Debian Linux vulnerabilities

CVE-2025-22062 [MEDIUM] CVE-2025-22062: linux - In the Linux kernel, the following vulnerability has been resolved: sctp: add m... In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in

CVE-2025-37842 [MEDIUM] CVE-2025-37842: linux - In the Linux kernel, the following vulnerability has been resolved: spi: fsl-qs... In the Linux kernel, the following vulnerability has been resolved: spi: fsl-qspi: use devm function instead of driver remove Driver use devm APIs to manage clk/irq/resources and register the spi controller, but the legacy remove function will be called first during device detach and trigger kernel panic. Drop the remove function and use devm_add_action_or_reset() f

CVE-2025-21683 [MEDIUM] CVE-2025-21683: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bp... In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_sk_select_reuseport() memory leak As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounte

CVE-2025-37925 [MEDIUM] CVE-2025-37925: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: reject... In the Linux kernel, the following vulnerability has been resolved: jfs: reject on-disk inodes of an unsupported type Syzbot has reported the following BUG: kernel BUG at fs/inode.c:668! Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 3 UID: 0 PID: 139 Comm: jfsCommit Not tainted 6.12.0-rc4-syzkaller-00085-g4e46774408d9 #0 Hardware name: QEMU Standard PC

CVE-2025-22045 [MEDIUM] CVE-2025-22045: linux - In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix... In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tl

CVE-2025-23163 [MEDIUM] CVE-2025-23163: linux - In the Linux kernel, the following vulnerability has been resolved: net: vlan: ... In the Linux kernel, the following vulnerability has been resolved: net: vlan: don't propagate flags on open With the device instance lock, there is now a possibility of a deadlock: [ 1.211455] ============================================ [ 1.211571] WARNING: possible recursive locking detected [ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted [ 1.2118

CVE-2025-21981 [MEDIUM] CVE-2025-21981: linux - In the Linux kernel, the following vulnerability has been resolved: ice: fix me... In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of

CVE-2025-22111 [MEDIUM] CVE-2025-22111: linux - In the Linux kernel, the following vulnerability has been resolved: net: Remove... In the Linux kernel, the following vulnerability has been resolved: net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to br_ioctl_call(), which causes unnecessary RTNL dance and the splat below [0] under RTNL pressure. Let's say Thread A is trying to detach a device from a bridge and Thread B is tr

CVE-2025-38412 [MEDIUM] CVE-2025-38412: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8... In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks After retrieving WMI data blocks in sysfs callbacks, check for the validity of them before dereferencing their content. Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved forky: resolved (fixed in 6.1

CVE-2025-21716 [MEDIUM] CVE-2025-21716: linux - In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix ... In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix uninit-value in vxlan_vnifilter_dump() KMSAN reported an uninit-value access in vxlan_vnifilter_dump() [1]. If the length of the netlink message payload is less than sizeof(struct tunnel_msg), vxlan_vnifilter_dump() accesses bytes beyond the message. This can lead to uninit-value access.

CVE-2025-37766 [MEDIUM] CVE-2025-37766: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fixed in 5.10.237-1) fo

CVE-2025-21723 [MEDIUM] CVE-2025-21723: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3m... In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix possible crash when setting up bsg fails If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead

CVE-2025-38362 [MEDIUM] CVE-2025-38362: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer

CVE-2025-39805 [MEDIUM] CVE-2025-39805: linux - In the Linux kernel, the following vulnerability has been resolved: net: macb: ... In the Linux kernel, the following vulnerability has been resolved: net: macb: fix unregister_netdev call order in macb_remove() When removing a macb device, the driver calls phy_exit() before unregister_netdev(). This leads to a WARN from kernfs: ------------[ cut here ]------------ kernfs: can not remove 'attached_dev', no directory WARNING: CPU: 1 PID: 27146 at f

CVE-2025-38038 [MEDIUM] CVE-2025-38038: linux - In the Linux kernel, the following vulnerability has been resolved: cpufreq: am... In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost set_boost is a per-policy function call, hence a driver wide lock is unnecessary. Also this mutex_acquire can collide with the mutex_acquire from the mode-switch path in status_store(), which can lead to a deadlock. So, remove it. Scop

CVE-2025-38041 [MEDIUM] CVE-2025-38041: linux - In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-... In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: h616: Reparent GPU clock during frequency changes The H616 manual does not state that the GPU PLL supports dynamic frequency configuration, so we must take extra care when changing the frequency. Currently any attempt to do device DVFS on the GPU lead to panfrost various ooops, and GP

CVE-2025-37741 [MEDIUM] CVE-2025-37741: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Preven... In the Linux kernel, the following vulnerability has been resolved: jfs: Prevent copying of nlink with value 0 from disk inode syzbot report a deadlock in diFree. [1] When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4, which does not match the mounted loop device, causing the mapping of the mounted loop device to be invalidated. When creating th

CVE-2025-39910 [MEDIUM] CVE-2025-39910: linux - In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc,... In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc, mm/kasan: respect gfp mask in kasan_populate_vmalloc() kasan_populate_vmalloc() and its helpers ignore the caller's gfp_mask and always allocate memory using the hardcoded GFP_KERNEL flag. This makes them inconsistent with vmalloc(), which was recently extended to support GFP_NOFS and GF

CVE-2025-68823 [MEDIUM] CVE-2025-68823: linux - In the Linux kernel, the following vulnerability has been resolved: ublk: fix d... In the Linux kernel, the following vulnerability has been resolved: ublk: fix deadlock when reading partition table When one process(such as udev) opens ublk block device (e.g., to read the partition table via bdev_open()), a deadlock[1] can occur: 1. bdev_open() grabs disk->open_mutex 2. The process issues read I/O to ublk backend to read partition table 3. In __ub

CVE-2025-37758 [MEDIUM] CVE-2025-37758: linux - In the Linux kernel, the following vulnerability has been resolved: ata: pata_p... In the Linux kernel, the following vulnerability has been resolved: ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() devm_ioremap() returns NULL on error. Currently, pxa_ata_probe() does not check for this case, which can result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. Scope: local bookworm: re