Debian Linux vulnerabilities

CVE-2025-21925 [MEDIUM] CVE-2025-21925: linux - In the Linux kernel, the following vulnerability has been resolved: llc: do not... In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver

CVE-2025-21888 [MEDIUM] CVE-2025-21888: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not

CVE-2025-38203 [MEDIUM] CVE-2025-38203: linux - In the Linux kernel, the following vulnerability has been resolved: jfs: Fix nu... In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfb

CVE-2025-39684 [MEDIUM] CVE-2025-39684: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: Fix... In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back t

CVE-2025-37800 [MEDIUM] CVE-2025-37800: linux - In the Linux kernel, the following vulnerability has been resolved: driver core... In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching

CVE-2025-21830 [MEDIUM] CVE-2025-21830: linux - In the Linux kernel, the following vulnerability has been resolved: landlock: H... In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files. Scope: local bookworm: resolved (fixed in 6.1.129-1) bullseye: resolved forky: resolved (fixed in 6.12.13-1) sid:

CVE-2025-37931 [MEDIUM] CVE-2025-37931: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: adju... In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing

CVE-2025-23140 [MEDIUM] CVE-2025-23140: linux - In the Linux kernel, the following vulnerability has been resolved: misc: pci_e... In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unrelea

CVE-2025-39705 [MEDIUM] CVE-2025-39705: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a Null pointer dereference vulnerability [Why] A null pointer dereference vulnerability exists in the AMD display driver's (DC module) cleanup function dc_destruct(). When display control context (dc->ctx) construction fails (due to memory allocation failure), this pointer remai

CVE-2025-71190 [MEDIUM] CVE-2025-71190: linux - In the Linux kernel, the following vulnerability has been resolved: dmaengine: ... In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. Scope: local bookworm: resolved (fixed in 6.1.162-1) bullseye: resolved (fixed in 5.10.249-1) forky: resolved (fixed in 6.18

CVE-2025-21894 [MEDIUM] CVE-2025-21894: linux - In the Linux kernel, the following vulnerability has been resolved: net: enetc:... In the Linux kernel, the following vulnerability has been resolved: net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC Actually ENETC VFs do not support HWTSTAMP_TX_ONESTEP_SYNC because only ENETC PF can access PMa_SINGLE_STEP registers. And there will be a crash if VFs are used to test one-step timestamp, the crash log as follows. [ 129.110909] Unable to handl

CVE-2025-38487 [MEDIUM] CVE-2025-38487: linux - In the Linux kernel, the following vulnerability has been resolved: soc: aspeed... In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000

CVE-2025-39844 [MEDIUM] CVE-2025-39844: linux - In the Linux kernel, the following vulnerability has been resolved: mm: move pa... In the Linux kernel, the following vulnerability has been resolved: mm: move page table sync declarations to linux/pgtable.h During our internal testing, we started observing intermittent boot failures when the machine uses 4-level paging and has a large amount of persistent memory: BUG: unable to handle page fault for address: ffffe70000000034 #PF: supervisor write

CVE-2025-38261 [MEDIUM] CVE-2025-38261: linux - In the Linux kernel, the following vulnerability has been resolved: riscv: save... In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored. The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in sc

CVE-2025-22008 [MEDIUM] CVE-2025-22008: linux - In the Linux kernel, the following vulnerability has been resolved: regulator: ... In the Linux kernel, the following vulnerability has been resolved: regulator: check that dummy regulator has been probed before using it Due to asynchronous driver probing there is a chance that the dummy regulator hasn't already been probed when first accessing it. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved (fixed in 5.10.237-1) forky:

CVE-2025-38275 [MEDIUM] CVE-2025-38275: linux - In the Linux kernel, the following vulnerability has been resolved: phy: qcom-q... In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and le

CVE-2025-21678 [MEDIUM] CVE-2025-21678: linux - In the Linux kernel, the following vulnerability has been resolved: gtp: Destro... In the Linux kernel, the following vulnerability has been resolved: gtp: Destroy device along with udp socket's netns dismantle. gtp_newlink() links the device to a list in dev_net(dev) instead of src_net, where a udp tunnel socket is created. Even when src_net is removed, the device stays alive on dev_net(dev). Then, removing src_net triggers the splat below. [0] I

CVE-2025-37940 [MEDIUM] CVE-2025-37940: linux - In the Linux kernel, the following vulnerability has been resolved: ftrace: Add... In the Linux kernel, the following vulnerability has been resolved: ftrace: Add cond_resched() to ftrace_graph_set_hash() When the kernel contains a large number of functions that can be traced, the loop in ftrace_graph_set_hash() may take a lot of time to execute. This may trigger the softlockup watchdog. Add cond_resched() within the loop to allow the kernel to re

CVE-2025-21768 [MEDIUM] CVE-2025-21768: linux - In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ... In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels Some lwtunnels have a dst cache for post-transformation dst. If the packet destination did not change we may end up recording a reference to the lwtunnel in its own cache, and the lwtunnel state will never be freed. Discovered by the ioam

CVE-2025-38711 [MEDIUM] CVE-2025-38711: linux - In the Linux kernel, the following vulnerability has been resolved: smb/server:... In the Linux kernel, the following vulnerability has been resolved: smb/server: avoid deadlock when linking with ReplaceIfExists If smb2_create_link() is called with ReplaceIfExists set and the name does exist then a deadlock will happen. ksmbd_vfs_kern_path_locked() will return with success and the parent directory will be locked. ksmbd_vfs_remove_file() will then