Debian Linux vulnerabilities

CVE-2025-38311 [MEDIUM] CVE-2025-38311: linux - In the Linux kernel, the following vulnerability has been resolved: iavf: get r... In the Linux kernel, the following vulnerability has been resolved: iavf: get rid of the crit lock Get rid of the crit lock. That frees us from the error prone logic of try_locks. Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case. Lockdep reports that we shou

CVE-2025-21825 [MEDIUM] CVE-2025-21825: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel... In the Linux kernel, the following vulnerability has been resolved: bpf: Cancel the running bpf_timer through kworker for PREEMPT_RT During the update procedure, when overwrite element in a pre-allocated htab, the freeing of old_element is protected by the bucket lock. The reason why the bucket lock is necessary is that the old_element has already been stashed in ht

CVE-2025-37953 [MEDIUM] CVE-2025-37953: linux - In the Linux kernel, the following vulnerability has been resolved: sch_htb: ma... In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_ql

CVE-2025-38048 [MEDIUM] CVE-2025-38048: linux - In the Linux kernel, the following vulnerability has been resolved: virtio_ring... In the Linux kernel, the following vulnerability has been resolved: virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN syzbot reports a data-race when accessing the event_triggered, here is the simplified stack when the issue occurred: ================================================================== BUG: KCSAN: data-race in virtqueue_disable_c

CVE-2025-38147 [MEDIUM] CVE-2025-38147: linux - In the Linux kernel, the following vulnerability has been resolved: calipso: Do... In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in i

CVE-2025-22028 [MEDIUM] CVE-2025-22028: linux - In the Linux kernel, the following vulnerability has been resolved: media: vimc... In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call t

CVE-2025-37748 [MEDIUM] CVE-2025-37748: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/media... In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fix NULL pointer deference in mtk_iommu_device_group Currently, mtk_iommu calls during probe iommu_device_register before the hw_list from driver data is initialized. Since iommu probing issue fix, it leads to NULL pointer dereference in mtk_iommu_device_group when hw_list is accesse

CVE-2025-38399 [MEDIUM] CVE-2025-38399: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: targe... In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() The function core_scsi3_decode_spec_i_port(), in its error code path, unconditionally calls core_scsi3_lunacl_undepend_item() passing the dest_se_deve pointer, which may be NULL. This can lead to a NULL pointer dereference

CVE-2025-21861 [MEDIUM] CVE-2025-21861: linux - In the Linux kernel, the following vulnerability has been resolved: mm/migrate_... In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_d

CVE-2025-37858 [MEDIUM] CVE-2025-37858: linux - In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Pre... In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Prevent integer overflow in AG size calculation The JFS filesystem calculates allocation group (AG) size using 1 2TB aggregates on 32-bit systems), this 32-bit shift operation causes undefined behavior and improper AG sizing. On 32-bit architectures: - Left-shifting 1 by 32+ bits results in

CVE-2025-37909 [MEDIUM] CVE-2025-37909: linux - In the Linux kernel, the following vulnerability has been resolved: net: lan743... In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Fix memleak issue when GSO enabled Always map the `skb` to the LS descriptor. Previously skb was mapped to EXT descriptor when the number of fragments is zero with GSO enabled. Mapping the skb to EXT descriptor prevents it from being freed, leading to a memory leak Scope: local bookwor

CVE-2025-38365 [MEDIUM] CVE-2025-38365: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a race between renames and directory logging We have a race between a rename and directory inode logging that if it happens and we crash/power fail before the rename completes, the next time the filesystem is mounted, the log replay code will end up deleting the file that was being rename

CVE-2025-21640 [MEDIUM] CVE-2025-21640: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: sysct... In the Linux kernel, the following vulnerability has been resolved: sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons: - Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns. - current->n

CVE-2025-71130 [MEDIUM] CVE-2025-71130: linux - In the Linux kernel, the following vulnerability has been resolved: drm/i915/ge... In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below. During the execut

CVE-2025-71235 [MEDIUM] CVE-2025-71235: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla2x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Delay module unload while fabric scan in progress System crash seen during load/unload test in a loop. [105954.384919] RBP: ffff914589838dc0 R08: 0000000000000000 R09: 0000000000000086 [105954.384920] R10: 000000000000000f R11: ffffa31240904be5 R12: ffff914605f868e0 [105954.384921] R1

CVE-2025-38617 [MEDIUM] CVE-2025-38617: linux - In the Linux kernel, the following vulnerability has been resolved: net/packet:... In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() an

CVE-2025-21862 [MEDIUM] CVE-2025-21862: linux - In the Linux kernel, the following vulnerability has been resolved: drop_monito... In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, In

CVE-2025-38333 [MEDIUM] CVE-2025-38333: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: fix t... In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment() ------------[ cut here ]------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc pc : new_curseg+0x5e8/0x6dc Call trace: new_curseg+0x5e8/0x6dc f2fs_allocate_data_block+0xa54/0xe28 do_write_page+0x6c/0x194 f2fs_do_write_node_pa

CVE-2025-39721 [MEDIUM] CVE-2025-39721: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: qat... In the Linux kernel, the following vulnerability has been resolved: crypto: qat - flush misc workqueue during device shutdown Repeated loading and unloading of a device specific QAT driver, for example qat_4xxx, in a tight loop can lead to a crash due to a use-after-free scenario. This occurs when a power management (PM) interrupt triggers just before the device-spe

CVE-2025-38304 [MEDIUM] CVE-2025-38304: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.12.35-1) s