Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

Page 7 of 665
CVE-2026-22992 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
libceph: return the handler error from mon_handle_auth_done()
Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn't returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully auth
debian
CVE-2026-23006 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
ASoC: tlv320adcx140: fix null pointer
The "snd_soc_component" in "adcx140_priv" was only used once but never set. It was only used for reaching "dev" which is already present in "adcx140_priv".
Scope: local. bookworm: resolved (fixed in 6.1.162-1); bullseye: resolved; forky: resolved (fixed in 6.18.8-1
debian
CVE-2026-23090 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
slimbus: core: fix device reference leak on report present
Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device ha
debian
CVE-2026-23087 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove()
debian
CVE-2026-23003 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMS
debian
CVE-2026-23128 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
arm64: Set __nocfi on swsusp_arch_resume()
A DABT is reported[1] on an android based system when resuming from hibernate. This happens because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() and does not have a CFI hash, but swsusp_arch_resume() will attempt to verify the CFI hash when calling a
debian
CVE-2026-23021 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
net: usb: pegasus: fix memory leak in update_eth_regs_async()
When asynchronously writing to the device registers, if usb_submit_urb() fails, the code fails to release the resources allocated to this point.
Scope: local. bookworm: resolved (fixed in 6.1.162-1); bullseye: resolved (fixed in 5.10.249-1); fo
debian
CVE-2026-23157 | MEDIUM | CVSS 5.5 | fixed in linux 6.18.9-1 (forky) | 2026
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not strictly require dirty metadata threshold for metadata writepages
[BUG]
There is an internal report that over 1000 processes are waiting at the io_schedule_timeout() of balance_dirty_pages(), causing a system hang and triggering a kernel coredump. The kernel is v6.4 kernel based, but the
debian
CVE-2026-23121 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
mISDN: annotate data-race around dev->work
dev->work can be read locklessly in mISDN_read() and mISDN_poll(). Add READ_ONCE()/WRITE_ONCE() annotations.
BUG: KCSAN: data-race in mISDN_ioctl / mISDN_read
write to 0xffff88812d848280 of 4 bytes by task 10864 on cpu 1:
misdn_add_timer drivers/isdn/mISDN/
debian
CVE-2026-23084 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_i
debian
CVE-2026-22997 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Othe
debian
CVE-2026-22977 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
net: sock: fix hardened usercopy panic in sock_recv_errqueue
skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to
debian
CVE-2026-23220 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.164-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
The problem occurs when a signed request fails smb2 signature verification check. In __process_request(), if check_sign_req() returns an error, set_smb2_rsp_status(work, STATUS_ACCESS_DENIED) is called. set_smb2_rsp_status
debian
CVE-2026-23086 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: cap TX credit to local buffer size
The virtio transports derive their TX credit directly from peer_buf_alloc, which is set from the remote endpoint's SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled b
debian
CVE-2026-23168 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
flex_proportions: make fprop_new_period() hardirq safe
Bernd has reported a lockdep splat from flexible proportions code that is essentially complaining about the following race:
run_timer_softirq - we are in softirq context
  call_timer_fn
    writeout_period
      fprop_new_period
        write_seqcount_begin(&p->seq
debian
CVE-2026-23133 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: fix dma_free_coherent() pointer
dma_alloc_coherent() allocates a DMA mapped buffer and stores the addresses in XXX_unaligned fields. Those should be reused when freeing the buffer rather than the aligned addresses.
Scope: local. bookworm: resolved (fixed in 6.1.162-1); bullseye: resolved
debian
CVE-2026-23110 | MEDIUM | CVSS 4.7 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
scsi: core: Wake up the error handler when final completions race against each other
The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SC
debian
CVE-2026-23142 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
When a DAMOS-scheme DAMON sysfs directory setup fails after setup of access_pattern/ directory, subdirectories of access_pattern/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until
debian
CVE-2026-23150 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
In the Linux kernel, the following vulnerability has been resolved:
nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
syzbot reported various memory leaks related to NFC, struct nfc_llcp_sock, sk_buff, nfc_dev, etc. [0] The leading log hinted that nfc_llcp_send_ui_frame() failed to allocate skb due to sock_error(sk) being -ENXIO. ENXIO is set by nfc_llcp_socket_re
debian
CVE-2026-23004 | MEDIUM | CVSS 4.7 | fixed in linux 6.18.8-1 (forky) | 2026
In the Linux kernel, the following vulnerability has been resolved:
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well.
static inline
debian