Debian Linux vulnerabilities

CVE-2026-23453 [LOW] CVE-2026-23453: linux - In the Linux kernel, the following vulnerability has been resolved: net: ti: ic... In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: Fix memory leak in XDP_DROP for non-zero-copy mode Page recycling was removed from the XDP_DROP path in emac_run_xdp() to avoid conflicts with AF_XDP zero-copy mode, which uses xsk_buff_free() instead. However, this causes a memory leak when running XDP programs that drop packets

CVE-2026-31404 [LOW] CVE-2026-31404: linux - In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer... In the Linux kernel, the following vulnerability has been resolved: NFSD: Defer sub-object cleanup in export put callbacks svc_export_put() calls path_put() and auth_domain_put() immediately when the last reference drops, before the RCU grace period. RCU readers in e_show() and c_show() access both ex_path (via seq_path/d_path) and ex_client->name (via seq_escape) with

CVE-2026-23254 [LOW] CVE-2026-23254: linux - In the Linux kernel, the following vulnerability has been resolved: net: gro: f... In the Linux kernel, the following vulnerability has been resolved: net: gro: fix outer network offset The udp GRO complete stage assumes that all the packets inserted the RX have the `encapsulation` flag zeroed. Such assumption is not true, as a few H/W NICs can set such flag when H/W offloading the checksum for an UDP encapsulated traffic, the tun driver can inject G

CVE-2026-23232 [MEDIUM] CVE-2026-23232: linux - In the Linux kernel, the following vulnerability has been resolved: Revert "f2f... In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio write during f2fs_enable_checkpoint()" This reverts commit 196c81fdd438f7ac429d5639090a9816abb9760a. Original patch may cause below deadlock, revert it. write remount - write_begin - lock_page --- lock A - prepare_write_begin - f2fs_map_lock - f2fs_enable_checkpoint - d

CVE-2026-23430 [LOW] CVE-2026-23430: linux - In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx:... In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Don't overwrite KMS surface dirty tracker We were overwriting the surface's dirty tracker here causing a memory leak. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.19.10-1) sid: resolved (fixed in 6.19.10-1) trixie: resolved

CVE-2026-23224 [HIGH] CVE-2026-23224: linux - In the Linux kernel, the following vulnerability has been resolved: erofs: fix ... In the Linux kernel, the following vulnerability has been resolved: erofs: fix UAF issue for file-backed mounts w/ directio option [ 9.269940][ T3222] Call trace: [ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 [ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 [ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 [ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x

CVE-2026-23387 [LOW] CVE-2026-23387: linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: ci... In the Linux kernel, the following vulnerability has been resolved: pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe() devm_add_action_or_reset() already invokes the action on failure, so the explicit put causes a double-put. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.19.8-1) sid: resolved (fixed in 6.19.8-1) trixie: ope

CVE-2026-23159 [MEDIUM] CVE-2026-23159: linux - In the Linux kernel, the following vulnerability has been resolved: perf: sched... In the Linux kernel, the following vulnerability has been resolved: perf: sched: Fix perf crash with new is_user_task() helper In order to do a user space stacktrace the current task needs to be a user task that has executed in user space. It use to be possible to test if a task is a user task or not by simply checking the task_struct mm field. If it was non NULL, i

CVE-2026-23203 [MEDIUM] CVE-2026-23203: linux - In the Linux kernel, the following vulnerability has been resolved: net: cpsw_n... In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this change triggered the following call trace on

CVE-2026-23210 [MEDIUM] CVE-2026-23210: linux - In the Linux kernel, the following vulnerability has been resolved: ice: Fix PT... In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3. VSI rebuild happens

CVE-2026-23353 [LOW] CVE-2026-23353: linux - In the Linux kernel, the following vulnerability has been resolved: ice: fix cr... In the Linux kernel, the following vulnerability has been resolved: ice: fix crash in ethtool offline loopback test Since the conversion of ice to page pool, the ethtool loopback test crashes: BUG: kernel NULL pointer dereference, address: 000000000000000c #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1100f1067 P4D 0 Oops: O

CVE-2026-23048 [LOW] CVE-2026-23048: linux - In the Linux kernel, the following vulnerability has been resolved: udp: call s... In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); W

CVE-2026-23459 [LOW] CVE-2026-23459: linux - In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: ... In the Linux kernel, the following vulnerability has been resolved: ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats(). iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS. @syncp offset in pcpu_sw_netstats and pcpu_dstats

CVE-2026-23250 [LOW] CVE-2026-23250: linux - In the Linux kernel, the following vulnerability has been resolved: xfs: check ... In the Linux kernel, the following vulnerability has been resolved: xfs: check return value of xchk_scrub_create_subord Fix this function to return NULL instead of a mangled ENOMEM, then fix the callers to actually check for a null pointer and return ENOMEM. Most of the corrections here are for code merged between 6.2 and 6.10. Scope: local bookworm: resolved bullseye:

CVE-2026-23057 [LOW] CVE-2026-23057: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/virti... In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that

CVE-2026-23016 [MEDIUM] CVE-2026-23016: linux - In the Linux kernel, the following vulnerability has been resolved: inet: frags... In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARN

CVE-2026-23384 [LOW] CVE-2026-23384: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic:... In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix kernel stack leak in ionic_create_cq() struct ionic_cq_resp resp { __u32 cqid[2]; // offset 0 - PARTIALLY SET (see below) __u8 udma_mask; // offset 8 - SET (resp.udma_mask = vcq->udma_mask) __u8 rsvd[7]; // offset 9 - NEVER SET udma_mask & BIT(udma_idx)). The array has 2 entries but udm

CVE-2026-23373 [LOW] CVE-2026-23373: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: ... In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config This triggers a WARN_ON in ieee80211_hw_conf_init and isn't the expected behavior from the driver - other drivers default to 0 too. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.19.8-1) sid: resolved (fixed

CVE-2026-23432 [LOW] CVE-2026-23432: linux - In the Linux kernel, the following vulnerability has been resolved: mshv: Fix u... In the Linux kernel, the following vulnerability has been resolved: mshv: Fix use-after-free in mshv_map_user_memory error path In the error path of mshv_map_user_memory(), calling vfree() directly on the region leaves the MMU notifier registered. When userspace later unmaps the memory, the notifier fires and accesses the freed region, causing a use-after-free and pote

CVE-2026-23065 [MEDIUM] CVE-2026-23065: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix memory leak in wbrf_record() The tmp buffer is allocated using kcalloc() but is not freed if acpi_evaluate_dsm() fails. This causes a memory leak in the error path. Fix this by explicitly freeing the tmp buffer in the error handling path of acpi_evaluate_dsm(). Scope: local boo