Debian Linux vulnerabilities

CVE-2025-38062 [MEDIUM] CVE-2025-38062: linux - In the Linux kernel, the following vulnerability has been resolved: genirq/msi:... In the Linux kernel, the following vulnerability has been resolved: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie The IOMMU translation for MSI message addresses has been a 2-step process, separated in time: 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt i

CVE-2025-38498 [MEDIUM] CVE-2025-38498: linux - In the Linux kernel, the following vulnerability has been resolved: do_change_t... In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: r

CVE-2025-38735 [MEDIUM] CVE-2025-38735: linux - In the Linux kernel, the following vulnerability has been resolved: gve: preven... In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the dev

CVE-2025-21725 [MEDIUM] CVE-2025-21725: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID:

CVE-2025-38448 [MEDIUM] CVE-2025-38448: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respective

CVE-2025-71125 [MEDIUM] CVE-2025-71125: linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Do... In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tracepoint.c:175 at tr

CVE-2025-21736 [MEDIUM] CVE-2025-21736: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix... In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix possible int overflows in nilfs_fiemap() Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result by being prepared to go through potentially maxblocks == INT_MAX blocks, the value in n may experience an overflow caused by left shift of blkbits. While it is extremely unli

CVE-2025-39923 [MEDIUM] CVE-2025-39923: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees When we don't have a clock specified in the device tree, we have no way to ensure the BAM is on. This is often the case for remotely-controlled or remotely-powered BAM instances. In this case, we need to read num-channels from the

CVE-2025-38084 [MEDIUM] CVE-2025-38084: linux - In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb:... In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing r

CVE-2025-38716 [MEDIUM] CVE-2025-38716: linux - In the Linux kernel, the following vulnerability has been resolved: hfs: fix ge... In the Linux kernel, the following vulnerability has been resolved: hfs: fix general protection fault in hfs_find_init() The hfs_find_init() method can trigger the crash if tree pointer is NULL: [ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI [ 45.747287][ T9787] KASAN: null-ptr-deref in r

CVE-2025-38071 [MEDIUM] CVE-2025-38071: linux - In the Linux kernel, the following vulnerability has been resolved: x86/mm: Che... In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from memblock_phys_alloc_range() At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() t

CVE-2025-38337 [MEDIUM] CVE-2025-38337: linux - In the Linux kernel, the following vulnerability has been resolved: jbd2: fix d... In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ==================================

CVE-2025-38560 [MEDIUM] CVE-2025-38560: linux - In the Linux kernel, the following vulnerability has been resolved: x86/sev: Ev... In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being validated. The

CVE-2025-38588 [MEDIUM] CVE-2025-38588: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: preve... In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fi

CVE-2025-39931 [MEDIUM] CVE-2025-39931: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: af_... In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be done. Fix this by set

CVE-2025-21688 [MEDIUM] CVE-2025-21688: linux - In the Linux kernel, the following vulnerability has been resolved: drm/v3d: As... In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Assign job pointer to NULL before signaling the fence In commit e4b5ccd392b9 ("drm/v3d: Ensure job pointer is set to NULL after job completion"), we introduced a change to assign the job pointer to NULL after completing a job, indicating job completion. However, this approach created a race

CVE-2025-23147 [MEDIUM] CVE-2025-23147: linux - In the Linux kernel, the following vulnerability has been resolved: i3c: Add NU... In the Linux kernel, the following vulnerability has been resolved: i3c: Add NULL pointer check in i3c_master_queue_ibi() The I3C master driver may receive an IBI from a target device that has not been probed yet. In such cases, the master calls `i3c_master_queue_ibi()` to queue an IBI work task, leading to "Unable to handle kernel read from unreadable memory" and r

CVE-2025-21820 [MEDIUM] CVE-2025-21820: linux - In the Linux kernel, the following vulnerability has been resolved: tty: xilinx... In the Linux kernel, the following vulnerability has been resolved: tty: xilinx_uartps: split sysrq handling lockdep detects the following circular locking dependency: CPU 0 CPU 1 ========================== ============================ cdns_uart_isr() printk() uart_port_lock(port) console_lock() cdns_uart_console_write() if (!port->sysrq) uart_port_lock(port) uart_h

CVE-2025-21646 [MEDIUM] CVE-2025-21646: linux - In the Linux kernel, the following vulnerability has been resolved: afs: Fix th... In the Linux kernel, the following vulnerability has been resolved: afs: Fix the maximum cell name length The kafs filesystem limits the maximum length of a cell to 256 bytes, but a problem occurs if someone actually does that: kafs tries to create a directory under /proc/net/afs/ with the name of the cell, but that fails with a warning: WARNING: CPU: 0 PID: 9 at fs

CVE-2025-38214 [MEDIUM] CVE-2025-38214: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix ... In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is exp