Debian Linux vulnerabilities

CVE-2025-37943 [HIGH] CVE-2025-37943: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi In certain cases, hardware might provide packets with a length greater than the maximum native Wi-Fi header length. This can lead to accessing and modifying fields in the header within the ath12k_dp_rx_h_undecap_nwifi function for D

CVE-2025-39893 [MEDIUM] CVE-2025-39893: linux - In the Linux kernel, the following vulnerability has been resolved: spi: spi-qp... In the Linux kernel, the following vulnerability has been resolved: spi: spi-qpic-snand: unregister ECC engine on probe error and device remove The on-host hardware ECC engine remains registered both when the spi_register_controller() function returns with an error and also on device removal. Change the qcom_spi_probe() function to unregister the engine on the error

CVE-2025-39725 [MEDIUM] CVE-2025-39725: linux - In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: ... In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list In shrink_folio_list(), the hwpoisoned folio may be large folio, which can't be handled by unmap_poisoned_folio(). For THP, try_to_unmap_one() must be passed with TTU_SPLIT_HUGE_PMD to split huge PMD first and then retry. Without TT

CVE-2025-40131 [LOW] CVE-2025-40131: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu() In ath12k_dp_mon_rx_deliver_msdu(), peer lookup fails because rxcb->peer_id is not updated with a valid value. This is expected in monitor mode, where RX frames bypass the regular RX descriptor path that typically sets rxcb->peer_id. As a

CVE-2025-38469 [MEDIUM] CVE-2025-38469: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86/xe... In the Linux kernel, the following vulnerability has been resolved: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host for more than one event channel potr (nr_ports > 1). After the kmalloc_array(), the error paths need to go through the "out" label, but the call to kvm_rea

CVE-2025-21854 [MEDIUM] CVE-2025-21854: linux - In the Linux kernel, the following vulnerability has been resolved: sockmap, vs... In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This i

CVE-2025-38656 [HIGH] CVE-2025-38656: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwi... In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() Preserve the error code if iwl_setup_deferred_work() fails. The current code returns ERR_PTR(0) (which is NULL) on this path. I believe the missing error code potentially leads to a use after free involving debugfs. Scope: local bookworm: resolv

CVE-2025-38489 [MEDIUM] CVE-2025-38489: linux - In the Linux kernel, the following vulnerability has been resolved: s390/bpf: F... In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g.

CVE-2025-37848 [MEDIUM] CVE-2025-37848: linux - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu:... In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Fix PM related deadlocks in MS IOCTLs Prevent runtime resume/suspend while MS IOCTLs are in progress. Failed suspend will call ivpu_ms_cleanup() that would try to acquire file_priv->ms_lock, which is already held by the IOCTLs. Scope: local bookworm: resolved bullseye: resolved forky: re

CVE-2025-68811 [LOW] CVE-2025-68811: linux - In the Linux kernel, the following vulnerability has been resolved: svcrdma: us... In the Linux kernel, the following vulnerability has been resolved: svcrdma: use rc_pageoff for memcpy byte offset svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page. Found by ZeroPath (https://zeropath.com) Scope: local bookworm: resolved bullseye: resol

CVE-2025-37873 [MEDIUM] CVE-2025-37873: linux - In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: ... In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix missing ring index trim on error path Commit under Fixes converted tx_prod to be free running but missed masking it on the Tx error path. This crashes on error conditions, for example when DMA mapping fails. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in

CVE-2025-40327 [LOW] CVE-2025-40327: linux - In the Linux kernel, the following vulnerability has been resolved: perf/core: ... In the Linux kernel, the following vulnerability has been resolved: perf/core: Fix system hang caused by cpu-clock usage cpu-clock usage by the async-profiler tool can trigger a system hang, which got bisected back to the following commit by Octavia Togami: 18dbcbfabfff ("perf: Fix the POLL_HUP delivery breakage") causes this issue The root cause of the hang is that cp

CVE-2025-38689 [MEDIUM] CVE-2025-38689: linux - In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Fi... In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Fix NULL dereference in avx512_status() Problem ------- With CONFIG_X86_DEBUG_FPU enabled, reading /proc/[kthread]/arch_status causes a warning and a NULL pointer dereference. This is because the AVX-512 timestamp code uses x86_task_fpu() but doesn't check it for NULL. CONFIG_X86_DEBUG_FPU

CVE-2025-68361 [LOW] CVE-2025-68361: linux - In the Linux kernel, the following vulnerability has been resolved: erofs: limi... In the Linux kernel, the following vulnerability has been resolved: erofs: limit the level of fs stacking for file-backed mounts Otherwise, it could cause potential kernel stack overflow (e.g., EROFS mounting itself). Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.17.13-1) sid: resolved (fixed in 6.17.13-1) trixie: resolved (fixed in 6.1

CVE-2025-38092 [MEDIUM] CVE-2025-38092: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: use ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: use list_first_entry_or_null for opinfo_get_list() The list_first_entry() macro never returns NULL. If the list is empty then it returns an invalid pointer. Use list_first_entry_or_null() to check if the list is empty. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed

CVE-2025-38356 [MEDIUM] CVE-2025-38356: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc:... In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Explicitly exit CT safe mode on unwind During driver probe we might be briefly using CT safe mode, which is based on a delayed work, but usually we are able to stop this once we have IRQ fully operational. However, if we abort the probe quite early then during unwind we might try to dest

CVE-2025-40212 [LOW] CVE-2025-40212: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: fix r... In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the

CVE-2025-68805 [LOW] CVE-2025-68805: linux - In the Linux kernel, the following vulnerability has been resolved: fuse: fix i... In the Linux kernel, the following vulnerability has been resolved: fuse: fix io-uring list corruption for terminated non-committed requests When a request is terminated before it has been committed, the request is not removed from the queue's list. This leaves a dangling list entry that leads to list corruption and use-after-free issues. Remove the request from the qu

CVE-2025-21717 [HIGH] CVE-2025-21717: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: ... In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: add missing cpu_to_node to kvzalloc_node in mlx5e_open_xdpredirect_sq kvzalloc_node is not doing a runtime check on the node argument (__alloc_pages_node_noprof does have a VM_BUG_ON, but it expands to nothing on !CONFIG_DEBUG_VM builds), so doing any ethtool/netlink operation that calls ml

CVE-2025-68313 [LOW] CVE-2025-68313: linux - In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD... In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success (CF=1)". Search the web for AMD-SB-7055 for more detail. Add a fix glue whi