Debian Linux vulnerabilities

CVE-2025-37815 [MEDIUM] CVE-2025-37815: linux - In the Linux kernel, the following vulnerability has been resolved: misc: micro... In the Linux kernel, the following vulnerability has been resolved: misc: microchip: pci1xxxx: Fix Kernel panic during IRQ handler registration Resolve kernel panic while accessing IRQ handler associated with the generated IRQ. This is done by acquiring the spinlock and storing the current interrupt state before handling the interrupt request using generic_handle_ir

CVE-2025-38231 [MEDIUM] CVE-2025-38231: linux - In the Linux kernel, the following vulnerability has been resolved: nfsd: Initi... In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_

CVE-2025-22043 [MEDIUM] CVE-2025-22043: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: add ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for durable handle context Add missing bounds check for durable handle context. Scope: local bookworm: open bullseye: resolved forky: resolved (fixed in 6.12.25-1) sid: resolved (fixed in 6.12.25-1) trixie: resolved (fixed in 6.12.25-1)

CVE-2025-21649 [MEDIUM] CVE-2025-21649: linux - In the Linux kernel, the following vulnerability has been resolved: net: hns3: ... In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when 1588 is sent on HIP08 devices Currently, HIP08 devices does not register the ptp devices, so the hdev->ptp is NULL. But the tx process would still try to set hardware time stamp info with SKBTX_HW_TSTAMP flag and cause a kernel crash. [ 128.087798] Unable to handle k

CVE-2025-22063 [MEDIUM] CVE-2025-22063: linux - In the Linux kernel, the following vulnerability has been resolved: netlabel: F... In the Linux kernel, the following vulnerability has been resolved: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. I

CVE-2025-22042 [MEDIUM] CVE-2025-22042: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: add ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: add bounds check for create lease context Add missing bounds check for create lease context. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved forky: resolved (fixed in 6.12.25-1) sid: resolved (fixed in 6.12.25-1) trixie: resolved (fixed in 6.12.25-1)

CVE-2025-71180 [MEDIUM] CVE-2025-71180: linux - In the Linux kernel, the following vulnerability has been resolved: counter: in... In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git... #1 ----------------------------- some-user-space-process/1251 is t

CVE-2025-21660 [MEDIUM] CVE-2025-21660: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked When `ksmbd_vfs_kern_path_locked` met an error and it is not the last entry, it will exit without restoring changed path buffer. But later this buffer may be used as the filename for creation. Scope: local bookworm: resolved (fixed i

CVE-2025-38124 [MEDIUM] CVE-2025-38124: linux - In the Linux kernel, the following vulnerability has been resolved: net: fix ud... In the Linux kernel, the following vulnerability has been resolved: net: fix udp gso skb_segment after pull from frag_list Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometr

CVE-2025-38561 [MEDIUM] CVE-2025-38561: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase. Scope: loca

CVE-2025-71105 [MEDIUM] CVE-2025-71105: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: use g... In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem

CVE-2025-37756 [MEDIUM] CVE-2025-37756: linux - In the Linux kernel, the following vulnerability has been resolved: net: tls: e... In the Linux kernel, the following vulnerability has been resolved: net: tls: explicitly disallow disconnect syzbot discovered that it can disconnect a TLS socket and then run into all sort of unexpected corner cases. I have a vague recollection of Eric pointing this out to us a long time ago. Supporting disconnect is really hard, for one thing if offload is enabled

CVE-2025-38310 [MEDIUM] CVE-2025-38310: linux - In the Linux kernel, the following vulnerability has been resolved: seg6: Fix v... In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating th

CVE-2025-38364 [MEDIUM] CVE-2025-38364: linux - In the Linux kernel, the following vulnerability has been resolved: maple_tree:... In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC fla

CVE-2025-21705 [MEDIUM] CVE-2025-21705: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: hand... In the Linux kernel, the following vulnerability has been resolved: mptcp: handle fastopen disconnect correctly Syzbot was able to trigger a data stream corruption: WARNING: CPU: 0 PID: 9846 at net/mptcp/protocol.c:1024 __mptcp_clean_una+0xddb/0xff0 net/mptcp/protocol.c:1024 Modules linked in: CPU: 0 UID: 0 PID: 9846 Comm: syz-executor351 Not tainted 6.13.0-rc2-syzk

CVE-2025-38467 [MEDIUM] CVE-2025-38467: linux - In the Linux kernel, the following vulnerability has been resolved: drm/exynos:... In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference

CVE-2025-71227 [MEDIUM] CVE-2025-71227: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80... In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: don't WARN for connections on invalid channels It's not clear (to me) how exactly syzbot managed to hit this, but it seems conceivable that e.g. regulatory changed and has disabled a channel between scanning (channel is checked to be usable by cfg80211_get_ies_channel_number) and con

CVE-2025-38305 [MEDIUM] CVE-2025-38305: linux - In the Linux kernel, the following vulnerability has been resolved: ptp: remove... In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe

CVE-2025-21708 [MEDIUM] CVE-2025-21708: linux - In the Linux kernel, the following vulnerability has been resolved: net: usb: r... In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testi

CVE-2025-37992 [MEDIUM] CVE-2025-37992: linux - In the Linux kernel, the following vulnerability has been resolved: net_sched: ... In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q