Debian Linux vulnerabilities

CVE-2025-37869 [HIGH] CVE-2025-37869: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe: Use... In the Linux kernel, the following vulnerability has been resolved: drm/xe: Use local fence in error path of xe_migrate_clear The intent of the error path in xe_migrate_clear is to wait on locally generated fence and then return. The code is waiting on m->fence which could be the local fence but this is only stable under the job mutex leading to a possible UAF. Fix co

CVE-2025-22003 [MEDIUM] CVE-2025-22003: linux - In the Linux kernel, the following vulnerability has been resolved: can: ucan: ... In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternativ

CVE-2025-22030 [MEDIUM] CVE-2025-22030: linux - In the Linux kernel, the following vulnerability has been resolved: mm: zswap: ... In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()). On the other hand, crypto_alloc_acomp_node() h

CVE-2025-21890 [MEDIUM] CVE-2025-21890: linux - In the Linux kernel, the following vulnerability has been resolved: idpf: fix c... In the Linux kernel, the following vulnerability has been resolved: idpf: fix checksums set in idpf_rx_rsc() idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet. This triggers the following warning for CONFIG_DEBUG_NET=y builds. DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb)) [ 69.261620] WARNING: CPU: 7 PID: 0 at ./incl

CVE-2025-39836 [HIGH] CVE-2025-39836: linux - In the Linux kernel, the following vulnerability has been resolved: efi: stmm: ... In the Linux kernel, the following vulnerability has been resolved: efi: stmm: Fix incorrect buffer allocation method The communication buffer allocated by setup_mm_hdr() is later on passed to tee_shm_register_kernel_buf(). The latter expects those buffers to be contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause various corruptions or BUGs, speci

CVE-2025-22076 [MEDIUM] CVE-2025-22076: linux - In the Linux kernel, the following vulnerability has been resolved: exfat: fix ... In the Linux kernel, the following vulnerability has been resolved: exfat: fix missing shutdown check xfstests generic/730 test failed because after deleting the device that still had dirty data, the file could still be read without returning an error. The reason is the missing shutdown check in ->read_iter. I also noticed that shutdown checks were missing from ->wr

CVE-2025-21897 [MEDIUM] CVE-2025-21897: linux - In the Linux kernel, the following vulnerability has been resolved: sched_ext: ... In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix pick_task_scx() picking non-queued tasks when it's called without balance() a6250aa251ea ("sched_ext: Handle cases where pick_task_scx() is called without preceding balance_scx()") added a workaround to handle the cases where pick_task_scx() is called without prececing balance_scx() w

CVE-2025-40063 [LOW] CVE-2025-40063: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: com... In the Linux kernel, the following vulnerability has been resolved: crypto: comp - Use same definition of context alloc and free ops In commit 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp"), the crypto_acomp_streams struct was made to rely on having the alloc_ctx and free_ctx operations defined in the same order as the scomp_alg struct. B

CVE-2025-40209 [LOW] CVE-2025-40209: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the

CVE-2025-21933 [MEDIUM] CVE-2025-21933: linux - In the Linux kernel, the following vulnerability has been resolved: arm: pgtabl... In the Linux kernel, the following vulnerability has been resolved: arm: pgtable: fix NULL pointer dereference issue When update_mmu_cache_range() is called by update_mmu_cache(), the vmf parameter is NULL, which will cause a NULL pointer dereference issue in adjust_pte(): Unable to handle kernel NULL pointer dereference at virtual address 00000030 when read Hardwar

CVE-2025-68197 [LOW] CVE-2025-68197: linux - In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fi... In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix null pointer dereference in bnxt_bs_trace_check_wrap() With older FW, we may get the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER for FW trace data type that has not been initialized. This will result in a crash in bnxt_bs_trace_type_wrap(). Add a guard to check for a valid magic_byte pointe

CVE-2025-40038 [LOW] CVE-2025-40038: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: S... In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP isn't valid, e.g. because KVM is running with nrips=false. SVM must decode and emulate to skip the instruction if the CPU doesn't provide the next RIP, and gett

CVE-2025-38341 [HIGH] CVE-2025-38341: linux - In the Linux kernel, the following vulnerability has been resolved: eth: fbnic:... In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. All existing callers dutifully free the page. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.12.35-1) sid: re

CVE-2025-38287 [MEDIUM] CVE-2025-38287: linux - In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop... In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep assert and WARN when freeing old msg The send completion handler can run after cm_id has advanced to another message. The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently

CVE-2025-22082 [MEDIUM] CVE-2025-22082: linux - In the Linux kernel, the following vulnerability has been resolved: iio: backen... In the Linux kernel, the following vulnerability has been resolved: iio: backend: make sure to NULL terminate stack buffer Make sure to NULL terminate the buffer in iio_backend_debugfs_write_reg() before passing it to sscanf(). It is a stack variable so we should not assume it will 0 initialized. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fi

CVE-2025-21809 [MEDIUM] CVE-2025-21809: linux - In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs:... In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix peer hash locking vs RCU callback In its address list, afs now retains pointers to and refs on one or more rxrpc_peer objects. The address list is freed under RCU and at this time, it puts the refs on those peers. Now, when an rxrpc_peer object runs out of refs, it gets removed from

CVE-2025-22123 [MEDIUM] CVE-2025-22123: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid accessing uninitialized curseg syzbot reports a f2fs bug as below: F2FS-fs (loop3): Stopped filesystem due to reason: 7 kworker/u8:7: attempt to access beyond end of device BUG: unable to handle page fault for address: ffffed1604ea3dfa RIP: 0010:get_ckpt_valid_blocks fs/f2fs/segme

CVE-2025-37799 [MEDIUM] CVE-2025-37799: linux - In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fi... In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A sim

CVE-2025-40004 [LOW] CVE-2025-40004: linux - In the Linux kernel, the following vulnerability has been resolved: net/9p: Fix... In the Linux kernel, the following vulnerability has been resolved: net/9p: Fix buffer overflow in USB transport layer A buffer overflow vulnerability exists in the USB 9pfs transport layer where inconsistent size validation between packet header parsing and actual data copying allows a malicious USB host to overflow heap buffers. The issue occurs because: - usb9pfs_rx

CVE-2025-37743 [MEDIUM] CVE-2025-37743: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid memory leak while enabling statistics Driver uses monitor destination rings for extended statistics mode and standalone monitor mode. In extended statistics mode, TLVs are parsed from the buffer received from the monitor destination ring and assigned to the ppdu_info structure to