Debian Linux vulnerabilities

CVE-2025-38248 [HIGH] CVE-2025-38248: linux - In the Linux kernel, the following vulnerability has been resolved: bridge: mca... In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB

CVE-2025-21950 [HIGH] CVE-2025-21950: linux - In the Linux kernel, the following vulnerability has been resolved: drivers: vi... In the Linux kernel, the following vulnerability has been resolved: drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/a

CVE-2025-39788 [HIGH] CVE-2025-39788: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ... In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE On Google gs101, the number of UTP transfer request slots (nutrs) is 32, and in this case the driver ends up programming the UTRL_NEXUS_TYPE incorrectly as 0. This is because the left hand side of the shift is 1, which is of type int, i.e. 31 b

CVE-2025-22056 [HIGH] CVE-2025-22056: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of cha

CVE-2025-38676 [HIGH] CVE-2025-38676: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/amd: ... In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in

CVE-2025-21727 [HIGH] CVE-2025-21727: linux - In the Linux kernel, the following vulnerability has been resolved: padata: fix... In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_paral

CVE-2025-38416 [HIGH] CVE-2025-38416: linux - In the Linux kernel, the following vulnerability has been resolved: NFC: nci: u... In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close the window b

CVE-2025-38443 [HIGH] CVE-2025-38443: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: fix ua... In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/b

CVE-2025-37879 [HIGH] CVE-2025-37879: linux - In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix... In the Linux kernel, the following vulnerability has been resolved: 9p/net: fix improper handling of bogus negative read/write replies In p9_client_write() and p9_client_read_once(), if the server incorrectly replies with success but a negative write/read count then we would consider written (negative) 3) Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye:

CVE-2025-38227 [HIGH] CVE-2025-38227: linux - In the Linux kernel, the following vulnerability has been resolved: media: vidt... In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited.

CVE-2025-22040 [HIGH] CVE-2025-22040: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. Scope: local bo

CVE-2025-21791 [HIGH] CVE-2025-21791: linux - In the Linux kernel, the following vulnerability has been resolved: vrf: use RC... In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. Scope: local bookworm: resolved (

CVE-2025-37822 [HIGH] CVE-2025-37822: linux - In the Linux kernel, the following vulnerability has been resolved: riscv: upro... In the Linux kernel, the following vulnerability has been resolved: riscv: uprobes: Add missing fence.i after building the XOL buffer The XOL (execute out-of-line) buffer is used to single-step the replaced instruction(s) for uprobes. The RISC-V port was missing a proper fence.i (i$ flushing) after constructing the XOL buffer, which can result in incorrect execution o

CVE-2025-21782 [HIGH] CVE-2025-21782: linux - In the Linux kernel, the following vulnerability has been resolved: orangefs: f... In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved (fixed in 5.10.237-1) forky:

CVE-2025-23142 [HIGH] CVE-2025-23142: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: detec... In the Linux kernel, the following vulnerability has been resolved: sctp: detect and prevent references to a freed transport in sendmsg sctp_sendmsg() re-uses associations and transports when possible by doing a lookup based on the socket endpoint and the message destination address, and then sctp_sendmsg_to_asoc() sets the selected transport in all the message chunks

CVE-2025-38415 [HIGH] CVE-2025-38415: linux - In the Linux kernel, the following vulnerability has been resolved: Squashfs: c... In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the sam

CVE-2025-38722 [HIGH] CVE-2025-38722: linux - In the Linux kernel, the following vulnerability has been resolved: habanalabs:... In the Linux kernel, the following vulnerability has been resolved: habanalabs: fix UAF in export_dmabuf() As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do ab

CVE-2025-71136 [HIGH] CVE-2025-71136: linux - In the Linux kernel, the following vulnerability has been resolved: media: adv7... In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays. Fix that by checking return values where it's needed. Found by Linux Verification Center (li

CVE-2025-38212 [HIGH] CVE-2025-38212: linux - In the Linux kernel, the following vulnerability has been resolved: ipc: fix to... In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/[email protected]/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical regi

CVE-2025-39841 [HIGH] CVE-2025-39841: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc:... In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix buffer free/clear order in deferred receive path Fix a use-after-free window by correcting the buffer release sequence in the deferred receive path. The code freed the RQ buffer first and only then cleared the context pointer under the lock. Concurrent paths (e.g., ABTS and the repost