Debian Linux vulnerabilities

CVE-2025-39807 [MEDIUM] CVE-2025-39807: linux - In the Linux kernel, the following vulnerability has been resolved: drm/mediate... In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add error handling for old state CRTC in atomic_disable Introduce error handling to address an issue where, after a hotplug event, the cursor continues to update. This situation can lead to a kernel panic due to accessing the NULL `old_state->crtc`. E,g. Unable to handle kernel NULL po

CVE-2025-38511 [MEDIUM] CVE-2025-38511: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: ... In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Clear all LMTT pages on alloc Our LMEM buffer objects are not cleared by default on alloc and during VF provisioning we only setup LMTT PTEs for the actually provisioned LMEM range. But beyond that valid range we might leave some stale data that could either point to some other VFs alloca

CVE-2025-37791 [MEDIUM] CVE-2025-37791: linux - In the Linux kernel, the following vulnerability has been resolved: ethtool: cm... In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead can cause stack corruption: Kernel panic - not syncing: stack-protect

CVE-2025-21834 [MEDIUM] CVE-2025-21834: linux - In the Linux kernel, the following vulnerability has been resolved: seccomp: pa... In the Linux kernel, the following vulnerability has been resolved: seccomp: passthrough uretprobe systemcall without filtering When attaching uretprobes to processes running inside docker, the attached process is segfaulted when encountering the retprobe. The reason is that now that uretprobe is a system call the default seccomp filters in docker block it as they o

CVE-2025-38523 [MEDIUM] CVE-2025-38523: linux - In the Linux kernel, the following vulnerability has been resolved: cifs: Fix t... In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the smbd_response slab to allow usercopy The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_reponse struct's packet trailer to a folioq buffer provided by netfslib that encapsulates a chunk of pagecache. If, however, CONFIG_H

CVE-2025-39975 [LOW] CVE-2025-39975: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix wrong index reference in smb2_compound_op() In smb2_compound_op(), the loop that processes each command's response uses wrong indices when accessing response bufferes. This incorrect indexing leads to improper handling of command results. Also, if incorrectly computed index is greather

CVE-2025-38253 [MEDIUM] CVE-2025-38253: linux - In the Linux kernel, the following vulnerability has been resolved: HID: wacom:... In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix crash in wacom_aes_battery_handler() Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_handler() which is scheduled as a delayed work (aes_battery_work). In wacom_remove(), aes_battery_work is not canceled. Consequently

CVE-2025-40113 [LOW] CVE-2025-40113: linux - In the Linux kernel, the following vulnerability has been resolved: remoteproc:... In the Linux kernel, the following vulnerability has been resolved: remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E The ADSP firmware on X1E has separate firmware binaries for the main firmware and the DTB. The same applies for the "lite" firmware loaded by the boot firmware. When preparing to load the new ADSP firmware we shutdown the lite_pas_id for the main fir

CVE-2025-22052 [MEDIUM] CVE-2025-22052: linux - In the Linux kernel, the following vulnerability has been resolved: staging: gp... In the Linux kernel, the following vulnerability has been resolved: staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setting usb_dev from the bus_interface for dev_xxx messages. Previously

CVE-2025-38016 [MEDIUM] CVE-2025-38016: linux - In the Linux kernel, the following vulnerability has been resolved: HID: bpf: a... In the Linux kernel, the following vulnerability has been resolved: HID: bpf: abort dispatch if device destroyed The current HID bpf implementation assumes no output report/request will go through it after hid_bpf_destroy_device() has been called. This leads to a bug that unplugging certain types of HID devices causes a cleaned- up SRCU to be accessed. The bug was p

CVE-2025-68762 [LOW] CVE-2025-68762: linux - In the Linux kernel, the following vulnerability has been resolved: net: netpol... In the Linux kernel, the following vulnerability has been resolved: net: netpoll: initialize work queue before error checks Prevent a kernel warning when netconsole setup fails on devices with IFF_DISABLE_NETPOLL flag. The warning (at kernel/workqueue.c:4242 in __flush_work) occurs because the cleanup path tries to cancel an uninitialized work queue. When __netpoll_set

CVE-2025-40226 [LOW] CVE-2025-40226: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Account for failed debug initialization When the SCMI debug subsystem fails to initialize, the related debug root will be missing, and the underlying descriptor will be NULL. Handle this fault condition in the SCMI debug helpers that maintain metrics counters. Scope: local bookworm:

CVE-2025-37960 [MEDIUM] CVE-2025-37960: linux - In the Linux kernel, the following vulnerability has been resolved: memblock: A... In the Linux kernel, the following vulnerability has been resolved: memblock: Accept allocated memory before use in memblock_double_array() When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. However, the range returned may not have been accepted, which ca

CVE-2025-38243 [MEDIUM] CVE-2025-38243: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid inode pointer dereferences during log replay In a few places where we call read_one_inode(), if we get a NULL pointer we end up jumping into an error path, or fallthrough in case of __add_inode_ref(), where we then do something like this: iput(&inode->vfs_inode); which results in

CVE-2025-38606 [MEDIUM] CVE-2025-38606: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss During beacon miss handling, ath12k driver iterates over active virtual interfaces (vifs) and attempts to access the radio object (ar) via arvif->deflink->ar. However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creati

CVE-2025-21709 [MEDIUM] CVE-2025-21709: linux - In the Linux kernel, the following vulnerability has been resolved: kernel: be ... In the Linux kernel, the following vulnerability has been resolved: kernel: be more careful about dup_mmap() failures and uprobe registering If a memory allocation fails during dup_mmap(), the maple tree can be left in an unsafe state for other iterators besides the exit path. All the locks are dropped before the exit_mmap() call (in mm/mmap.c), but the incomplete m

CVE-2025-68167 [LOW] CVE-2025-68167: linux - In the Linux kernel, the following vulnerability has been resolved: gpiolib: fi... In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix invalid pointer access in debugfs If the memory allocation in gpiolib_seq_start() fails, the s->private field remains uninitialized and is later dereferenced without checking in gpiolib_seq_stop(). Initialize s->private to NULL before calling kzalloc() and check it before dereferencing it.

CVE-2025-22017 [MEDIUM] CVE-2025-22017: linux - In the Linux kernel, the following vulnerability has been resolved: devlink: fi... In the Linux kernel, the following vulnerability has been resolved: devlink: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (rel). Fix it by checking if err is lower than zero. This wasn't found in rea

CVE-2025-21642 [MEDIUM] CVE-2025-21642: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: sysc... In the Linux kernel, the following vulnerability has been resolved: mptcp: sysctl: sched: avoid using current->nsproxy Using the 'net' structure via 'current' is not recommended for different reasons. First, if the goal is to use it to read or write per-netns data, this is inconsistent with how the "generic" sysctl entries are doing: directly by only using pointers

CVE-2025-38199 [MEDIUM] CVE-2025-38199: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak due to multiple rx_stats allocation rx_stats for each arsta is allocated when adding a station. arsta->rx_stats will be freed when a station is removed. Redundant allocations are occurring when the same station is added multiple times. This causes ath12k_mac_station_add