Debian Linux vulnerabilities

CVE-2025-21885 [MEDIUM] CVE-2025-21885: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_r... In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers While using nvme target with use_srq on, below kernel panic is noticed. [ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NO

CVE-2025-21787 [MEDIUM] CVE-2025-21787: linux - In the Linux kernel, the following vulnerability has been resolved: team: bette... In the Linux kernel, the following vulnerability has been resolved: team: better TEAM_OPTION_TYPE_STRING validation syzbot reported following splat [1] Make sure user-provided data contains one nul byte. [1] BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 string_nocheck lib/vspr

CVE-2025-39731 [MEDIUM] CVE-2025-39731: linux - In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_un... In the Linux kernel, the following vulnerability has been resolved: f2fs: vm_unmap_ram() may be called from an invalid context When testing F2FS with xfstests using UFS backed virtual disks the kernel complains sometimes that f2fs_release_decomp_mem() calls vm_unmap_ram() from an invalid context. Example trace from f2fs/007 test: f2fs/007 5s ... [12:59:38][ 8.902525

CVE-2025-21666 [MEDIUM] CVE-2025-21666: linux - In the Linux kernel, the following vulnerability has been resolved: vsock: prev... In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have mor

CVE-2025-38723 [MEDIUM] CVE-2025-38723: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ... In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset)

CVE-2025-71120 [MEDIUM] CVE-2025-71120: linux - In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svc... In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NULL even when the cop

CVE-2025-71138 [MEDIUM] CVE-2025-71138: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu... In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedesktop.org/patch/693860/

CVE-2025-38524 [MEDIUM] CVE-2025-38524: linux - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix ... In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeu

CVE-2025-71088 [MEDIUM] CVE-2025-71088: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: fall... In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tai

CVE-2025-21878 [MEDIUM] CVE-2025-21878: linux - In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: ... In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related to the i2c driver. After checking, the i2c module was doing a tx transfer and the bmc machine reboots in the middle of the i2c transaction, the i2c module keeps the status w

CVE-2025-21748 [MEDIUM] CVE-2025-21748: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memory corruption. Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved

CVE-2025-68288 [MEDIUM] CVE-2025-68288: linux - In the Linux kernel, the following vulnerability has been resolved: usb: storag... In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport A kernel memory leak was identified by the 'ioctl_sg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrectly skip the data phase with status data, the code extracts/validates

CVE-2025-37792 [MEDIUM] CVE-2025-37792: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: Prevent potential NULL dereference The btrtl_initialize() function checks that rtl_load_file() either had an error or it loaded a zero length file. However, if it loaded a zero length file then the error code is not set correctly. It results in an error pointer vs NULL bug, followe

CVE-2025-37812 [MEDIUM] CVE-2025-37812: linux - In the Linux kernel, the following vulnerability has been resolved: usb: cdns3:... In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: Fix deadlock when using NCM gadget The cdns3 driver has the same NCM deadlock as fixed in cdnsp by commit 58f2fcb3a845 ("usb: cdnsp: Fix deadlock issue during using NCM gadget"). Under PREEMPT_RT the deadlock can be readily triggered by heavy network traffic, for example using "iperf --b

CVE-2025-38324 [MEDIUM] CVE-2025-38324: linux - In the Linux kernel, the following vulnerability has been resolved: mpls: Use r... In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence the splat. [0

CVE-2025-21758 [MEDIUM] CVE-2025-21758: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast... In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RC

CVE-2025-37961 [MEDIUM] CVE-2025-37961: linux - In the Linux kernel, the following vulnerability has been resolved: ipvs: fix u... In the Linux kernel, the following vulnerability has been resolved: ipvs: fix uninit-value for saddr in do_output_route4 syzbot reports for uninit-value for the saddr argument [1]. commit 4754957f04f5 ("ipvs: do not use random local source address for tunnels") already implies that the input value of saddr should be ignored but the code is still reading it which can

CVE-2025-37912 [MEDIUM] CVE-2025-37912: linux - In the Linux kernel, the following vulnerability has been resolved: ice: Check ... In the Linux kernel, the following vulnerability has been resolved: ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() As mentioned in the commit baeb705fd6a7 ("ice: always check VF VSI pointer values"), we need to perform a null pointer check on the return value of ice_get_vf_vsi() before using it. Scope: local bookworm: resolved (fixed in 6.1.140-1) bullsey

CVE-2025-39703 [MEDIUM] CVE-2025-39703: linux - In the Linux kernel, the following vulnerability has been resolved: net, hsr: r... In the Linux kernel, the following vulnerability has been resolved: net, hsr: reject HSR frame if skb can't hold tag Receiving HSR frame with insufficient space to hold HSR tag in the skb can result in a crash (kernel BUG): [ 45.390915] skbuff: skb_under_panic: text:ffffffff86f32cac len:26 put:14 head:ffff888042418000 data:ffff888042417ff4 tail:0xe end:0x180 dev:bri

CVE-2025-38575 [MEDIUM] CVE-2025-38575: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: use ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: use aead_request_free to match aead_request_alloc Use aead_request_free() instead of kfree() to properly free memory allocated by aead_request_alloc(). This ensures sensitive crypto data is zeroed before being freed. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved fork