Debian Linux vulnerabilities

CVE-2026-23343 CVE-2026-23343: linux - In the Linux kernel, the following vulnerability has been resolved: xdp: produc... In the Linux kernel, the following vulnerability has been resolved: xdp: produce a warning when calculated tailroom is negative Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), clearly expects a truesize. Such difference leads to unspecific memory corruption is

CVE-2026-23247 CVE-2026-23247: linux - In the Linux kernel, the following vulnerability has been resolved: tcp: secure... In the Linux kernel, the following vulnerability has been resolved: tcp: secure_seq: add back ports to TS offset This reverts 28ee1b746f49 ("secure_seq: downgrade to per-host timestamp offsets") tcp_tw_recycle went away in 2017. Zhouyan Deng reported off-path TCP source port leakage via SYN cookie side-channel that can be fixed in multiple ways. One of them is to bring back

CVE-2026-23318 CVE-2026-23318: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-a... In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Use correct version for UAC3 header validation The entry of the validators table for UAC3 AC header descriptor is defined with the wrong protocol version UAC_VERSION_2, while it should have been UAC_VERSION_3. This results in the validator never matching for actual UAC3 devices (protocol ==

CVE-2026-23357 CVE-2026-23357: linux - In the Linux kernel, the following vulnerability has been resolved: can: mcp251... In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock in error path of mcp251x_open The mcp251x_open() function call free_irq() in its error path with the mpc_lock mutex held. But if an interrupt already occurred the interrupt handler will be waiting for the mpc_lock and free_irq() will deadlock waiting for the handler to finish. This

CVE-2026-23335 CVE-2026-23335: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma:... In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah() struct irdma_create_ah_resp { // 8 bytes, no padding __u32 ah_id; // offset 0 - SET (uresp.ah_id = ah->sc_ah.ah_info.ah_idx) __u8 rsvd[4]; // offset 4 - NEVER SET <- LEAK }; rsvd[4]: 4 bytes of stack memory leaked unconditionally. Only ah_id is assi

CVE-2026-23290 CVE-2026-23290: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: p... In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: validate USB endpoints The pegasus driver should validate that the device it is probing has the proper number and types of USB endpoints it is expecting before it binds to it. If a malicious device were to not have the same urbs the driver will crash later on when it blindly accesses these

CVE-2026-23047 CVE-2026-23047: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: ma... In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn't be paused anymore, but doesn't ever set t->paused even though it's able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine

CVE-2026-23368 CVE-2026-23368: linux - In the Linux kernel, the following vulnerability has been resolved: net: phy: r... In the Linux kernel, the following vulnerability has been resolved: net: phy: register phy led_triggers during probe to avoid AB-BA deadlock There is an AB-BA deadlock when both LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are enabled: [ 1362.049207] [] led_trigger_register+0x5c/0x1fc ] phy_led_triggers_register+0xd0/0x234 [ 1362.060329] [] phy_attach_direct+0x33c/0x40c [ 1362.06

CVE-2026-23428 CVE-2026-23428: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free of share_conf in compound request smb2_get_ksmbd_tcon() reuses work->tcon in compound requests without validating tcon->t_state. ksmbd_tree_conn_lookup() checks t_state == TREE_CONNECTED on the initial lookup path, but the compound reuse path bypasses this check entirely. If a prior

CVE-2026-23281 CVE-2026-23281: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: liber... In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix use-after-free in lbs_free_adapter() The lbs_free_adapter() function uses timer_delete() (non-synchronous) for both command_timer and tx_lockup_timer before the structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If a time

CVE-2026-23367 CVE-2026-23367: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: radio... In the Linux kernel, the following vulnerability has been resolved: wifi: radiotap: reject radiotap with unknown bits The radiotap parser is currently only used with the radiotap namespace (not with vendor namespaces), but if the undefined field 18 is used, the alignment/size is unknown as well. In this case, iterator->_next_ns_data isn't initialized (it's only set for skipp

CVE-2026-23362 CVE-2026-23362: linux - In the Linux kernel, the following vulnerability has been resolved: can: bcm: f... In the Linux kernel, the following vulnerability has been resolved: can: bcm: fix locking for bcm_op runtime updates Commit c2aba69d0c36 ("can: bcm: add locking for bcm_op runtime updates") added a locking for some variables that can be modified at runtime when updating the sending bcm_op with a new TX_SETUP command in bcm_tx_setup(). Usually the RX_SETUP only handles and fi

CVE-2026-23296 CVE-2026-23296: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: core:... In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix refcount leak for tagset_refcnt This leak will cause a hang when tearing down the SCSI host. For example, iscsid hangs with the following call trace: [130120.652718] scsi_alloc_sdev: Allocation failure during SCSI scanning, some SCSI devices might not be configured PID: 2528 TASK: ffff9d04089

CVE-2026-23267 CVE-2026-23267: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix I... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario Thread A Thread B f2fs_ioc_commit_atomic_write - f2fs_d

CVE-2026-23321 CVE-2026-23321: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ... In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always mark signal+subflow endp as used Syzkaller managed to find a combination of actions that was generating this warning: msk->pm.local_addr_used == 0 WARNING: net/mptcp/pm_kernel.c:1071 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1071 [inline], CPU#1: syz.2.17/961 WARNING

CVE-2026-23339 CVE-2026-23339: linux - In the Linux kernel, the following vulnerability has been resolved: nfc: nci: f... In the Linux kernel, the following vulnerability has been resolved: nfc: nci: free skb on nci_transceive early error paths nci_transceive() takes ownership of the skb passed by the caller, but the -EPROTO, -EINVAL, and -EBUSY error paths return without freeing it. Due to issues clearing NCI_DATA_EXCHANGE fixed by subsequent changes the nci/nci_dev selftest hits the error pat

CVE-2026-23031 CVE-2026-23031: linux - In the Linux kernel, the following vulnerability has been resolved: can: gs_usb... In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are

CVE-2026-23289 CVE-2026-23289: linux - In the Linux kernel, the following vulnerability has been resolved: IB/mthca: A... In the Linux kernel, the following vulnerability has been resolved: IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq() Fix a user triggerable leak on the system call failure path. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 6.19.8-1) sid: resolved (fixed in 6.19.8-1) trixie: open

CVE-2026-23455 CVE-2026-23455: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: check for zero length in DecodeQ931() In DecodeQ931(), the UserUserIE code path reads a 16-bit length from the packet, then decrements it by 1 to skip the protocol discriminator byte before passing it to DecodeH323_UserInformation(). If the encoded length is 0, the decrement wra

CVE-2026-23438 CVE-2026-23438: linux - In the Linux kernel, the following vulnerability has been resolved: net: mvpp2:... In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), whi