Debian Linux vulnerabilities

CVE-2025-71222 [MEDIUM] CVE-2025-71222: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: wlcor... In the Linux kernel, the following vulnerability has been resolved: wifi: wlcore: ensure skb headroom before skb_push This avoids occasional skb_under_panic Oops from wl1271_tx_work. In this case, headroom is less than needed (typically 110 - 94 = 16 bytes). Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved (fixed in 5.10.251-1) forky: resolved

CVE-2025-21655 [MEDIUM] CVE-2025-21655: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/ev... In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn't correct, as any potential freeing of the io_ev

CVE-2025-39940 [MEDIUM] CVE-2025-39940: linux - In the Linux kernel, the following vulnerability has been resolved: dm-stripe: ... In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow happened, and if it did, don't set limits->io_min and limits->io_opt; Scope: local bookworm: open bullseye: open forky: resolved (fixed in 6.16.9-1)

CVE-2025-38234 [MEDIUM] CVE-2025-38234: linux - In the Linux kernel, the following vulnerability has been resolved: sched/rt: F... In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview ======== When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue then it will call find_lock_lowest_rq method which would take a double lock on both CPUs' runqueues. If one of the locks aren't readily available, it may le

CVE-2025-21684 [MEDIUM] CVE-2025-21684: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: xilin... In the Linux kernel, the following vulnerability has been resolved: gpio: xilinx: Convert gpio_lock to raw spinlock irq_chip functions may be called in raw spinlock context. Therefore, we must also use a raw spinlock for our own internal locking. This fixes the following lockdep splat: [ 5.349336] ============================= [ 5.353349] [ BUG: Invalid wait context

CVE-2025-39925 [MEDIUM] CVE-2025-39925: linux - In the Linux kernel, the following vulnerability has been resolved: can: j1939:... In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEV_UNREGISTER notification handler syzbot is reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind(). Commit 25fe97cb7620 ("

CVE-2025-71109 [MEDIUM] CVE-2025-71109: linux - In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrac... In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time, the code in ftrace

CVE-2025-38057 [MEDIUM] CVE-2025-38057: linux - In the Linux kernel, the following vulnerability has been resolved: espintcp: f... In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb. Scope: local bookworm: resolved (fixed in 6.1.159-1) bullseye: open forky: resolved (fixed in 6.12.32-1) sid: resolved (fixed in 6.12.32-1) trixie: resolved (fixed in 6.12.32-1)

CVE-2025-71087 [MEDIUM] CVE-2025-71087: linux - In the Linux kernel, the following vulnerability has been resolved: iavf: fix o... In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"), the loop upp

CVE-2025-38583 [MEDIUM] CVE-2025-38583: linux - In the Linux kernel, the following vulnerability has been resolved: clk: xilinx... In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr

CVE-2025-37852 [MEDIUM] CVE-2025-37852: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Add error handling to propagate amdgpu_cgs_create_device() failures to the caller. When amdgpu_cgs_create_device() fails, release hwmgr and return -ENOMEM to prevent null pointer dereference. [v1]->[v2]: Change error code

CVE-2025-21629 [MEDIUM] CVE-2025-21629: linux - In the Linux kernel, the following vulnerability has been resolved: net: reenab... In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to

CVE-2025-21996 [MEDIUM] CVE-2025-21996: linux - In the Linux kernel, the following vulnerability has been resolved: drm/radeon:... In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon

CVE-2025-71202 [MEDIUM] CVE-2025-71202: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/sva: ... In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any

CVE-2025-38174 [MEDIUM] CVE-2025-38174: linux - In the Linux kernel, the following vulnerability has been resolved: thunderbolt... In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call

CVE-2025-39847 [MEDIUM] CVE-2025-39847: linux - In the Linux kernel, the following vulnerability has been resolved: ppp: fix me... In the Linux kernel, the following vulnerability has been resolved: ppp: fix memory leak in pad_compress_skb If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does: skb = pad_compress_skb(ppp, skb); if (!skb) goto drop; drop: kfree_skb(skb); When pad_compress_skb() returns NULL, the reference to the old skb is lost

CVE-2025-39942 [MEDIUM] CVE-2025-39942: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd... In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size This is inspired by the check for data_offset + data_length. Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: resolved forky: resolved (fixed in 6.16.9-1) sid: resolved (fixed in 6.16.9-1) trixie: resolved

CVE-2025-38393 [MEDIUM] CVE-2025-38393: linux - In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS:... In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that th

CVE-2025-37820 [MEDIUM] CVE-2025-37820: linux - In the Linux kernel, the following vulnerability has been resolved: xen-netfron... In the Linux kernel, the following vulnerability has been resolved: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame() The function xdp_convert_buff_to_frame() may return NULL if it fails to correctly convert the XDP buffer into an XDP frame due to memory constraints, internal errors, or invalid data. Failing to check for NULL may lead to a NULL point

CVE-2025-38430 [MEDIUM] CVE-2025-38430: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4... In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. Sco