Debian Linux vulnerabilities

CVE-2025-21912 [MEDIUM] CVE-2025-21912: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: rcar:... In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ]

CVE-2025-37881 [MEDIUM] CVE-2025-37881: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference iss

CVE-2025-38444 [MEDIUM] CVE-2025-38444: linux - In the Linux kernel, the following vulnerability has been resolved: raid10: cle... In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffies 4298078271 hex du

CVE-2025-39851 [MEDIUM] CVE-2025-39851: linux - In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix ... In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD when refreshing an FDB entry with a nexthop object VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled. However, when learning is enabled, an incoming packet might try to refresh

CVE-2025-38495 [MEDIUM] CVE-2025-38495: linux - In the Linux kernel, the following vulnerability has been resolved: HID: core: ... In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes f

CVE-2025-38043 [MEDIUM] CVE-2025-38043: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Set dma_mask for ffa devices Set dma_mask for FFA devices, otherwise DMA allocation using the device pointer lead to following warning: WARNING: CPU: 1 PID: 1 at kernel/dma/mapping.c:597 dma_alloc_attrs+0xe0/0x124 Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: reso

CVE-2025-38067 [MEDIUM] CVE-2025-38067: linux - In the Linux kernel, the following vulnerability has been resolved: rseq: Fix s... In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field does

CVE-2025-38608 [MEDIUM] CVE-2025-38608: linux - In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: ... In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in tra

CVE-2025-22050 [MEDIUM] CVE-2025-22050: linux - In the Linux kernel, the following vulnerability has been resolved: usbnet:fix ... In the Linux kernel, the following vulnerability has been resolved: usbnet:fix NPE during rx_complete Missing usbnet_going_away Check in Critical Path. The usb_submit_urb function lacks a usbnet_going_away validation, whereas __usbnet_queue_skb includes this check. This inconsistency creates a race condition where: A URB request may succeed, but the corresponding SK

CVE-2025-39789 [MEDIUM] CVE-2025-39789: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: x86... In the Linux kernel, the following vulnerability has been resolved: crypto: x86/aegis - Add missing error checks The skcipher_walk functions can allocate memory and can fail, so checking for errors is necessary. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 6.16.5-1) sid: resolved (fixed in 6.16.5-1) trixie: open

CVE-2025-22081 [MEDIUM] CVE-2025-22081: linux - In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: F... In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix a couple integer overflows on 32bit systems On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can have an integer wrapping issue. Fix it by using size_add(). Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6.12.25-1) sid: res

CVE-2025-21948 [MEDIUM] CVE-2025-21948: linux - In the Linux kernel, the following vulnerability has been resolved: HID: applei... In the Linux kernel, the following vulnerability has been resolved: HID: appleir: Fix potential NULL dereference at raw event handle Syzkaller reports a NULL pointer dereference issue in input_event(). BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline] BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instr

CVE-2025-21846 [MEDIUM] CVE-2025-21846: linux - In the Linux kernel, the following vulnerability has been resolved: acct: perfo... In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acc(2) to /sys/power/resume. At the point the where the writ

CVE-2025-39865 [MEDIUM] CVE-2025-39865: linux - In the Linux kernel, the following vulnerability has been resolved: tee: fix NU... In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging r

CVE-2025-38477 [MEDIUM] CVE-2025-38477: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-f

CVE-2025-21662 [MEDIUM] CVE-2025-21662: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: F... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix variable not being completed when function returns When cmd_alloc_index(), fails cmd_work_handler() needs to complete ent->slotted before returning early. Otherwise the task which issued the command may hang: mlx5_core 0000:01:00.0: cmd_work_handler:877:(pid 3880418): failed to allocat

CVE-2025-37920 [MEDIUM] CVE-2025-37920: linux - In the Linux kernel, the following vulnerability has been resolved: xsk: Fix ra... In the Linux kernel, the following vulnerability has been resolved: xsk: Fix race condition in AF_XDP generic RX path Move rx_lock from xsk_socket to xsk_buff_pool. Fix synchronization for shared umem mode in generic RX path where multiple sockets share single xsk_buff_pool. RX queue is exclusive to xsk_socket, while FILL queue can be shared between multiple sockets

CVE-2025-71183 [MEDIUM] CVE-2025-71183: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: alwa... In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only of the inodes and a

CVE-2025-38439 [MEDIUM] CVE-2025-38439: linux - In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Se... In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x15

CVE-2025-38406 [MEDIUM] CVE-2025-38406: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath6k... In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on bad firmware input If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, print the si