Debian Linux vulnerabilities

CVE-2025-37859 [MEDIUM] CVE-2025-37859: linux - In the Linux kernel, the following vulnerability has been resolved: page_pool: ... In the Linux kernel, the following vulnerability has been resolved: page_pool: avoid infinite loop to schedule delayed worker We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes neg

CVE-2025-21877 [MEDIUM] CVE-2025-21877: linux - In the Linux kernel, the following vulnerability has been resolved: usbnet: gl6... In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the de

CVE-2025-38100 [MEDIUM] CVE-2025-38100: linux - In the Linux kernel, the following vulnerability has been resolved: x86/iopl: C... In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in

CVE-2025-39932 [MEDIUM] CVE-2025-39932: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: let smbd_destroy() call disable_work_sync(&info->post_send_credits_work) In smbd_destroy() we may destroy the memory so we better wait until post_send_credits_work is no longer pending and will never be started again. I actually just hit the case using rxe: WARNING: CPU: 0 PID: 138 at d

CVE-2025-71191 [MEDIUM] CVE-2025-71191: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()") fixed th

CVE-2025-37951 [MEDIUM] CVE-2025-37951: linux - In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Ad... In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Add job to pending list if the reset was skipped When a CL/CSD job times out, we check if the GPU has made any progress since the last timeout. If so, instead of resetting the hardware, we skip the reset and let the timer get rearmed. This gives long-running jobs a chance to complete. Howev

CVE-2025-38468 [MEDIUM] CVE-2025-38468: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 h

CVE-2025-38590 [MEDIUM] CVE-2025-38590: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: ... In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is increm

CVE-2025-21848 [MEDIUM] CVE-2025-21848: linux - In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: A... In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.12.17-1)

CVE-2025-38562 [MEDIUM] CVE-2025-38562: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If client send two session setups with krb5 authenticate to ksmbd, null pointer dereference error in generate_encryptionkey could happen. sess->Preauth_HashValue is set to NULL if session is valid. So this patch skip generate encryp

CVE-2025-71096 [MEDIUM] CVE-2025-71096: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs array and then direct

CVE-2025-38410 [MEDIUM] CVE-2025-38410: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fi... In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork: https://patchwork.fr

CVE-2025-38650 [MEDIUM] CVE-2025-38650: linux - In the Linux kernel, the following vulnerability has been resolved: hfsplus: re... In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606

CVE-2025-38449 [MEDIUM] CVE-2025-38449: linux - In the Linux kernel, the following vulnerability has been resolved: drm/gem: Ac... In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations lead

CVE-2025-38345 [MEDIUM] CVE-2025-38345: linux - In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix... In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to bo

CVE-2025-38018 [MEDIUM] CVE-2025-38018: linux - In the Linux kernel, the following vulnerability has been resolved: net/tls: fi... In the Linux kernel, the following vulnerability has been resolved: net/tls: fix kernel panic when alloc_page failed We cannot set frag_list to NULL pointer when alloc_page failed. It will be used in tls_strp_check_queue_ok when the next time tls_strp_read_sock is called. This is because we don't reset full_len in tls_strp_flush_anchor_copy() so the recv path will t

CVE-2025-37853 [MEDIUM] CVE-2025-37853: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd:... In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: debugfs hang_hws skip GPU with MES debugfs hang_hws is used by GPU reset test with HWS, for MES this crash the kernel with NULL pointer access because dqm->packet_mgr is not setup for MES path. Skip GPU with MES for now, MES hang_hws debugfs interface will be supported later. Scope: loca

CVE-2025-39927 [MEDIUM] CVE-2025-39927: linux - In the Linux kernel, the following vulnerability has been resolved: ceph: fix r... In the Linux kernel, the following vulnerability has been resolved: ceph: fix race condition validating r_parent before applying state Add validation to ensure the cached parent directory inode matches the directory info in MDS replies. This prevents client-side race conditions where concurrent operations (e.g. rename) cause r_parent to become stale between request

CVE-2025-39798 [MEDIUM] CVE-2025-39798: linux - In the Linux kernel, the following vulnerability has been resolved: NFS: Fix th... In the Linux kernel, the following vulnerability has been resolved: NFS: Fix the setting of capabilities when automounting a new filesystem Capabilities cannot be inherited when we cross into a new filesystem. They need to be reset to the minimal defaults, and then probed for again. Scope: local bookworm: resolved (fixed in 6.1.153-1) bullseye: resolved (fixed in 5.

CVE-2025-37938 [MEDIUM] CVE-2025-37938: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Ve... In the Linux kernel, the following vulnerability has been resolved: tracing: Verify event formats that have "%*p.." The trace event verifier checks the formats of trace events to make sure that they do not point at memory that is not in the trace event itself or in data that will never be freed. If an event references data that was allocated when the event triggered