Debian Linux vulnerabilities

CVE-2026-23097 [MEDIUM] CVE-2026-23097: linux - In the Linux kernel, the following vulnerability has been resolved: migrate: co... In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_h

CVE-2026-23212 [MEDIUM] CVE-2026-23212: linux - In the Linux kernel, the following vulnerability has been resolved: bonding: an... In the Linux kernel, the following vulnerability has been resolved: bonding: annotate data-races around slave->last_rx slave->last_rx and slave->target_last_arp_rx[...] can be read and written locklessly. Add READ_ONCE() and WRITE_ONCE() annotations. syzbot reported: BUG: KCSAN: data-race in bond_rcv_validate / bond_rcv_validate write to 0xffff888149f0d428 of 8 byte

CVE-2026-23214 [MEDIUM] CVE-2026-23214: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: reje... In the Linux kernel, the following vulnerability has been resolved: btrfs: reject new transactions if the fs is fully read-only [BUG] There is a bug report where a heavily fuzzed fs is mounted with all rescue mount options, which leads to the following warnings during unmount: BTRFS: Transaction aborted (error -22) Modules linked in: CPU: 0 UID: 0 PID: 9758 Comm: re

CVE-2026-22991 [MEDIUM] CVE-2026-22991: linux - In the Linux kernel, the following vulnerability has been resolved: libceph: ma... In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_m

CVE-2026-23238 [MEDIUM] CVE-2026-23238: linux - In the Linux kernel, the following vulnerability has been resolved: romfs: chec... In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using io

CVE-2026-23205 [MEDIUM] CVE-2026-23205: linux - In the Linux kernel, the following vulnerability has been resolved: smb/client:... In the Linux kernel, the following vulnerability has been resolved: smb/client: fix memory leak in smb2_open_file() Reproducer: 1. server: directories are exported read-only 2. client: mount -t cifs //${server_ip}/export /mnt 3. client: dd if=/dev/zero of=/mnt/file bs=512 count=1000 oflag=direct 4. client: umount /mnt 5. client: sleep 1 6. client: modprobe -r cifs T

CVE-2026-23124 [MEDIUM] CVE-2026-23124: linux - In the Linux kernel, the following vulnerability has been resolved: ipv6: annot... In the Linux kernel, the following vulnerability has been resolved: ipv6: annotate data-race in ndisc_router_discovery() syzbot found that ndisc_router_discovery() could read and write in6_dev->ra_mtu without holding a lock [1] This looks fine, IFLA_INET6_RA_MTU is best effort. Add READ_ONCE()/WRITE_ONCE() to document the race. Note that we might also reject illegal

CVE-2026-23141 [MEDIUM] CVE-2026-23141: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: send... In the Linux kernel, the following vulnerability has been resolved: btrfs: send: check for inline extents in range_is_hole_in_parent() Before accessing the disk_bytenr field of a file extent item we need to check if we are dealing with an inline extent. This is because for inline extents their data starts at the offset of the disk_bytenr field. So accessing the disk

CVE-2026-23145 [MEDIUM] CVE-2026-23145: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: fix i... In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref The error branch for ext4_xattr_inode_update_ref forget to release the refcount for iloc.bh. Find this when review code. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-1) forky: resolved (fixed in 6.18.

CVE-2026-23064 [MEDIUM] CVE-2026-23064: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000

CVE-2026-22999 [MEDIUM] CVE-2026-22999: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-

CVE-2026-23207 [MEDIUM] CVE-2026-23207: linux - In the Linux kernel, the following vulnerability has been resolved: spi: tegra2... In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer check in IRQ handler Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---

CVE-2026-23005 [MEDIUM] CVE-2026-23005: linux - In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Cl... In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for features tha

CVE-2026-23154 [MEDIUM] CVE-2026-23154: linux - In the Linux kernel, the following vulnerability has been resolved: net: fix se... In the Linux kernel, the following vulnerability has been resolved: net: fix segmentation of forwarding fraglist GRO This patch enhances GSO segment handling by properly checking the SKB_GSO_DODGY flag for frag_list GSO packets, addressing low throughput issues observed when a station accesses IPv4 servers via hotspots with an IPv6-only upstream interface. Specifica

CVE-2026-23126 [MEDIUM] CVE-2026-23126: linux - In the Linux kernel, the following vulnerability has been resolved: netdevsim: ... In the Linux kernel, the following vulnerability has been resolved: netdevsim: fix a race issue related to the operation on bpf_bound_progs list The netdevsim driver lacks a protection mechanism for operations on the bpf_bound_progs list. When the nsim_bpf_create_prog() performs list_add_tail, it is possible that nsim_bpf_destroy_prog() is simultaneously performs li

CVE-2026-22982 [MEDIUM] CVE-2026-22982: linux - In the Linux kernel, the following vulnerability has been resolved: net: mscc: ... In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag") fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic an

CVE-2026-23202 [MEDIUM] CVE-2026-23202: linux - In the Linux kernel, the following vulnerability has been resolved: spi: tegra2... In the Linux kernel, the following vulnerability has been resolved: spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the

CVE-2026-23190 [MEDIUM] CVE-2026-23190: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: ... In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: fix memory leak in acp3x pdm dma ops Scope: local bookworm: resolved (fixed in 6.1.164-1) bullseye: resolved (fixed in 5.10.251-1) forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixie: resolved (fixed in 6.12.73-1)

CVE-2026-23091 [MEDIUM] CVE-2026-23091: linux - In the Linux kernel, the following vulnerability has been resolved: intel_th: f... In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on s

CVE-2026-23144 [MEDIUM] CVE-2026-23144: linux - In the Linux kernel, the following vulnerability has been resolved: mm/damon/sy... In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure When a context DAMON sysfs directory setup is failed after setup of attrs/ directory, subdirectories of attrs/ directory are not cleaned up. As a result, DAMON sysfs interface is nearly broken until the system reboots, and the memory