Debian Linux vulnerabilities

CVE-2025-39744 [HIGH] CVE-2025-39744: linux - In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rc... In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to IRQ work During rcu_read_unlock_special(), if this happens during irq_exit(), we can lockup if an IPI is issued. This is because the IPI itself triggers the irq_exit() path causing a recursive lock up. This is precisely what Xiongfeng found when invoking a BP

CVE-2025-21934 [HIGH] CVE-2025-21934: linux - In the Linux kernel, the following vulnerability has been resolved: rapidio: fi... In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullse

CVE-2025-38385 [HIGH] CVE-2025-38385: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: l... In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path. A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect: WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350 This h

CVE-2025-38107 [HIGH] CVE-2025-38107: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_redu

CVE-2025-39687 [HIGH] CVE-2025-39687: linux - In the Linux kernel, the following vulnerability has been resolved: iio: light:... In the Linux kernel, the following vulnerability has been resolved: iio: light: as73211: Ensure buffer holes are zeroed Given that the buffer is copied to a kfifo that ultimately user space can read, ensure we zero it. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.16.5-1) sid: resolved (fixed

CVE-2025-21704 [HIGH] CVE-2025-21704: linux - In the Linux kernel, the following vulnerability has been resolved: usb: cdc-ac... In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory co

CVE-2025-38715 [HIGH] CVE-2025-38715: linux - In the Linux kernel, the following vulnerability has been resolved: hfs: fix sl... In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These methods are used in hfs_

CVE-2025-38005 [MEDIUM] CVE-2025-38005: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma: Add missing locking Recent kernels complain about a missing lock in k3-udma.c when the lock validator is enabled: [ 4.128073] WARNING: CPU: 0 PID: 746 at drivers/dma/ti/../virt-dma.h:169 udma_start.isra.0+0x34/0x238 [ 4.137352] CPU: 0 UID: 0 PID: 746 Comm: kworker/0:3 Not tai

CVE-2025-38332 [MEDIUM] CVE-2025-38332: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc:... In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the

CVE-2025-71225 [MEDIUM] CVE-2025-71225: linux - In the Linux kernel, the following vulnerability has been resolved: md: suspend... In the Linux kernel, the following vulnerability has been resolved: md: suspend array while updating raid_disks via sysfs In raid1_reshape(), freeze_array() is called before modifying the r1bio memory pool (conf->r1bio_pool) and conf->raid_disks, and unfreeze_array() is called after the update is completed. However, freeze_array() only waits until nr_sync_pending an

CVE-2025-23141 [MEDIUM] CVE-2025-23141: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: A... In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in

CVE-2025-23145 [MEDIUM] CVE-2025-23145: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: fix ... In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./ne

CVE-2025-39675 [MEDIUM] CVE-2025-39675: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointe

CVE-2025-21910 [MEDIUM] CVE-2025-21910: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80... In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47c

CVE-2025-38359 [MEDIUM] CVE-2025-38359: linux - In the Linux kernel, the following vulnerability has been resolved: s390/mm: Fi... In the Linux kernel, the following vulnerability has been resolved: s390/mm: Fix in_atomic() handling in do_secure_storage_access() Kernel user spaces accesses to not exported pages in atomic context incorrectly try to resolve the page fault. With debug options enabled call traces like this can be seen: BUG: sleeping function called from invalid context at kernel/lo

CVE-2025-22044 [MEDIUM] CVE-2025-22044: linux - In the Linux kernel, the following vulnerability has been resolved: acpi: nfit:... In the Linux kernel, the following vulnerability has been resolved: acpi: nfit: fix narrowing conversion in acpi_nfit_ctl Syzkaller has reported a warning in to_nfit_bus_uuid(): "only secondary bus families can be translated". This warning is emited if the argument is equal to NVDIMM_BUS_FAMILY_NFIT == 0. Function acpi_nfit_ctl() first verifies that a user-provided

CVE-2025-38429 [MEDIUM] CVE-2025-38429: linux - In the Linux kernel, the following vulnerability has been resolved: bus: mhi: e... In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Update read pointer only after buffer is written Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offs

CVE-2025-21804 [MEDIUM] CVE-2025-21804: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: rcar-e... In the Linux kernel, the following vulnerability has been resolved: PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region() macro to request a needed resource. A string variable that lives on the stack is then used to store a dynamically computed resource name, which is

CVE-2025-38461 [MEDIUM] CVE-2025-38461: linux - In the Linux kernel, the following vulnerability has been resolved: vsock: Fix ... In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oop

CVE-2025-37772 [MEDIUM] CVE-2025-37772: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler struct rdma_cm_id has member "struct work_struct net_work" that is reused for enqueuing cma_netevent_work_handler()s onto cma_wq. Below crash[1] can occur if more than one call to cma_netevent_callback() occurs in quick succession, which fur