Debian Linux vulnerabilities

CVE-2025-21960 [MEDIUM] CVE-2025-21960: linux - In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: ... In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: do not update checksum in bnxt_xdp_build_skb() The bnxt_rx_pkt() updates ip_summed value at the end if checksum offload is enabled. When the XDP-MB program is attached and it returns XDP_PASS, the bnxt_xdp_build_skb() is called to update skb_shared_info. The main purpose of bnxt_xdp_build

CVE-2025-39949 [MEDIUM] CVE-2025-39949: linux - In the Linux kernel, the following vulnerability has been resolved: qed: Don't ... In the Linux kernel, the following vulnerability has been resolved: qed: Don't collect too many protection override GRC elements In the protection override dump path, the firmware can return far too many GRC elements, resulting in attempting to write past the end of the previously-kmalloc'ed dump buffer. This will result in a kernel panic with reason: BUG: unable to

CVE-2025-38197 [MEDIUM] CVE-2025-38197: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet list will result in

CVE-2025-38065 [MEDIUM] CVE-2025-38065: linux - In the Linux kernel, the following vulnerability has been resolved: orangefs: D... In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len' a size_t results in truncation to 4GiB on 32-bit systems. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.12.32-1) sid: re

CVE-2025-21634 [MEDIUM] CVE-2025-21634: linux - In the Linux kernel, the following vulnerability has been resolved: cgroup/cpus... In the Linux kernel, the following vulnerability has been resolved: cgroup/cpuset: remove kernfs active break A warning was found: WARNING: CPU: 10 PID: 3486953 at fs/kernfs/file.c:828 CPU: 10 PID: 3486953 Comm: rmdir Kdump: loaded Tainted: G RIP: 0010:kernfs_should_drain_open_files+0x1a1/0x1b0 RSP: 0018:ffff8881107ef9e0 EFLAGS: 00010202 RAX: 0000000080000002 RBX: f

CVE-2025-38546 [MEDIUM] CVE-2025-38546: linux - In the Linux kernel, the following vulnerability has been resolved: atm: clip: ... In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL

CVE-2025-38200 [MEDIUM] CVE-2025-38200: linux - In the Linux kernel, the following vulnerability has been resolved: i40e: fix M... In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. Scope: local bookworm: resolved (fixed in

CVE-2025-38195 [MEDIUM] CVE-2025-38195: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ... In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() ERROR INFO: CPU 25 Unable to handle kernel paging request at virtual address 0x0 ... Call Trace: [] huge_pte_offset+0x3c/0x58 [] hugetlb_follow_page_mask+0x74/0x438 [] __get_user_pages+0xe0/0x4c8 [] faultin_page_range+0x84/0x380 [] madvise

CVE-2025-38721 [MEDIUM] CVE-2025-38721: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: fix refcount leak on table dump There is a reference count leak in ctnetlink_dump_table(): if (res ct_general); // HERE cb->args[1] = (unsigned long)ct; ... While its very unlikely, its possible that ct == last. If this happens, then the refcount of ct was already incremented.

CVE-2025-39715 [MEDIUM] CVE-2025-39715: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Rev... In the Linux kernel, the following vulnerability has been resolved: parisc: Revise gateway LWS calls to probe user read access We use load and stbys,e instructions to trigger memory reference interruptions without writing to memory. Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The ke

CVE-2025-40251 [MEDIUM] CVE-2025-40251: linux - In the Linux kernel, the following vulnerability has been resolved: devlink: ra... In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or `rate_node_parent_set` ops and decrementing the parent's refcount, with

CVE-2025-38507 [MEDIUM] CVE-2025-38507: linux - In the Linux kernel, the following vulnerability has been resolved: HID: ninten... In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: avoid bluetooth suspend/resume stalls Ensure we don't stall or panic the kernel when using bluetooth-connected controllers. This was reported as an issue on android devices using kernel 6.6 due to the resume hook which had been added for usb joycons. First, set a new state value to JO

CVE-2025-71127 [MEDIUM] CVE-2025-71127: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a targeted a

CVE-2025-38193 [MEDIUM] CVE-2025-38193: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sf

CVE-2025-39764 [MEDIUM] CVE-2025-39764: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: remove refcounting in expectation dumpers Same pattern as previous patch: do not keep the expectation object alive via refcount, only store a cookie value and then use that as the skip hint for dump resumption. AFAICS this has the same issue as the one resolved in the conntrack

CVE-2025-39746 [MEDIUM] CVE-2025-39746: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath10... In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: shutdown driver when hardware is unreliable In rare cases, ath10k may lose connection with the PCIe bus due to some unknown reasons, which could further lead to system crashes during resuming due to watchdog timeout: ath10k_pci 0000:01:00.0: wmi command 20486 timeout, restarting hardwa

CVE-2025-37740 [MEDIUM] CVE-2025-37740: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: add sa... In the Linux kernel, the following vulnerability has been resolved: jfs: add sanity check for agwidth in dbMount The width in dmapctl of the AG is zero, it trigger a divide error when calculating the control page level in dbAllocAG. To avoid this issue, add a check for agwidth in dbAllocAG. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fix

CVE-2025-37970 [MEDIUM] CVE-2025-37970: linux - In the Linux kernel, the following vulnerability has been resolved: iio: imu: s... In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo Prevent st_lsm6dsx_read_fifo from falling in an infinite loop in case pattern_len is equal to zero and the device FIFO is not empty. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullseye: resolved (fixed in 5.10.244-1) forky:

CVE-2025-21766 [MEDIUM] CVE-2025-21766: linux - In the Linux kernel, the following vulnerability has been resolved: ipv4: use R... In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: open forky: resolved (fixed in 6.12.16-1) sid: resolved (fixed in 6.12.16-1) trix

CVE-2025-21651 [MEDIUM] CVE-2025-21651: linux - In the Linux kernel, the following vulnerability has been resolved: net: hns3: ... In the Linux kernel, the following vulnerability has been resolved: net: hns3: don't auto enable misc vector Currently, there is a time window between misc irq enabled and service task inited. If an interrupte is reported at this time, it will cause warning like below: [ 16.324639] Call trace: [ 16.324641] __queue_delayed_work+0xb8/0xe0 [ 16.324643] mod_delayed_work