Debian Linux vulnerabilities

CVE-2025-37819 [HIGH] CVE-2025-37819: linux - In the Linux kernel, the following vulnerability has been resolved: irqchip/gic... In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be free

CVE-2025-21731 [HIGH] CVE-2025-21731: linux - In the Linux kernel, the following vulnerability has been resolved: nbd: don't ... In the Linux kernel, the following vulnerability has been resolved: nbd: don't allow reconnect after disconnect Following process can cause nbd_config UAF: 1) grab nbd_config temporarily; 2) nbd_genl_disconnect() flush all recv_work() and release the initial reference: nbd_genl_disconnect nbd_disconnect_and_put nbd_disconnect flush_workqueue(nbd->recv_workq) if (test_

CVE-2025-40364 [HIGH] CVE-2025-40364: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring: f... In the Linux kernel, the following vulnerability has been resolved: io_uring: fix io_req_prep_async with provided buffers io_req_prep_async() can import provided buffers, commit the ring state by giving up on that before, it'll be reimported later if needed. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved forky: resolved (fixed in 6.12.15-1) si

CVE-2025-71116 [HIGH] CVE-2025-71116: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: ma... In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there

CVE-2025-39957 [HIGH] CVE-2025-39957: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: increase scan_ies_len for S1G Currently the S1G capability element is not taken into account for the scan_ies_len, which leads to a buffer length validation failure in ieee80211_prep_hw_scan() and subsequent WARN in __ieee80211_start_scan(). This prevents hw scanning from functioning.

CVE-2025-21946 [HIGH] CVE-2025-21946: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds in parse_sec_desc() If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd struct size. If it is smaller, It could cause slab-out-of-bounds. And when validating sid, It need to check it included subauth array size. Scope: local bookworm: resolved (fixed in 6.1

CVE-2025-38102 [HIGH] CVE-2025-38102: linux - In the Linux kernel, the following vulnerability has been resolved: VMCI: fix r... In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID

CVE-2025-38118 [HIGH] CVE-2025-38118: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x5

CVE-2025-39911 [HIGH] CVE-2025-39911: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: fix I... In the Linux kernel, the following vulnerability has been resolved: i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration later than the first, the error path wants to free the IRQs requested so far. However, it uses the wrong dev_id argument for free_irq(), so it does not free the IRQs corr

CVE-2025-38204 [HIGH] CVE-2025-38204: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: fix ar... In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. Scope

CVE-2025-38494 [HIGH] CVE-2025-38494: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. Scope: local bookworm: resolved (fixed in 6.1.1

CVE-2025-71220 [HIGH] CVE-2025-71220: linux - In the Linux kernel, the following vulnerability has been resolved: smb/server:... In the Linux kernel, the following vulnerability has been resolved: smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe() When ksmbd_iov_pin_rsp() fails, we should call ksmbd_session_rpc_close(). Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixi

CVE-2025-38595 [HIGH] CVE-2025-38595: linux - In the Linux kernel, the following vulnerability has been resolved: xen: fix UA... In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor

CVE-2025-37817 [HIGH] CVE-2025-37817: linux - In the Linux kernel, the following vulnerability has been resolved: mcb: fix a ... In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails. Scope: local

CVE-2025-21647 [HIGH] CVE-2025-21647: linux - In the Linux kernel, the following vulnerability has been resolved: sched: sch_... In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds checks to host bulk flow fairness counts Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of b

CVE-2025-21693 [HIGH] CVE-2025-21693: linux - In the Linux kernel, the following vulnerability has been resolved: mm: zswap: ... In the Linux kernel, the following vulnerability has been resolved: mm: zswap: properly synchronize freeing resources during CPU hotunplug In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the current CPU at the beginning of the operation is retrieved and used throughout. However, since neither preemption nor migration are disabled, it is possible t

CVE-2025-21719 [HIGH] CVE-2025-21719: linux - In the Linux kernel, the following vulnerability has been resolved: ipmr: do no... In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Un

CVE-2025-38352 [HIGH] CVE-2025-38352: linux - In the Linux kernel, the following vulnerability has been resolved: posix-cpu-t... In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_c

CVE-2025-38572 [HIGH] CVE-2025-38572: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: rejec... In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING

CVE-2025-38117 [HIGH] CVE-2025-38117: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/b