Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown
CRITICAL: 70
HIGH: 2670
MEDIUM: 6247
LOW: 3072
UNKNOWN: 1227
Vulnerabilities
CVE-2026-23435 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
CVE-2026-23435 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: perf/x86: Move event pointer setup earlier in x86_pmu_enable() A production AMD EPYC system crashed with a NULL pointer dereference in the PMU NMI handler: BUG: kernel NULL pointer dereference, address: 0000000000000198 RIP: x86_perf_event_update+0xc/0xa0 Call Trace: amd_pmu_v2_handle_irq+0x1a6/0x390 p
debian
CVE-2026-23424 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23424 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Validate command buffer payload count The count field in the command header is used to determine the valid payload size. Verify that the valid payload does not exceed the remaining buffer space.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.19.8-1)
sid: r
debian
CVE-2026-22993 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-22993 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss
debian
CVE-2026-23313 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23313 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: i40e: Fix preempt count leak in napi poll tracepoint Using get_cpu() in the tracepoint assignment causes an obvious preempt count leak because nothing invokes put_cpu() to undo it: softirq: huh, entered softirq 3 NET_RX with preempt_count 00000100, exited with 00000101? This clearly has seen a lot of t
debian
CVE-2026-23045 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23045 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in ena. WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) Hard
debian
CVE-2026-23052 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23052 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a mu
debian
CVE-2026-23040 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23040 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif.
Scope: local
bookworm: resolved
bullseye: res
debian
CVE-2026-23051 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23051 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.18.8
debian
CVE-2026-22985 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-22985 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initiali
debian
CVE-2026-23130 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23130 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dead lock while flushing management frames Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario: 1. a management frame is queued for transmission. 2. ath
debian
CVE-2026-23377 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23377 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: ice: change XDP RxQ frag_size from DMA write length to xdp.frame_sz The only user of frag_size field in XDP RxQ info is bpf_xdp_frags_increase_tail(). It clearly expects whole buff size instead of DMA write size. Different assumptions in ice driver configuration lead to negative tailroom. This allows t
debian
CVE-2026-23425 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23425 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix ID register initialization for non-protected pKVM guests In protected mode, the hypervisor maintains a separate instance of the `kvm` structure for each VM. For non-protected VMs, this structure is initialized from the host's `kvm` state. Currently, `pkvm_init_features_from_host()` copi
debian
CVE-2026-23252 | LOW | fixed in linux 6.19.6-1 (forky) | 2026
CVE-2026-23252 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: xfs: get rid of the xchk_xfile_*_descr calls The xchk_xfile_*_descr macros call kasprintf, which can fail to allocate memory if the formatted string is larger than 16 bytes (or whatever the nofail guarantees are nowadays). Some of them could easily exceed that, and Jiaming Zhang found a few places wher
debian
CVE-2026-23185 | LOW | CVSS 7.8 | fixed in linux 6.18.10-1 (forky) | 2026
CVE-2026-23185 [HIGH]: linux
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: cancel mlo_scan_start_wk mlo_scan_start_wk is not canceled on disconnection. In fact, it is not canceled anywhere except in the restart cleanup, where we don't really have to. This can cause an init-after-queue issue: if, for example, the work was queued and then drv_change_interfa
debian
CVE-2026-23014 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23014 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a pe
debian
CVE-2026-23341 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23341 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix crash when destroying a suspended hardware context If userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, the driver may crash because the mailbox channel pointer is NULL for the suspended context. Fix this by checking the mailbox ch
debian
CVE-2026-23104 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23104 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit
debian
CVE-2026-23046 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23046 [LOW]: linux
In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ------------[ cut here ]------------ [ 3788.514044] WARNING: driver
debian
CVE-2026-23280 | LOW | CVSS 7.8 | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23280 [HIGH]: linux
In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Prevent ubuf size overflow The ubuf size calculation may overflow, resulting in an undersized allocation and possible memory corruption. Use check_add_overflow() helpers to validate the size calculation before allocation.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolve
debian
CVE-2026-23219 | LOW | CVSS 5.5 | fixed in linux 6.18.10-1 (forky) | 2026
CVE-2026-23219 [MEDIUM]: linux
In the Linux kernel, the following vulnerability has been resolved: mm/slab: Add alloc_tagging_slab_free_hook for memcg_alloc_abort_single When CONFIG_MEM_ALLOC_PROFILING_DEBUG is enabled, the following warning may be noticed: [ 3959.023862] ------------[ cut here ]------------ [ 3959.023891] alloc_tag was not cleared (got tag for lib/xarray.c:378) [ 3959.023947] WA
debian