Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

Page 36 of 665
CVE-2025-38704 | HIGH | CVSS 7.8 | fixed in linux 6.16.3-1 (forky) | 2025
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
In the preparation stage of CPU online, if the corresponding the rdp's->nocb_cb_kthread does not exist, will be created, there is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not
debian
CVE-2025-37749 | HIGH | CVSS 7.1 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung
Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remo
debian
CVE-2025-22104 | HIGH | CVSS 7.1 | fixed in linux 6.16.3-1 (forky) | 2025
In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps
Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that lo
debian
CVE-2025-38389 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error
The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: [239.330153] ------------[ cut here ]------------ [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_cou
debian
CVE-2025-22035 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: tracing: Fix use-after-free in print_graph_function_flags during tracer switching
Kairui reported a UAF issue in print_graph_function_flags() during ftrace stress testing [1]. This issue can be reproduced if putting a 'mdelay(10)' after 'mutex_unlock(&trace_types_lock)' in s_start(), and executing the
debian
CVE-2025-21796 | HIGH | CVSS 7.8 | fixed in linux 6.1.129-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them
If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------
debian
CVE-2025-37798 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
After making all ->qlen_notify() callbacks idempotent, now it is safe to remove the check of qlen!=0 from both fq_codel_dequeue() and codel_qdisc_dequeue().
Scope: local. bookworm: resolved (fixed in 6.1.135-1); bullseye: resolved (fixed
debian
CVE-2025-39945 | HIGH | CVSS 7.8 | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task
The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic, the flush_workqueue
debian
CVE-2025-39864 | HIGH | CVSS 7.8 | fixed in linux 6.1.153-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss'
debian
CVE-2025-39951 | HIGH | CVSS 7.8 | fixed in linux 6.1.158-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: um: virtio_uml: Fix use-after-free after put_device in probe
When register_virtio_device() fails in virtio_uml_probe(), the code sets vu_dev->registered = 1 even though the device was not successfully registered. This can lead to use-after-free or other issues.
Scope: local. bookworm: resolved (fixed i
debian
CVE-2025-37750 | HIGH | CVSS 7.8 | fixed in linux 6.12.25-1 (forky) | 2025
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in decryption with multichannel
After commit f7025d861694 ("smb: client: allocate crypto only for primary server") and commit b0abcd65ec54 ("smb: client: fix UAF in async decryption"), the channels started reusing AEAD TFM from primary channel to perform synchronous decryption, bu
debian
CVE-2025-37803 | HIGH | CVSS 7.8 | fixed in linux 6.1.137-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: udmabuf: fix a buf size overflow issue during udmabuf creation by casting size_limit_mb to u64 when calculating pglimit.
Scope: local. bookworm: resolved (fixed in 6.1.137-1); bullseye: resolved (fixed in 5.10.237-1); forky: resolved (fixed in 6.16.3-1); sid: resolved (fixed in 6.16.3-1); trixie: resolved (f
debian
CVE-2025-38259 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies
Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup in final error paths and in unbind (missing remove() callback). This leads to leaked memory and unbalanced
debian
CVE-2025-38000 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an imme
debian
CVE-2025-37786 | HIGH | CVSS 7.8 | fixed in linux 6.1.164-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: net: dsa: free routing table on probe failure
If complete = true in dsa_tree_setup(), it means that we are the last switch of the tree which is successfully probing, and we should be setting up all switches from our probe path. After "complete" becomes true, dsa_tree_setup_cpu_ports() or any subsequen
debian
CVE-2025-21867 | HIGH | CVSS 7.8 | fixed in linux 6.1.133-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
KMSAN reported a use-after-free issue in eth_skb_pkt_type()[1]. The cause of the issue was that eth_skb_pkt_type() accessed skb's data that didn't contain an Ethernet header. This occurs when bpf_prog_test_run_xdp() passes an invalid value
debian
CVE-2025-38456 | HIGH | CVSS 7.8 | fixed in linux 6.1.147-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()
The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on an invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we
debian
CVE-2025-37839 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: jbd2: remove wrong sb->s_sequence check
Journal emptiness is not determined by sb->s_sequence == 0 but rather by sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a valid transaction ID so the check can spuriously trigger. Remove the invalid WARN_ON.
Scope: local. bookworm: resolved (
debian
CVE-2025-21919 | HIGH | CVSS 7.8 | fixed in linux 6.1.133-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the r
debian
CVE-2025-37892 | HIGH | CVSS 7.8 | fixed in linux 6.1.135-1 (bookworm) | 2025
In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob()
In INFTL_findwriteunit(), the return value of inftl_read_oob() needs to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fa
debian