Debian Linux vulnerabilities

CVE-2026-23322 [LOW] CVE-2026-23322: linux - In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix u... In the Linux kernel, the following vulnerability has been resolved: ipmi: Fix use-after-free and list corruption on sender error The analysis from Breno: When the SMI sender returns an error, smi_work() delivers an error response but then jumps back to restart without cleaning up properly: 1. intf->curr_msg is not cleared, so no new message is pulled 2. newmsg still po

CVE-2026-23201 [MEDIUM] CVE-2026-23201: linux - In the Linux kernel, the following vulnerability has been resolved: ceph: fix o... In the Linux kernel, the following vulnerability has been resolved: ceph: fix oops due to invalid pointer for kfree() in parse_longname() This fixes a kernel oops when reading ceph snapshot directories (.snap), for example by simply running `ls /mnt/my_ceph/.snap`. The variable str is guarded by __free(kfree), but advanced by one for skipping the initial '_' in snap

CVE-2026-23194 [HIGH] CVE-2026-23194: linux - In the Linux kernel, the following vulnerability has been resolved: rust_binder... In the Linux kernel, the following vulnerability has been resolved: rust_binder: correctly handle FDA objects of length zero Fix a bug where an empty FDA (fd array) object with 0 fds would cause an out-of-bounds error. The previous implementation used `skip == 0` to mean "this is a pointer fixup", but 0 is also the correct skip length for an empty FDA. If the FDA is a

CVE-2026-23012 [HIGH] CVE-2026-23012: linux - In the Linux kernel, the following vulnerability has been resolved: mm/damon/co... In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns error while keeping the damon_call_control object linked to the context's call_controls list. Let's suppose the object is deallocated after the damon_ca

CVE-2026-23331 [LOW] CVE-2026-23331: linux - In the Linux kernel, the following vulnerability has been resolved: udp: Unhash... In the Linux kernel, the following vulnerability has been resolved: udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected. Let's say we bind() an UDP socket to the wildcard address with a non-zero port, connect() it to an address, and disconnect it from the address. bind() sets SOCK_BINDPORT_LOCK on sk->sk_userlocks (but not SOCK_BINDADDR_LOCK),

CVE-2026-23360 [LOW] CVE-2026-23360: linux - In the Linux kernel, the following vulnerability has been resolved: nvme: fix a... In the Linux kernel, the following vulnerability has been resolved: nvme: fix admin queue leak on controller reset When nvme_alloc_admin_tag_set() is called during a controller reset, a previous admin queue may still exist. Release it properly before allocating a new one to avoid orphaning the old queue. This fixes a regression introduced by commit 03b3bcd319b3 ("nvme:

CVE-2026-23443 [LOW] CVE-2026-23443: linux - In the Linux kernel, the following vulnerability has been resolved: ACPI: proce... In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-afte

CVE-2026-23115 [MEDIUM] CVE-2026-23115: linux - In the Linux kernel, the following vulnerability has been resolved: serial: Fix... In the Linux kernel, the following vulnerability has been resolved: serial: Fix not set tty->port race condition Revert commit bfc467db60b7 ("serial: remove redundant tty_port_link_device()") because the tty_port_link_device() is not redundant: the tty->port has to be confured before we call uart_configure_port(), otherwise user-space can open console without TTY li

CVE-2026-23155 [MEDIUM] CVE-2026-23155: linux - In the Linux kernel, the following vulnerability has been resolved: can: gs_usb... In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix error message Sinc commit 79a6d1bfe114 ("can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error") a failing resubmit URB will print an info message. In the case of a short read where netdev has not yet been assigned, initi

CVE-2026-23295 [LOW] CVE-2026-23295: linux - In the Linux kernel, the following vulnerability has been resolved: accel/amdxd... In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix dead lock for suspend and resume When an application issues a query IOCTL while auto suspend is running, a deadlock can occur. The query path holds dev_lock and then calls pm_runtime_resume_and_get(), which waits for the ongoing suspend to complete. Meanwhile, the suspend callback at

CVE-2026-23184 [HIGH] CVE-2026-23184: linux - In the Linux kernel, the following vulnerability has been resolved: binder: fix... In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF in binder_netlink_report() Oneway transactions sent to frozen targets via binder_proc_transaction() return a BR_TRANSACTION_PENDING_FROZEN error but they are still treated as successful since the target is expected to thaw at some point. It is then not safe to access 't' after BR_TRANS

CVE-2026-23199 [MEDIUM] CVE-2026-23199: linux - In the Linux kernel, the following vulnerability has been resolved: procfs: avo... In the Linux kernel, the following vulnerability has been resolved: procfs: avoid fetching build ID while holding VMA lock Fix PROCMAP_QUERY to fetch optional build ID only after dropping mmap_lock or per-VMA lock, whichever was used to lock VMA under question, to avoid deadlock reported by syzbot: -> #1 (&mm->mmap_lock){++++}-{4:4}: __might_fault+0xed/0x170 _copy_t

CVE-2026-23123 [MEDIUM] CVE-2026-23123: linux - In the Linux kernel, the following vulnerability has been resolved: interconnec... In the Linux kernel, the following vulnerability has been resolved: interconnect: debugfs: initialize src_node and dst_node to empty strings The debugfs_create_str() API assumes that the string pointer is either NULL or points to valid kmalloc() memory. Leaving the pointer uninitialized can cause problems. Initialize src_node and dst_node to empty strings before cre

CVE-2026-23162 [HIGH] CVE-2026-23162: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm:... In the Linux kernel, the following vulnerability has been resolved: drm/xe/nvm: Fix double-free on aux add failure After a successful auxiliary_device_init(), aux_dev->dev.release (xe_nvm_release_dev()) is responsible for the kfree(nvm). When there is failure with auxiliary_device_add(), driver will call auxiliary_device_uninit(), which call put_device(). So that the

CVE-2026-23305 [LOW] CVE-2026-23305: linux - In the Linux kernel, the following vulnerability has been resolved: accel/rocke... In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_

CVE-2026-23328 [LOW] CVE-2026-23328: linux - In the Linux kernel, the following vulnerability has been resolved: accel/amdxd... In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix NULL pointer dereference of mgmt_chann mgmt_chann may be set to NULL if the firmware returns an unexpected error in aie2_send_mgmt_msg_wait(). This can later lead to a NULL pointer dereference in aie2_hw_stop(). Fix this by introducing a dedicated helper to destroy mgmt_chann and by

CVE-2026-23062 [MEDIUM] CVE-2026-23062: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used 'name without checking if attr_name_kobj was NULL, causing a null pointer dereference in min_length_s

CVE-2026-23375 [LOW] CVE-2026-23375: linux - In the Linux kernel, the following vulnerability has been resolved: mm: thp: de... In the Linux kernel, the following vulnerability has been resolved: mm: thp: deny THP for files on anonymous inodes file_thp_enabled() incorrectly allows THP for files on anonymous inodes (e.g. guest_memfd and secretmem). These files are created via alloc_file_pseudo(), which does not call get_write_access() and leaves inode->i_writecount at 0. Combined with S_ISREG(in

CVE-2026-23418 [LOW] CVE-2026-23418: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_... In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Fix leak on xa_store failure Free the newly allocated entry when xa_store() fails to avoid a memory leak on the error path. v2: use goto fail_free. (Bala) (cherry picked from commit 6bc6fec71ac45f52db609af4e62bdb96b9f5fadb) Scope: local bookworm: resolved bullseye: resolved forky: resolv

CVE-2026-31406 [LOW] CVE-2026-31406: linux - In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix w... In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work.