL values in mnt_ns_release(). When calling in listmount() mnt_ns_release() may be passed a NULL pointer. Handle that case gracefully. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.17.6-1) sid: resolved (fixed in 6.17.6-1) trixie: resolved (fixed in 6.12.
debian
CVE-2025-38567 | LOW | CVSS 4.7 | 2025
CVE-2025-38567 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: avoid ref leak in nfsd_open_local_fh(). If two calls to nfsd_open_local_fh() race and both successfully call nfsd_file_acquire_local(), they will both get an extra reference to the net to accompany the file reference stored in *pnf. One of them will fail to store (using xchg()) the file referen
debian
CVE-2025-39708 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39708 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix NULL pointer dereference. A warning reported by smatch indicated a possible null pointer dereference where one of the arguments to API "iris_hfi_gen2_handle_system_error" could sometimes be null. To fix this, add a check to validate that the argument passed is not null before accessi
debian