Debian Linux vulnerabilities

CVE-2025-68358 [MEDIUM] CVE-2025-68358: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix racy bitfield write in btrfs_clear_space_info_full() From the memory-barriers.txt document regarding memory barrier ordering guarantees: (*) These guarantees do not apply to bitfields, because compilers often generate code to modify these using non-atomic read-modify-write sequences. Do n

CVE-2025-37862 [MEDIUM] CVE-2025-37862: linux - In the Linux kernel, the following vulnerability has been resolved: HID: pidff:... In the Linux kernel, the following vulnerability has been resolved: HID: pidff: Fix null pointer dereference in pidff_find_fields This function triggered a null pointer dereference if used to search for a report that isn't implemented on the device. This happened both for optional and required reports alike. The same logic was applied to pidff_find_special_field and

CVE-2025-39756 [MEDIUM] CVE-2025-39756: linux - In the Linux kernel, the following vulnerability has been resolved: fs: Prevent... In the Linux kernel, the following vulnerability has been resolved: fs: Prevent file descriptor table allocations exceeding INT_MAX When sysctl_nr_open is set to a very high value (for example, 1073741816 as set by systemd), processes attempting to use file descriptors near the limit can trigger massive memory allocation attempts that exceed INT_MAX, resulting in a

CVE-2025-22086 [MEDIUM] CVE-2025-22086: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside t

CVE-2025-38639 [MEDIUM] CVE-2025-38639: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_nfacct: don't assume acct name is null-terminated BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 [..] string+0x231/0x2b0 lib/vsprintf.c:721 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 [..] nfacct_mt_checkentry+

CVE-2025-38020 [MEDIUM] CVE-2025-38020: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: ... In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplink representors. When switching to the uplink representor profile, the MACsec offload feature must be cleared from the netdevice's features. If left enabled, attempts to add off

CVE-2025-22071 [MEDIUM] CVE-2025-22071: linux - In the Linux kernel, the following vulnerability has been resolved: spufs: fix ... In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak in spufs_create_context() Leak fixes back in 2008 missed one case - if we are trying to set affinity and spufs_mkdir() fails, we need to drop the reference to neighbor. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: open forky: resolved (fixed in 6.12.25-1) sid: res

CVE-2025-37968 [MEDIUM] CVE-2025-37968: linux - In the Linux kernel, the following vulnerability has been resolved: iio: light:... In the Linux kernel, the following vulnerability has been resolved: iio: light: opt3001: fix deadlock due to concurrent flag access The threaded IRQ function in this driver is reading the flag twice: once to lock a mutex and once to unlock it. Even though the code setting the flag is designed to prevent it, there are subtle cases where the flag could be true at the

CVE-2025-22115 [MEDIUM] CVE-2025-22115: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_spac

CVE-2025-38363 [MEDIUM] CVE-2025-38363: linux - In the Linux kernel, the following vulnerability has been resolved: drm/tegra: ... In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. Scope: local bookworm: resolved (fixed in

CVE-2025-71104 [MEDIUM] CVE-2025-71104: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: x86: F... In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()). Blindly adding

CVE-2025-38334 [MEDIUM] CVE-2025-38334: linux - In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Pr... In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even try

CVE-2025-38687 [MEDIUM] CVE-2025-38687: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: fix... In the Linux kernel, the following vulnerability has been resolved: comedi: fix race between polling and detaching syzbot reports a use-after-free in comedi in the below link, which is due to comedi gladly removing the allocated async area even though poll requests are still active on the wait_queue_head inside of it. This can cause a use-after-free when the poll en

CVE-2025-37963 [MEDIUM] CVE-2025-37963: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: bpf:... In the Linux kernel, the following vulnerability has been resolved: arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users Support for eBPF programs loaded by unprivileged users is typically disabled. This means only cBPF programs need to be mitigated for BHB. In addition, only mitigate cBPF programs that were loaded by an unprivileged user. Privileged

CVE-2025-38113 [MEDIUM] CVE-2025-38113: linux - In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC:... In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic. Panic backtrace: [ 0.401123] Unable to handle kernel NULL p

CVE-2025-21658 [MEDIUM] CVE-2025-21658: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: avoi... In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid extent tree [BUG] Syzbot reported a crash with the following call trace: BTRFS info (device loop0): scrub: started on devid 1 BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0

CVE-2025-71161 [MEDIUM] CVE-2025-71161: linux - In the Linux kernel, the following vulnerability has been resolved: dm-verity: ... In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested re

CVE-2025-38513 [MEDIUM] CVE-2025-38513: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: zd121... In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lo

CVE-2025-38553 [MEDIUM] CVE-2025-38553: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot

CVE-2025-21865 [MEDIUM] CVE-2025-21865: linux - In the Linux kernel, the following vulnerability has been resolved: gtp: Suppre... In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl(