Debian Linux vulnerabilities

CVE-2025-38088 [HIGH] CVE-2025-38088: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/pow... In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap memtrace mmap issue has an out of bounds issue. This patch fixes the by checking that the requested mapping region size should stay within the allocated region size. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolv

CVE-2025-71221 [HIGH] CVE-2025-71221: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents. The race occurs when multiple threads call tx_status() while the tasklet on another CPU is freeing completed descript

CVE-2025-37991 [HIGH] CVE-2025-37991: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Fix... In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy bin

CVE-2025-39839 [HIGH] CVE-2025-39839: linux - In the Linux kernel, the following vulnerability has been resolved: batman-adv:... In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix OOB read/write in network-coding decode batadv_nc_skb_decode_packet() trusts coded_len and checks only against skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing payload headroom, and the source skb length is not verified, allowing an out-of-bounds read and a small

CVE-2025-39691 [HIGH] CVE-2025-39691: linux - In the Linux kernel, the following vulnerability has been resolved: fs/buffer: ... In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEM

CVE-2025-38529 [HIGH] CVE-2025-38529: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: aio... In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring

CVE-2025-38108 [HIGH] CVE-2025-38108: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_b

CVE-2025-38348 [HIGH] CVE-2025-38348: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: p54: ... In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the e

CVE-2025-39866 [HIGH] CVE-2025-39866: linux - In the Linux kernel, the following vulnerability has been resolved: fs: writeba... In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO

CVE-2025-38652 [HIGH] CVE-2025-38652: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in devs.path - touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - truncate -s $((1024*1024*1024)) \ /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - touch /mnt/f2fs/file - truncate -s $((1024*1024*1024)) /mnt/f2fs/file -

CVE-2025-38320 [HIGH] CVE-2025-38320: linux - In the Linux kernel, the following vulnerability has been resolved: arm64/ptrac... In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). Call Trace: [ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.284677] Read of size 8 at addr ffff800089277c10 by tas

CVE-2025-21967 [HIGH] CVE-2025-21967: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed. Scope: local bookworm: open bullseye: resolved fo

CVE-2025-21785 [HIGH] CVE-2025-21785: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: cach... In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead

CVE-2025-39743 [HIGH] CVE-2025-39743: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: trunca... In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the bugon to be triggered when executing clear_inode() because n

CVE-2025-38183 [HIGH] CVE-2025-38183: linux - In the Linux kernel, the following vulnerability has been resolved: net: lan743... In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTP_IN

CVE-2025-38685 [HIGH] CVE-2025-38685: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix ... In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix vmalloc out-of-bounds write in fast_imageblit This issue triggers when a userspace program does an ioctl FBIOPUT_CON2FBMAP by passing console number and frame buffer number. Ideally this maps console to frame buffer and updates the screen if console is visible. As part of mapping it has to

CVE-2025-38666 [HIGH] CVE-2025-38666: linux - In the Linux kernel, the following vulnerability has been resolved: net: applet... In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a u

CVE-2025-38403 [HIGH] CVE-2025-38403: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/vmci:... In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fi

CVE-2025-71133 [HIGH] CVE-2025-71133: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma:... In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE. Other events come with different structures pointed to by "ptr" and they may be smaller than struct neighbour. Mo

CVE-2025-38713 [HIGH] CVE-2025-38713: linux - In the Linux kernel, the following vulnerability has been resolved: hfsplus: fi... In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc(): [ 667.121659][ T9805] ================================================================== [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x90