Debian Linux vulnerabilities

CVE-2026-23034 [LOW] CVE-2026-23034: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence

CVE-2026-22989 [MEDIUM] CVE-2026-22989: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: check... In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn't running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as

CVE-2026-23200 [MEDIUM] CVE-2026-23200: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix E... In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF syzbot reported a kernel BUG in fib6_add_rt2node() when adding an IPv6 route. [0] Commit f72514b3c569 ("ipv6: clear RA flags when adding a static route") introduced logic to clear RTF_ADDRCONF from existing routes when a static route w

CVE-2026-23323 [LOW] CVE-2026-23323: linux - In the Linux kernel, the following vulnerability has been resolved: hwmon: (mac... In the Linux kernel, the following vulnerability has been resolved: hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines. Specifically: - The voltage sensor population loop used the wrong prefix ("volt-" instead of "voltage-")

CVE-2026-23347 [LOW] CVE-2026-23347: linux - In the Linux kernel, the following vulnerability has been resolved: can: usb: f... In the Linux kernel, the following vulnerability has been resolved: can: usb: f81604: correctly anchor the urb in the read bulk callback When submitting an urb, that is using the anchor pattern, it needs to be anchored before submitting it otherwise it could be leaked if usb_kill_anchored_urbs() is called. This logic is correctly done elsewhere in the driver, except in

CVE-2026-23297 [LOW] CVE-2026-23297: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix c... In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit(). syzbot reported memory leak of struct cred. [0] nfsd_nl_threads_set_doit() passes get_current_cred() to nfsd_svc(), but put_cred() is not called after that. The cred is finally passed down to _svc_xprt_create(), which calls get_cred() with the cred

CVE-2026-23251 [LOW] CVE-2026-23251: linux - In the Linux kernel, the following vulnerability has been resolved: xfs: only c... In the Linux kernel, the following vulnerability has been resolved: xfs: only call xf{array,blob}_destroy if we have a valid pointer Only call the xfarray and xfblob destructor if we have a valid pointer, and be sure to null out that pointer afterwards. Note that this patch fixes a large number of commits, most of which were merged between 6.9 and 6.10. Scope: local bo

CVE-2026-23431 [LOW] CVE-2026-23431: linux - In the Linux kernel, the following vulnerability has been resolved: spi: amlogi... In the Linux kernel, the following vulnerability has been resolved: spi: amlogic-spisg: Fix memory leak in aml_spisg_probe() In aml_spisg_probe(), ctlr is allocated by spi_alloc_target()/spi_alloc_host(), but fails to call spi_controller_put() in several error paths. This leads to a memory leak whenever the driver fails to probe after the initial allocation. Convert to

CVE-2026-23160 [MEDIUM] CVE-2026-23160: linux - In the Linux kernel, the following vulnerability has been resolved: octeon_ep: ... In the Linux kernel, the following vulnerability has been resolved: octeon_ep: Fix memory leak in octep_device_setup() In octep_device_setup(), if octep_ctrl_net_init() fails, the function returns directly without unmapping the mapped resources and freeing the allocated configuration memory. Fix this by jumping to the unsupported_dev label, which performs the necess

CVE-2026-22983 [MEDIUM] CVE-2026-22983: linux - In the Linux kernel, the following vulnerability has been resolved: net: do not... In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don't set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. S

CVE-2026-23469 [LOW] CVE-2026-23469: linux - In the Linux kernel, the following vulnerability has been resolved: drm/imagina... In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Synchronize interrupts before suspending the GPU The runtime PM suspend callback doesn't know whether the IRQ handler is in progress on a different CPU core and doesn't wait for it to finish. Depending on timing, the IRQ handler could be running while the GPU is suspended, leading to k

CVE-2026-23315 CVE-2026-23315: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76:... In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211() Check frame length before accessing the mgmt fields in mt76_connac2_mac_write_txwi_80211 in order to avoid a possible oob access. [fix check to also cover mgmt->u.action.u.addba_req.capab, correct Fixes tag] Scope: local bookworm: ope

CVE-2026-23409 CVE-2026-23409: linux - In the Linux kernel, the following vulnerability has been resolved: apparmor: f... In the Linux kernel, the following vulnerability has been resolved: apparmor: fix differential encoding verification Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates. Unfortunately the differential encode verification had two bugs. 1. it conflated states that had gone through check

CVE-2026-23462 CVE-2026-23462: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: HIDP: Fix possible UAF This fixes the following trace caused by not dropping l2cap_conn reference when user->remove callback is called: [ 97.809249] l2cap_conn_free: freeing conn ffff88810a171c00 [ 97.809907] CPU: 1 UID: 0 PID: 1419 Comm: repro_standalon Not tainted 7.0.0-rc1-dirty #14 PREEMPT(laz

CVE-2026-23346 CVE-2026-23346: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: io: ... In the Linux kernel, the following vulnerability has been resolved: arm64: io: Extract user memory type in ioremap_prot() The only caller of ioremap_prot() outside of the generic ioremap() implementation is generic_access_phys(), which passes a 'pgprot_t' value determined from the user mapping of the target 'pfn' being accessed by the kernel. On arm64, the 'pgprot_t' contain

CVE-2026-23422 CVE-2026-23422: linux - In the Linux kernel, the following vulnerability has been resolved: dpaa2-switc... In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler Commit 31a7a0bbeb00 ("dpaa2-switch: add bounds check for if_id in IRQ handler") introduces a range check for if_id to avoid an out-of-bounds access. If an out-of-bounds if_id is detected, the interrupt status is not cleared. This may

CVE-2026-23256 CVE-2026-23256: linux - In the Linux kernel, the following vulnerability has been resolved: net: liquid... In the Linux kernel, the following vulnerability has been resolved: net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup In setup_nic_devices(), the initialization loop jumps to the label setup_nic_dev_free on failure. The current cleanup loop while(i--) skip the failing index i, causing a memory leak. Fix this by changing the loop to iterate from the curren

CVE-2026-31402 CVE-2026-31402: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: fix h... In the Linux kernel, the following vulnerability has been resolved: nfsd: fix heap overflow in NFSv4.0 LOCK replay cache The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting

CVE-2026-23359 CVE-2026-23359: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix st... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix stack-out-of-bounds write in devmap get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds. Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that

CVE-2026-23473 CVE-2026-23473: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/po... In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: fix multishot recv missing EOF on wakeup race When a socket send and shutdown() happen back-to-back, both fire wake-ups before the receiver's task_work has a chance to run. The first wake gets poll ownership (poll_refs=1), and the second bumps it to 2. When io_poll_check_events() runs, it call