Debian Linux vulnerabilities

CVE-2025-38591 [MEDIUM] CVE-2025-38591: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Reject... In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because

CVE-2025-21835 [MEDIUM] CVE-2025-21835: linux - In the Linux kernel, the following vulnerability has been resolved: usb: gadget... In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths While the MIDI jacks are configured correctly, and the MIDIStreaming endpoint descriptors are filled with the correct information, bNumEmbMIDIJack and bLength are set incorrectly in these descriptors. This does not matter when the numbers of

CVE-2025-21728 [MEDIUM] CVE-2025-21728: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Send s... In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. Scope: local b

CVE-2025-38136 [MEDIUM] CVE-2025-38136: linux - In the Linux kernel, the following vulnerability has been resolved: usb: renesa... In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabl

CVE-2025-21975 [MEDIUM] CVE-2025-21975: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: h... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: handle errors in mlx5_chains_create_table() In mlx5_chains_create_table(), the return value of mlx5_get_fdb_sub_ns() and mlx5_get_flow_namespace() must be checked to prevent NULL pointer dereferences. If either function fails, the function should log error message with mlx5_core_warn() and

CVE-2025-38418 [MEDIUM] CVE-2025-38418: linux - In the Linux kernel, the following vulnerability has been resolved: remoteproc:... In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory leak will occur. unr

CVE-2025-37860 [MEDIUM] CVE-2025-37860: linux - In the Linux kernel, the following vulnerability has been resolved: sfc: fix NU... In the Linux kernel, the following vulnerability has been resolved: sfc: fix NULL dereferences in ef100_process_design_param() Since cited commit, ef100_probe_main() and hence also ef100_check_design_params() run before efx->net_dev is created; consequently, we cannot netif_set_tso_max_size() or _segs() at this point. Move those netif calls to ef100_probe_netdev(),

CVE-2025-38007 [MEDIUM] CVE-2025-38007: linux - In the Linux kernel, the following vulnerability has been resolved: HID: uclogi... In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently, uclogic_input_configured() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. Scope:

CVE-2025-38528 [MEDIUM] CVE-2025-38528: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Reject... In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 fo

CVE-2025-21669 [MEDIUM] CVE-2025-21669: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/virti... In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: discard packets if the transport changes If the socket has been de-assigned or assigned to another transport, we must discard any packets received because they are not expected and would cause issues when we access vsk->transport. A possible scenario is described by Hyunwoo Kim in the

CVE-2025-39713 [MEDIUM] CVE-2025-39713: linux - In the Linux kernel, the following vulnerability has been resolved: media: rain... In the Linux kernel, the following vulnerability has been resolved: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() In the interrupt handler rain_interrupt(), the buffer full check on rain->buf_len is performed before acquiring rain->buf_lock. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as rain->buf_len is concurrently a

CVE-2025-21802 [MEDIUM] CVE-2025-21802: linux - In the Linux kernel, the following vulnerability has been resolved: net: hns3: ... In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_loc

CVE-2025-21891 [MEDIUM] CVE-2025-21891: linux - In the Linux kernel, the following vulnerability has been resolved: ipvlan: ens... In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/

CVE-2025-38602 [MEDIUM] CVE-2025-38602: linux - In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Ad... In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer. Scope: local bookworm: resolved (fixed in 6.1.148-1) bullseye: resolved (fixed in 5.10.244-1) forky: resolved (fixed in 6.16.3-1) sid: resolved (fixed in

CVE-2025-37905 [MEDIUM] CVE-2025-37905: linux - In the Linux kernel, the following vulnerability has been resolved: firmware: a... In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release method

CVE-2025-38335 [MEDIUM] CVE-2025-38335: linux - In the Linux kernel, the following vulnerability has been resolved: Input: gpio... In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called f

CVE-2025-38691 [MEDIUM] CVE-2025-38691: linux - In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix u... In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix uninited ptr deref in block/scsi layout The error occurs on the third attempt to encode extents. When function ext_tree_prepare_commit() reallocates a larger buffer to retry encoding extents, the "layoutupdate_pages" page array is initialized only after the retry loop. But ext_tree_free_co

CVE-2025-38678 [MEDIUM] CVE-2025-38678: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject duplicate device on updates A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device. Check if a duplicated device

CVE-2025-71147 [MEDIUM] CVE-2025-71147: linux - In the Linux kernel, the following vulnerability has been resolved: KEYS: trust... In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd 'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode' but it is not freed in the failure paths. Address this by wrapping the blob into with a cleanup helper. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved

CVE-2025-21814 [MEDIUM] CVE-2025-21814: linux - In the Linux kernel, the following vulnerability has been resolved: ptp: Ensure... In the Linux kernel, the following vulnerability has been resolved: ptp: Ensure info->enable callback is always set The ioctl and sysfs handlers unconditionally call the ->enable callback. Not all drivers implement that callback, leading to NULL dereferences. Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c. Instead use a dummy callback if no bet