Debian Linux vulnerabilities

CVE-2026-31788 [HIGH] CVE-2026-31788: linux - In the Linux kernel, the following vulnerability has been resolved: xen/privcmd... In the Linux kernel, the following vulnerability has been resolved: xen/privcmd: restrict usage in unprivileged domU The Xen privcmd driver allows to issue arbitrary hypercalls from user space processes. This is normally no problem, as access is usually limited to root and the hypervisor will deny any hypercalls affecting other domains. In case the guest is booted usi

CVE-2026-23236 [HIGH] CVE-2026-23236: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: smsc... In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the

CVE-2026-23364 [HIGH] CVE-2026-23364: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Comp... In the Linux kernel, the following vulnerability has been resolved: ksmbd: Compare MACs in constant time To prevent timing attacks, MAC comparisons need to be constant-time. Replace the memcmp() with the correct function, crypto_memneq(). Scope: local bookworm: open bullseye: resolved forky: resolved (fixed in 6.19.8-1) sid: resolved (fixed in 6.19.8-1) trixie: open

CVE-2026-23410 [HIGH] CVE-2026-23410: linux - In the Linux kernel, the following vulnerability has been resolved: apparmor: f... In the Linux kernel, the following vulnerability has been resolved: apparmor: fix race on rawdata dereference There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresp

CVE-2026-23198 [HIGH] CVE-2026-23198: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: Don't ... In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI. Instead, to handle a concurrent ro

CVE-2026-23271 [HIGH] CVE-2026-23271: linux - In the Linux kernel, the following vulnerability has been resolved: perf: Fix _... In the Linux kernel, the following vulnerability has been resolved: perf: Fix __perf_event_overflow() vs perf_remove_from_context() race Make sure that __perf_event_overflow() runs with IRQs disabled for all possible callchains. Specifically the software events can end up running it with only preemption disabled. This opens up a race vs perf_event_exit_event() and fri

CVE-2026-23278 [HIGH] CVE-2026-23278: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: always walk all pending catchall elements During transaction processing we might have more than one catchall element: 1 live catchall element and 1 pending element that is coming as part of the new batch. If the map holding the catchall elements is also going away, its required t

CVE-2026-23306 [HIGH] CVE-2026-23306: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: pm800... In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free in pm8001_queue_command() Commit e29c47fe8946 ("scsi: pm8001: Simplify pm8001_task_exec()") refactors pm8001_queue_command(), however it introduces a potential cause of a double free scenario when it changes the function to return -ENODEV in case of phy down/device gon

CVE-2026-23242 [HIGH] CVE-2026-23242: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may lead to a NULL pointer deref. Only check

CVE-2026-23378 [HIGH] CVE-2026-23378: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: Fix metalist update behavior Whenever an ife action replace changes the metalist, instead of replacing the old data on the metalist, the current ife code is appending the new metadata. Aside from being innapropriate behavior, this may lead to an unbounded addition of metadata to th

CVE-2026-23208 [HIGH] CVE-2026-23208: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-a... In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Prevent excessive number of frames In this case, the user constructed the parameters with maxpacksize 40 for rate 22050 / pps 1000, and packsize[0] 22 packsize[1] 23. The buffer size for each data URB is maxpacksize * packets, which in this example is 40 * 6 = 240; When the user perfo

CVE-2026-23187 [HIGH] CVE-2026-23187: linux - In the Linux kernel, the following vulnerability has been resolved: pmdomain: i... In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove(). Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixie: resolved (fixed in

CVE-2026-23078 [HIGH] CVE-2026-23078: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: scarl... In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times

CVE-2026-23245 [HIGH] CVE-2026-23245: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: act_gate: snapshot parameters with RCU on replace The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REP

CVE-2026-22984 [HIGH] CVE-2026-22984: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: pr... In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved forky: resolved (fixed in 6.18.8

CVE-2026-23221 [HIGH] CVE-2026-23221: linux - In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc... In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can resul

CVE-2026-23393 [HIGH] CVE-2026-23393: linux - In the Linux kernel, the following vulnerability has been resolved: bridge: cfm... In the Linux kernel, the following vulnerability has been resolved: bridge: cfm: Fix race condition in peer_mep deletion When a peer MEP is being deleted, cancel_delayed_work_sync() is called on ccm_rx_dwork before freeing. However, br_cfm_frame_rx() runs in softirq context under rcu_read_lock (without RTNL) and can re-schedule ccm_rx_dwork via ccm_rx_timer_start() be

CVE-2026-23111 [HIGH] CVE-2026-23111: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required. nft_map_catchall_activate() is called from the

CVE-2026-22998 [HIGH] CVE-2026-22998: linux - In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: f... In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length") added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command's d

CVE-2026-23228 [MEDIUM] CVE-2026-23228: linux - In the Linux kernel, the following vulnerability has been resolved: smb: server... In the Linux kernel, the following vulnerability has been resolved: smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() On kthread_run() failure in ksmbd_tcp_new_connection(), the transport is freed via free_transport(), which does not decrement active_num_conn, leaking this counter. Replace free_transport() with ksmbd_tcp_disconnect(). Scope: loc