Debian Linux vulnerabilities

CVE-2025-38027 [HIGH] CVE-2025-38027: linux - In the Linux kernel, the following vulnerability has been resolved: regulator: ... In the Linux kernel, the following vulnerability has been resolved: regulator: max20086: fix invalid memory access max20086_parse_regulators_dt() calls of_regulator_match() using an array of struct of_regulator_match allocated on the stack for the matches argument. of_regulator_match() calls devm_of_regulator_put_matches(), which calls devres_alloc() to allocate a str

CVE-2025-38670 [HIGH] CVE-2025-38670: linux - In the Linux kernel, the following vulnerability has been resolved: arm64/entry... In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors o

CVE-2025-38201 [HIGH] CVE-2025-38201: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX") Scope: local b

CVE-2025-21863 [HIGH] CVE-2025-21863: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring: p... In the Linux kernel, the following vulnerability has been resolved: io_uring: prevent opcode speculation sqe->opcode is used for different tables, make sure we santitise it against speculations. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 6.12.17-1) sid: resolved (fixed in 6.12.17-1) trixie: resolved (fixed in 6.12.17-1)

CVE-2025-21756 [HIGH] CVE-2025-21756: linux - In the Linux kernel, the following vulnerability has been resolved: vsock: Keep... In the Linux kernel, the following vulnerability has been resolved: vsock: Keep the binding until socket destruction Preserve sockets bindings; this includes both resulting from an explicit bind() and those implicitly bound through autobind during connect(). Prevents socket unbinding during a transport reassignment, which fixes a use-after-free: 1. vsock_create() (ref

CVE-2025-71123 [HIGH] CVE-2025-71123: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: fix s... In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happ

CVE-2025-39859 [HIGH] CVE-2025-39859: linux - In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: f... In the Linux kernel, the following vulnerability has been resolved: ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog The ptp_ocp_detach() only shuts down the watchdog timer if it is pending. However, if the timer handler is already running, the timer_delete_sync() is not called. This leads to race conditions where the devlink that contains the ptp_ocp is

CVE-2025-38396 [HIGH] CVE-2025-38396: linux - In the Linux kernel, the following vulnerability has been resolved: fs: export ... In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for crea

CVE-2025-21945 [HIGH] CVE-2025-21945: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb2_lock If smb_lock->zero_len has value, ->llist of smb_lock is not delete and flock is old one. It will cause use-after-free on error handling routine. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved forky: resolved (fixed in 6.12.19-1) sid: reso

CVE-2025-38226 [HIGH] CVE-2025-38226: linux - In the Linux kernel, the following vulnerability has been resolved: media: vivi... In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg

CVE-2025-39883 [HIGH] CVE-2025-39883: linux - In the Linux kernel, the following vulnerability has been resolved: mm/memory-f... In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Co

CVE-2025-37778 [HIGH] CVE-2025-37778: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix dangling pointer in krb_authenticate krb_authenticate frees sess->user and does not set the pointer to NULL. It calls ksmbd_krb5_authenticate to reinitialise sess->user but that function may return without doing so. If that happens then smb2_sess_setup, which calls krb_authenticate, will be

CVE-2025-38129 [HIGH] CVE-2025-38129: linux - In the Linux kernel, the following vulnerability has been resolved: page_pool: ... In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.28

CVE-2025-21985 [HIGH] CVE-2025-21985: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bound accesses [WHAT & HOW] hpo_stream_to_link_encoder_mapping has size MAX_HPO_DP2_ENCODERS(=4), but location can have size up to 6. As a result, it is necessary to check location against MAX_HPO_DP2_ENCODERS. Similiarly, disp_cfg_stream_location can be used as an array in

CVE-2025-71082 [HIGH] CVE-2025-71082: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interface, INTF. I

CVE-2025-38697 [HIGH] CVE-2025-38697: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: upper ... In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds realative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted. Scope: local bookworm: resolved (fixed in 6.1.153-1) bul

CVE-2025-21692 [HIGH] CVE-2025-21692: linux - In the Linux kernel, the following vulnerability has been resolved: net: sched:... In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-b

CVE-2025-38627 [HIGH] CVE-2025-38627: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: compr... In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic The decompress_io_ctx may be released asynchronously after I/O completion. If this file is deleted immediately after read, and the kworker of processing post_read_wq has not been executed yet due to high workloads, It is possible that the ino

CVE-2025-39760 [HIGH] CVE-2025-39760: linux - In the Linux kernel, the following vulnerability has been resolved: usb: core: ... In the Linux kernel, the following vulnerability has been resolved: usb: core: config: Prevent OOB read in SS endpoint companion parsing usb_parse_ss_endpoint_companion() checks descriptor type before length, enabling a potentially odd read outside of the buffer size. Fix this up by checking the size first before looking at any of the fields in the descriptor. Scope:

CVE-2025-21680 [HIGH] CVE-2025-21680: linux - In the Linux kernel, the following vulnerability has been resolved: pktgen: Avo... In the Linux kernel, the following vulnerability has been resolved: pktgen: Avoid out-of-bounds access in get_imix_entries Passing a sufficient amount of imix entries leads to invalid access to the pkt_dev->imix_entries array because of the incorrect boundary check. UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24 index 20 is out of range for type 'imix_pk