Debian Linux vulnerabilities

CVE-2026-23332 [LOW] CVE-2026-23332: linux - In the Linux kernel, the following vulnerability has been resolved: cpufreq: in... In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix crash during turbo disable When the system is booted with kernel command line argument "nosmt" or "maxcpus" to limit the number of CPUs, disabling turbo via: echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo results in a crash: PF: supervisor read access in kernel mode P

CVE-2026-23326 [LOW] CVE-2026-23326: linux - In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fr... In the Linux kernel, the following vulnerability has been resolved: xsk: Fix fragment node deletion to prevent buffer leak After commit b692bf9a7543 ("xsk: Get rid of xdp_buff_xsk::xskb_list_node"), the list_node field is reused for both the xskb pool list and the buffer free list, this causes a buffer leak as described below. xp_free() checks if a buffer is already on

CVE-2026-23181 [LOW] CVE-2026-23181: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: sync... In the Linux kernel, the following vulnerability has been resolved: btrfs: sync read disk super and set block size When the user performs a btrfs mount, the block device is not set correctly. The user sets the block size of the block device to 0x4000 by executing the BLKBSZSET command. Since the block size change also changes the mapping->flags value, this further affe

CVE-2026-23129 [MEDIUM] CVE-2026-23129: linux - In the Linux kernel, the following vulnerability has been resolved: dpll: Preve... In the Linux kernel, the following vulnerability has been resolved: dpll: Prevent duplicate registrations Modify the internal registration helpers dpll_xa_ref_{dpll,pin}_add() to reject duplicate registration attempts. Previously, if a caller attempted to register the same pin multiple times (with the same ops, priv, and cookie) on the same device, the core silently

CVE-2026-23117 [MEDIUM] CVE-2026-23117: linux - In the Linux kernel, the following vulnerability has been resolved: ice: add mi... In the Linux kernel, the following vulnerability has been resolved: ice: add missing ice_deinit_hw() in devlink reinit path devlink-reload results in ice_init_hw failed error, and then removing the ice driver causes a NULL pointer dereference. [ +0.102213] ice 0000:ca:00.0: ice_init_hw failed: -16 ... [ +0.000001] Call Trace: [ +0.000003] [ +0.000006] ice_unload+0x8

CVE-2026-23211 [MEDIUM] CVE-2026-23211: linux - In the Linux kernel, the following vulnerability has been resolved: mm, swap: r... In the Linux kernel, the following vulnerability has been resolved: mm, swap: restore swap_space attr aviod kernel panic commit 8b47299a411a ("mm, swap: mark swap address space ro and add context debug check") made the swap address space read-only. It may lead to kernel panic if arch_prepare_to_swap returns a failure under heavy memory pressure as follows, el1_abort

CVE-2026-23032 [LOW] CVE-2026-23032: linux - In the Linux kernel, the following vulnerability has been resolved: null_blk: f... In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level null

CVE-2026-23427 [LOW] CVE-2026-23427: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in durable v2 replay of active file handles parse_durable_handle_context() unconditionally assigns dh_info->fp->conn to the current connection when handling a DURABLE_REQ_V2 context with SMB2_FLAGS_REPLAY_OPERATION. ksmbd_lookup_fd_cguid() does not filter by fp->conn, so it re

CVE-2026-23386 [LOW] CVE-2026-23386: linux - In the Linux kernel, the following vulnerability has been resolved: gve: fix in... In the Linux kernel, the following vulnerability has been resolved: gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL In DQ-QPL mode, gve_tx_clean_pending_packets() incorrectly uses the RDA buffer cleanup path. It iterates num_bufs times and attempts to unmap entries in the dma array. This leads to two issues: 1. The dma array shares storage wit

CVE-2026-23136 [HIGH] CVE-2026-23136: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: re... In the Linux kernel, the following vulnerability has been resolved: libceph: reset sparse-read state in osd_fault() When a fault occurs, the connection is abandoned, reestablished, and any pending operations are retried. The OSD client tracks the progress of a sparse-read reply using a separate state machine, largely independent of the messenger's state. If a connecti

CVE-2026-23067 [MEDIUM] CVE-2026-23067: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/io-pg... In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). Th

CVE-2026-23451 [LOW] CVE-2026-23451: linux - In the Linux kernel, the following vulnerability has been resolved: bonding: pr... In the Linux kernel, the following vulnerability has been resolved: bonding: prevent potential infinite loop in bond_header_parse() bond_header_parse() can loop if a stack of two bonding devices is setup, because skb->dev always points to the hierarchy top. Add new "const struct net_device *dev" parameter to (struct header_ops)->parse() method to make sure the recursio

CVE-2026-23153 [MEDIUM] CVE-2026-23153: linux - In the Linux kernel, the following vulnerability has been resolved: firewire: c... In the Linux kernel, the following vulnerability has been resolved: firewire: core: fix race condition against transaction list The list of transaction is enumerated without acquiring card lock when processing AR response event. This causes a race condition bug when processing AT request completion event concurrently. This commit fixes the bug by put timer start for

CVE-2026-23147 [MEDIUM] CVE-2026-23147: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib... In the Linux kernel, the following vulnerability has been resolved: btrfs: zlib: fix the folio leak on S390 hardware acceleration [BUG] After commit aa60fe12b4f4 ("btrfs: zlib: refactor S390x HW acceleration buffer preparation"), we no longer release the folio of the page cache of folio returned by btrfs_compress_filemap_get_folio() for S390 hardware acceleration pa

CVE-2026-23082 [MEDIUM] CVE-2026-23082: linux - In the Linux kernel, the following vulnerability has been resolved: can: gs_usb... In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a ("can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak"), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during clea

CVE-2026-23342 [LOW] CVE-2026-23342: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix ra... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix race in cpumap on PREEMPT_RT On PREEMPT_RT kernels, the per-CPU xdp_bulk_queue (bq) can be accessed concurrently by multiple preemptible tasks on the same CPU. The original code assumes bq_enqueue() and __cpu_map_flush() run atomically with respect to each other on the same CPU, relying on loc

CVE-2026-23363 [LOW] CVE-2026-23363: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76:... In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt7925_mac_write_txwi_80211 in order to avoid a possible oob access. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.19.8-1) sid: resolved (

CVE-2026-23077 [HIGH] CVE-2026-23077: linux - In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix... In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. Ho

CVE-2026-23135 [MEDIUM] CVE-2026-23135: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix dma_free_coherent() pointer dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fix

CVE-2026-23158 [HIGH] CVE-2026-23158: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: virtu... In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix UAF in configfs release path The gpio-virtuser configfs release path uses guard(mutex) to protect the device structure. However, the device is freed before the guard cleanup runs, causing mutex_unlock() to operate on freed memory. Specifically, gpio_virtuser_device_config_group_rel