Debian Linux vulnerabilities

CVE-2026-23458 CVE-2026-23458: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct() ctnetlink_dump_exp_ct() stores a conntrack pointer in cb->data for the netlink dump callback ctnetlink_exp_ct_dump_table(), but drops the conntrack reference immediately after netlink_dump_start(). When the dump spans multiple rounds, the se

CVE-2026-23287 CVE-2026-23287: linux - In the Linux kernel, the following vulnerability has been resolved: irqchip/sif... In the Linux kernel, the following vulnerability has been resolved: irqchip/sifive-plic: Fix frozen interrupt due to affinity setting PLIC ignores interrupt completion message for disabled interrupt, explained by the specification: The PLIC signals it has completed executing an interrupt handler by writing the interrupt ID it received from the claim to the claim/complete reg

CVE-2026-31409 CVE-2026-31409: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: unse... In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() cal

CVE-2025-68263 [CRITICAL] CVE-2025-68263: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc:... In the Linux kernel, the following vulnerability has been resolved: ksmbd: ipc: fix use-after-free in ipc_msg_send_request ipc_msg_send_request() waits for a generic netlink reply using an ipc_msg_table_entry on the stack. The generic netlink handler (handle_generic_event()/handle_response()) fills entry->response under ipc_msg_table_lock, but ipc_msg_send_request

CVE-2025-39946 [CRITICAL] CVE-2025-39946: linux - In the Linux kernel, the following vulnerability has been resolved: tls: make s... In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out l

CVE-2025-37924 [CRITICAL] CVE-2025-37924: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in kerberos authentication Setting sess->user = NULL was introduced to fix the dangling pointer created by ksmbd_free_user. However, it is possible another thread could be operating on the session and make use of sess->user after it has been passed to ksmbd_free_user but

CVE-2025-38182 [HIGH] CVE-2025-38182: linux - In the Linux kernel, the following vulnerability has been resolved: ublk: santi... In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. Scope: local bookworm: open bullseye: resolved forky: resolved (fixed in 6.12.35-1) sid: resolved (fixed in 6.12.35-1) trixie: reso

CVE-2025-22088 [HIGH] CVE-2025-22088: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma:... In the Linux kernel, the following vulnerability has been resolved: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn() After the erdma_cep_put(new_cep) being called, new_cep will be freed, and the following dereference will cause a UAF problem. Fix this issue. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6

CVE-2025-38579 [HIGH] CVE-2025-38579: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix K... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_i

CVE-2025-71162 [HIGH] CVE-2025-71162: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it.

CVE-2025-71086 [HIGH] CVE-2025-71086: linux - In the Linux kernel, the following vulnerability has been resolved: net: rose: ... In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRAY_SIZE(array), this

CVE-2025-38707 [HIGH] CVE-2025-38707: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: A... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add sanity check for file name The length of the file name should be smaller than the directory entry size. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in 6.16.3-1) trixie: resolved (fixed in 6.12.43-1)

CVE-2025-37849 [HIGH] CVE-2025-37849: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: arm64:... In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Tear down vGIC on failed vCPU creation If kvm_arch_vcpu_create() fails to share the vCPU page with the hypervisor, we propagate the error back to the ioctl but leave the vGIC vCPU data initialised. Note only does this leak the corresponding memory when the vCPU is destroyed but it can also

CVE-2025-39790 [HIGH] CVE-2025-39790: linux - In the Linux kernel, the following vulnerability has been resolved: bus: mhi: h... In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Detect events pointing to unexpected TREs When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when process

CVE-2025-37913 [HIGH] CVE-2025-37913: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the

CVE-2025-21735 [HIGH] CVE-2025-21735: linux - In the Linux kernel, the following vulnerability has been resolved: NFC: nci: A... In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Add bounds checking in nci_hci_create_pipe() The "pipe" variable is a u8 which comes from the network. If it's more than 127, then it results in memory corruption in the caller, nci_hci_connect_gate(). Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237

CVE-2025-21887 [HIGH] CVE-2025-21887: linux - In the Linux kernel, the following vulnerability has been resolved: ovl: fix UA... In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use

CVE-2025-37739 [HIGH] CVE-2025-37739: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() syzbot reports an UBSAN issue as below: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]') CPU: 0

CVE-2025-21927 [HIGH] CVE-2025-21927: linux - In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: f... In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu() nvme_tcp_recv_pdu() doesn't check the validity of the header length. When header digests are enabled, a target might send a packet with an invalid header length (e.g. 255), causing nvme_tcp_verify_hdgst() to access memory outside the all

CVE-2025-37899 [HIGH] CVE-2025-37899: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use