Debian Linux vulnerabilities

CVE-2025-37958 [MEDIUM] CVE-2025-37958: linux - In the Linux kernel, the following vulnerability has been resolved: mm/huge_mem... In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: fix dereferencing invalid pmd migration entry When migrating a THP, concurrent access to the PMD migration entry during a deferred split scan can lead to an invalid address access, as illustrated below. To prevent this invalid access, it is necessary to check the PMD migration entry

CVE-2025-38063 [MEDIUM] CVE-2025-38063: linux - In the Linux kernel, the following vulnerability has been resolved: dm: fix unc... In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exist

CVE-2025-39676 [MEDIUM] CVE-2025-39676: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: qla4x... In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. Scope: local

CVE-2025-21904 [MEDIUM] CVE-2025-21904: linux - In the Linux kernel, the following vulnerability has been resolved: caif_virtio... In the Linux kernel, the following vulnerability has been resolved: caif_virtio: fix wrong pointer check in cfv_probe() del_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked for NULL before calling it, not cfv->vdev. Also the current implementation is redundant because the pointer cfv->vdev is dereferenced before it is checked for NULL. Fix this

CVE-2025-21907 [MEDIUM] CVE-2025-21907: linux - In the Linux kernel, the following vulnerability has been resolved: mm: memory-... In the Linux kernel, the following vulnerability has been resolved: mm: memory-failure: update ttu flag inside unmap_poisoned_folio Patch series "mm: memory_failure: unmap poisoned folio during migrate properly", v3. Fix two bugs during folio migration if the folio is poisoned. This patch (of 3): Commit 6da6b1d4a7df ("mm/hwpoison: convert TTU_IGNORE_HWPOISON to TTU_

CVE-2025-37787 [MEDIUM] CVE-2025-37787: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: m... In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered Russell King reports that a system with mv88e6xxx dereferences a NULL pointer when unbinding this driver: https://lore.kernel.org/netdev/[email protected]/ The crash seems to be in devlink_regio

CVE-2025-38382 [MEDIUM] CVE-2025-38382: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ... In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs during log replay At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the next iteration of the

CVE-2025-38064 [MEDIUM] CVE-2025-38064: linux - In the Linux kernel, the following vulnerability has been resolved: virtio: bre... In the Linux kernel, the following vulnerability has been resolved: virtio: break and reset virtio devices on device_shutdown() Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang. Invalid read at addr 0x102877002, size 2, region '(null)', reason: rejected Invalid write at addr 0x102877A44, size 2, region '(null)', reason:

CVE-2025-38058 [MEDIUM] CVE-2025-38058: linux - In the Linux kernel, the following vulnerability has been resolved: __legitimiz... In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe t

CVE-2025-23159 [MEDIUM] CVE-2025-23159: linux - In the Linux kernel, the following vulnerability has been resolved: media: venu... In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. Scope: local bookworm: resolved (fixed in

CVE-2025-38132 [MEDIUM] CVE-2025-38132: linux - In the Linux kernel, the following vulnerability has been resolved: coresight: ... In the Linux kernel, the following vulnerability has been resolved: coresight: holding cscfg_csdev_lock while removing cscfg from csdev There'll be possible race scenario for coresight config: CPU0 CPU1 (perf enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_loc

CVE-2025-22125 [MEDIUM] CVE-2025-22125: linux - In the Linux kernel, the following vulnerability has been resolved: md/raid1,ra... In the Linux kernel, the following vulnerability has been resolved: md/raid1,raid10: don't ignore IO flags If blk-wbt is enabled by default, it's found that raid write performance is quite bad because all IO are throttled by wbt of underlying disks, due to flag REQ_IDLE is ignored. And turns out this behaviour exist since blk-wbt is introduced. Other than REQ_IDLE,

CVE-2025-38671 [MEDIUM] CVE-2025-38671: linux - In the Linux kernel, the following vulnerability has been resolved: i2c: qup: j... In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a

CVE-2025-21961 [MEDIUM] CVE-2025-21961: linux - In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: ... In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix truesize for mb-xdp-pass case When mb-xdp is set and return is XDP_PASS, packet is converted from xdp_buff to sk_buff with xdp_update_skb_shared_info() in bnxt_xdp_build_skb(). bnxt_xdp_build_skb() passes incorrect truesize argument to xdp_update_skb_shared_info(). The truesize is cal

CVE-2025-71114 [MEDIUM] CVE-2025-71114: linux - In the Linux kernel, the following vulnerability has been resolved: via_wdt: fi... In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an entry marked as ""

CVE-2025-38695 [MEDIUM] CVE-2025-38695: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc:... In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer derefe

CVE-2025-38664 [MEDIUM] CVE-2025-38664: linux - In the Linux kernel, the following vulnerability has been resolved: ice: Fix a ... In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. Scope: local bookworm: resolved (fixed in 6.1.148-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.16.3-1) sid: resolv

CVE-2025-23144 [MEDIUM] CVE-2025-23144: linux - In the Linux kernel, the following vulnerability has been resolved: backlight: ... In the Linux kernel, the following vulnerability has been resolved: backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Lockdep detects the following issue on led-backlight removal: [ 142.315935] ------------[ cut here ]------------ [ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80 ... [ 142.500725]

CVE-2025-71111 [MEDIUM] CVE-2025-71111: linux - In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83... In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-by-zero errors. Con

CVE-2025-22057 [MEDIUM] CVE-2025-22057: linux - In the Linux kernel, the following vulnerability has been resolved: net: decrea... In the Linux kernel, the following vulnerability has been resolved: net: decrease cached dst counters in dst_release Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle. However in case CONFIG_DST_CACHE is e