Debian Linux vulnerabilities

CVE-2025-39759 [HIGH] CVE-2025-39759: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: qgro... In the Linux kernel, the following vulnerability has been resolved: btrfs: qgroup: fix race between quota disable and quota rescan ioctl There's a race between a task disabling quotas and another running the rescan ioctl that can result in a use-after-free of qgroup records from the fs_info->qgroup_tree rbtree. This happens as follows: 1) Task A enters btrfs_ioctl_quo

CVE-2025-23157 [HIGH] CVE-2025-23157: linux - In the Linux kernel, the following vulnerability has been resolved: media: venu... In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the coun

CVE-2025-37840 [HIGH] CVE-2025-37840: linux - In the Linux kernel, the following vulnerability has been resolved: mtd: rawnan... In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: brcmnand: fix PM resume warning Fixed warning on PM resume as shown below caused due to uninitialized struct nand_operation that checks chip select field : WARN_ON(op->cs >= nanddev_ntargets(&chip->base) [ 14.588522] ------------[ cut here ]------------ [ 14.588529] WARNING: CPU: 0 PID:

CVE-2025-38584 [HIGH] CVE-2025-38584: linux - In the Linux kernel, the following vulnerability has been resolved: padata: Fix... In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for pa

CVE-2025-21702 [HIGH] CVE-2025-21702: linux - In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_... In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finall

CVE-2025-37785 [HIGH] CVE-2025-37785: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: fix O... In the Linux kernel, the following vulnerability has been resolved: ext4: fix OOB read when checking dotdot dir Mounting a corrupted filesystem with directory which contains '.' dir entry with rec_len == block size results in out-of-bounds read (later on, when the corrupted directory is removed). ext4_empty_dir() assumes every ext4 directory contains at least '.' and

CVE-2025-39913 [HIGH] CVE-2025-39913: linux - In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Ca... In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. syzbot reported the splat below. [0] The repro does the following: 1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes) 2. Attach the prog to a SOCKMAP 3. Add a socket to the SOCKMAP 4. Activate faul

CVE-2025-22107 [HIGH] CVE-2025-22107: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: s... In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() There are actually 2 problems: - deleting the last element doesn't require the memmove of elements [i + 1, end) over it. Actually, element i+1 is out of bounds. - The memmove itself should move size - i - 1 elements, be

CVE-2025-38131 [HIGH] CVE-2025-38131: linux - In the Linux kernel, the following vulnerability has been resolved: coresight: ... In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load module cscfg_load_config

CVE-2025-38159 [HIGH] CVE-2025-38159: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88... In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTR

CVE-2025-38257 [HIGH] CVE-2025-38257: linux - In the Linux kernel, the following vulnerability has been resolved: s390/pkey: ... In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of t

CVE-2025-38004 [HIGH] CVE-2025-38004: linux - In the Linux kernel, the following vulnerability has been resolved: can: bcm: a... In the Linux kernel, the following vulnerability has been resolved: can: bcm: add locking for bcm_op runtime updates The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via hrtimer. The content and also the length of the sequence can be changed resp reduced at runtime where the 'currframe' counter is then set to zero. Although this appeared to be a s

CVE-2025-38425 [HIGH] CVE-2025-38425: linux - In the Linux kernel, the following vulnerability has been resolved: i2c: tegra:... In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.12.35-1) sid

CVE-2025-38459 [HIGH] CVE-2025-38459: linux - In the Linux kernel, the following vulnerability has been resolved: atm: clip: ... In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is cl

CVE-2025-21762 [HIGH] CVE-2025-21762: linux - In the Linux kernel, the following vulnerability has been resolved: arp: use RC... In the Linux kernel, the following vulnerability has been resolved: arp: use RCU protection in arp_xmit() arp_xmit() can be called without RTNL or RCU protection. Use RCU protection to avoid potential UAF. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.12.16-1) sid: resolved (fixed in 6.12.16-1

CVE-2025-39853 [HIGH] CVE-2025-39853: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: Fix p... In the Linux kernel, the following vulnerability has been resolved: i40e: Fix potential invalid access when MAC list is empty list_first_entry() never returns NULL - if the list is empty, it still returns a pointer to an invalid object, leading to potential invalid memory access when dereferenced. Fix this by using list_first_entry_or_null instead of list_first_entry.

CVE-2025-37903 [HIGH] CVE-2025-37903: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangli

CVE-2025-37823 [HIGH] CVE-2025-37823: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer. Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fi

CVE-2025-21991 [HIGH] CVE-2025-21991: linux - In the Linux kernel, the following vulnerability has been resolved: x86/microco... In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memor

CVE-2025-37979 [HIGH] CVE-2025-37979: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom:... In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: Fix sc7280 lpass potential buffer overflow Case values introduced in commit 5f78e1fb7a3e ("ASoC: qcom: Add driver support for audioreach solution") cause out of bounds access in arrays of sc7280 driver data (e.g. in case of RX_CODEC_DMA_RX_0 in sc7280_snd_hw_params()). Redefine LPASS_MAX_P