Debian Linux vulnerabilities

CVE-2025-38154 [HIGH] CVE-2025-38154: linux - In the Linux kernel, the following vulnerability has been resolved: bpf, sockma... In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. Race conditions: '''

CVE-2025-22020 [HIGH] CVE-2025-22020: linux - In the Linux kernel, the following vulnerability has been resolved: memstick: r... In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task

CVE-2025-21811 [HIGH] CVE-2025-21811: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: pro... In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect access to buffers with no active references nilfs_lookup_dirty_data_buffers(), which iterates through the buffers attached to dirty data folios/pages, accesses the attached buffers without locking the folios/pages. For data cache, nilfs_clear_folio_dirty() may be called asynchronously

CVE-2025-21764 [HIGH] CVE-2025-21764: linux - In the Linux kernel, the following vulnerability has been resolved: ndisc: use ... In the Linux kernel, the following vulnerability has been resolved: ndisc: use RCU protection in ndisc_alloc_skb() ndisc_alloc_skb() can be called without RTNL or RCU being held. Add RCU protection to avoid possible UAF. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.12.16-1) sid: resolved (fix

CVE-2025-38103 [HIGH] CVE-2025-38103: linux - In the Linux kernel, the following vulnerability has been resolved: HID: usbhid... In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory

CVE-2025-39880 [HIGH] CVE-2025-39880: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: fi... In the Linux kernel, the following vulnerability has been resolved: libceph: fix invalid accesses to ceph_connection_v1_info There is a place where generic code in messenger.c is reading and another place where it is writing to con->v1 union member without checking that the union member is active (i.e. msgr1 is in use). On 64-bit systems, con->v1.auth_retry overlaps w

CVE-2025-38677 [HIGH] CVE-2025-38677: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in dnode page As Jiaming Zhang reported: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x17e/0x800 mm/kasan/report.c:480 kasan_report+0x147/0x180

CVE-2025-38593 [HIGH] CVE-2025-38593: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_

CVE-2025-38445 [HIGH] CVE-2025-38445: linux - In the Linux kernel, the following vulnerability has been resolved: md/raid1: F... In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example acces

CVE-2025-38556 [HIGH] CVE-2025-38556: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report f

CVE-2025-38502 [HIGH] CVE-2025-38502: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oo... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will vali

CVE-2025-38245 [HIGH] CVE-2025-38245: linux - In the Linux kernel, the following vulnerability has been resolved: atm: Releas... In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_

CVE-2025-38401 [HIGH] CVE-2025-38401: linux - In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Pre... In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon

CVE-2025-39863 [HIGH] CVE-2025-39863: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: brcmf... In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If

CVE-2025-38527 [HIGH] CVE-2025-38527: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb()

CVE-2025-38239 [HIGH] CVE-2025-38239: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: megar... In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:2

CVE-2025-38550 [HIGH] CVE-2025-38550: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast... In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.16.3-1) si

CVE-2025-21760 [HIGH] CVE-2025-21760: linux - In the Linux kernel, the following vulnerability has been resolved: ndisc: exte... In the Linux kernel, the following vulnerability has been resolved: ndisc: extend RCU protection in ndisc_send_skb() ndisc_send_skb() can be called without RTNL or RCU held. Acquire rcu_read_lock() earlier, so that we can use dev_net_rcu() and avoid a potential UAF. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky: re

CVE-2025-39682 [HIGH] CVE-2025-39682: linux - In the Linux kernel, the following vulnerability has been resolved: tls: fix ha... In the Linux kernel, the following vulnerability has been resolved: tls: fix handling of zero-length records on the rx_list Each recvmsg() call must process either - only contiguous DATA records (any number of them) - one non-DATA record If the next record has different type than what has already been processed we break out of the main processing loop. If the record h

CVE-2025-37947 [HIGH] CVE-2025-37947: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: prev... In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating *pos ksmbd_vfs_stream_write() did not validate whether the write offset (*pos) was within the bounds of the existing stream data length (v_len). If *pos was greater than or equal to v_len, this could lead to an out-of-bounds memory write. This p