Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

CVE-2026-23437 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
CVE-2026-23437 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
net: shaper: protect late read accesses to the hierarchy
We look up a netdev during prep of Netlink ops (pre- callbacks) and take a ref to it. Then later in the body of the callback we take its lock or RCU which are the actual protections. This is not proper, a conversion from a ref to a locked netdev
debian
CVE-2026-23079 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23079 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify()
On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results in leaks. Fix it.
Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.18.8-1) sid: resolved (fixed in 6.
debian
CVE-2026-23017 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23017 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
idpf: fix error handling in the init_task on load
If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Followi
debian
CVE-2026-23416 | LOW | fixed in linux 6.19.11-1 (sid) | 2026
CVE-2026-23416 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
mm/mseal: update VMA end correctly on merge
Previously we stored the end of the current VMA in curr_end, and then upon iterating to the next VMA updated curr_start to curr_end to advance to the next VMA. However, this doesn't take into account the fact that a VMA might be updated due to a merge by vma_
debian
CVE-2026-22978 | LOW | CVSS 3.3 | fixed in linux 6.1.162-1 (bookworm) | 2026
CVE-2026-22978 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
wifi: avoid kernel-infoleak from struct iw_point
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
  void __user *pointer; /* Pointer to the data (in user space) */
  __u16 length; /* number of fields or size in bytes */
  __u16 flags; /* Optional params */
};
Make sure to zero the structur
debian
CVE-2026-23094 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23094 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
uacce: fix isolate sysfs check condition
uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Curren
debian
CVE-2026-23259 | LOW | fixed in linux 6.18.10-1 (forky) | 2026
CVE-2026-23259 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
io_uring/rw: free potentially allocated iovec on cache put failure
If a read/write request goes through io_req_rw_cleanup() and has an allocated iovec attached and fails to put to the rw_cache, then it may end up with an unaccounted iovec pointer. Have io_rw_recycle() return whether it recycled the req
debian
CVE-2026-23024 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23024 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
idpf: fix memory leak of flow steer list on rmmod
The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through th
debian
CVE-2026-23402 | LOW | fixed in linux 6.19.11-1 (sid) | 2026
CVE-2026-23402 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Only WARN in direct MMUs when overwriting shadow-present SPTE
Adjust KVM's sanity check against overwriting a shadow-present SPTE with another SPTE with a different target PFN to only apply to direct MMUs, i.e. only to MMUs without shadowed gPTEs. While it's impossible for KVM to overwr
debian
CVE-2026-23275 | LOW | CVSS 7.8 | fixed in linux 6.19.10-1 (forky) | 2026
CVE-2026-23275 [HIGH] linux - In the Linux kernel, the following vulnerability has been resolved:
io_uring: ensure ctx->rings is stable for task work flags manipulation
If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while the ring is being resized, it's possible for the OR'ing of IORING_SQ_TASKRUN to happen in the small window of swapping into the new rings and the old rings being
debian
CVE-2026-23134 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23134 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
slab: fix kmalloc_nolock() context check for PREEMPT_RT
On PREEMPT_RT kernels, local_lock becomes a sleeping lock. The current check in kmalloc_nolock() only verifies we're not in NMI or hard IRQ context, but misses the case where preemption is disabled. When a BPF program runs from a tracepoint wit
debian
CVE-2026-23288 | LOW | CVSS 7.8 | fixed in linux 6.19.8-1 (forky) | 2026
CVE-2026-23288 [HIGH] linux - In the Linux kernel, the following vulnerability has been resolved:
accel/amdxdna: Fix out-of-bounds memset in command slot handling
The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verifying the available slot space can result in an out-of-bounds write and memory corruption. Fix
debian
CVE-2026-31398 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
CVE-2026-31398 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
mm/rmap: fix incorrect pte restoration for lazyfree folios
We batch unmap anonymous lazyfree folios by folio_unmap_pte_batch. If the batch has a mix of writable and non-writable bits, we may end up setting the entire batch writable. Fix this by respecting writable bit during batching. Although on a suc
debian
CVE-2026-23263 | LOW | fixed in linux 6.18.10-1 (forky) | 2026
CVE-2026-23263 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
io_uring/zcrx: fix page array leak
d9f595b9a65e ("io_uring/zcrx: fix leaking pages on sg init fail") fixed a page leakage but didn't free the page array, release it as well.
Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixie
debian
CVE-2026-23015 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23015 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will
debian
CVE-2026-23197 | LOW | CVSS 5.5 | fixed in linux 6.18.10-1 (forky) | 2026
CVE-2026-23197 [MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
i2c: imx: preserve error state in block data length handler
When a block read returns an invalid length, zero or >I2C_SMBUS_BLOCK_MAX, the length handler sets the state to IMX_I2C_STATE_FAILED. However, i2c_imx_master_isr() unconditionally overwrites this with IMX_I2C_STATE_READ_CONTINUE, causing an
debian
CVE-2026-23464 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
CVE-2026-23464 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
In mpfs_sys_controller_probe(), if of_get_mtd_device_by_node() fails, the function returns immediately without freeing the allocated memory for sys_controller, leading to a memory leak. Fix this by jumping to the out_free label to ens
debian
CVE-2026-23027 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23027 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. Scop
debian
CVE-2026-23417 | LOW | fixed in linux 6.19.11-1 (sid) | 2026
CVE-2026-23417 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix constant blinding for PROBE_MEM32 stores
BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1. The root cause is that convert_ctx_accesses() rewr
debian
CVE-2026-23028 | LOW | fixed in linux 6.18.8-1 (forky) | 2026
CVE-2026-23028 [LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it.
Scope: local
debian