Debian Linux vulnerabilities

CVE-2025-22109 [MEDIUM] CVE-2025-22109: linux - In the Linux kernel, the following vulnerability has been resolved: ax25: Remov... In the Linux kernel, the following vulnerability has been resolved: ax25: Remove broken autobind Binding AX25 socket by using the autobind feature leads to memory leaks in ax25_connect() and also refcount leaks in ax25_release(). Memory leak was detected with kmemleak: ================================================================ unreferenced object 0xffff8880253

CVE-2025-38125 [MEDIUM] CVE-2025-38125: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac... In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error

CVE-2025-39737 [MEDIUM] CVE-2025-39737: linux - In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak... In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() A soft lockup warning was observed on a relative small system x86-64 system with 16 GB of memory when running a debug kernel with kmemleak enabled. watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] The test system was runnin

CVE-2025-21665 [MEDIUM] CVE-2025-21665: linux - In the Linux kernel, the following vulnerability has been resolved: filemap: av... In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem. Scope: local bookworm: resolved (fixed in 6.1.128-1) bullseye: resolved forky: r

CVE-2025-38061 [MEDIUM] CVE-2025-38061: linux - In the Linux kernel, the following vulnerability has been resolved: net: pktgen... In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). Scope: local bookworm: resolved (fixed in 6.1.147-1) bullseye: resolved (fixed in 5.10.

CVE-2025-39779 [MEDIUM] CVE-2025-39779: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: subp... In the Linux kernel, the following vulnerability has been resolved: btrfs: subpage: keep TOWRITE tag until folio is cleaned btrfs_subpage_set_writeback() calls folio_start_writeback() the first time a folio is written back, and it also clears the PAGECACHE_TAG_TOWRITE tag even if there are still dirty blocks in the folio. This can break ordering guarantees, such as

CVE-2025-37983 [MEDIUM] CVE-2025-37983: linux - In the Linux kernel, the following vulnerability has been resolved: qibfs: fix ... In the Linux kernel, the following vulnerability has been resolved: qibfs: fix _another_ leak failure to allocate inode => leaked dentry... this one had been there since the initial merge; to be fair, if we are that far OOM, the odds of failing at that particular allocation are low... Scope: local bookworm: resolved (fixed in 6.1.137-1) bullseye: resolved (fixed in

CVE-2025-21871 [MEDIUM] CVE-2025-21871: linux - In the Linux kernel, the following vulnerability has been resolved: tee: optee:... In the Linux kernel, the following vulnerability has been resolved: tee: optee: Fix supplicant wait loop OP-TEE supplicant is a user-space daemon and it's possible for it be hung or crashed or killed in the middle of processing an OP-TEE RPC call. It becomes more complicated when there is incorrect shutdown ordering of the supplicant process vs the OP-TEE client app

CVE-2025-22033 [MEDIUM] CVE-2025-22033: linux - In the Linux kernel, the following vulnerability has been resolved: arm64: Don'... In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SI

CVE-2025-38465 [MEDIUM] CVE-2025-38465: linux - In the Linux kernel, the following vulnerability has been resolved: netlink: Fi... In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc.")

CVE-2025-22113 [MEDIUM] CVE-2025-22113: linux - In the Linux kernel, the following vulnerability has been resolved: ext4: avoid... In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it

CVE-2025-40005 [MEDIUM] CVE-2025-40005: linux - In the Linux kernel, the following vulnerability has been resolved: spi: cadenc... In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser. Unbinding driver during operation cau

CVE-2025-21976 [MEDIUM] CVE-2025-21976: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: hype... In the Linux kernel, the following vulnerability has been resolved: fbdev: hyperv_fb: Allow graceful removal of framebuffer When a Hyper-V framebuffer device is unbind, hyperv_fb driver tries to release the framebuffer forcefully. If this framebuffer is in use it produce the following WARN and hence this framebuffer is never released. [ 44.111220] WARNING: CPU: 35 P

CVE-2025-38684 [MEDIUM] CVE-2025-38684: linux - In the Linux kernel, the following vulnerability has been resolved: net/sched: ... In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: use old 'nbands' while purging unused classes Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify() after recent changes from Lion [2]. The problem is: in ets_qdisc_change() we purge unused DWRR queues; the value of 'q->nbands' is the new one, and the cleanup shou

CVE-2025-37980 [MEDIUM] CVE-2025-37980: linux - In the Linux kernel, the following vulnerability has been resolved: block: fix ... In the Linux kernel, the following vulnerability has been resolved: block: fix resource leak in blk_register_queue() error path When registering a queue fails after blk_mq_sysfs_register() is successful but the function later encounters an error, we need to clean up the blk_mq_sysfs resources. Add the missing blk_mq_sysfs_unregister() call in the error path to prope

CVE-2025-38441 [MEDIUM] CVE-2025-38441: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flo

CVE-2025-39716 [MEDIUM] CVE-2025-39716: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Rev... In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus,

CVE-2025-21875 [MEDIUM] CVE-2025-21875: linux - In the Linux kernel, the following vulnerability has been resolved: mptcp: alwa... In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mp

CVE-2025-21870 [MEDIUM] CVE-2025-21870: linux - In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ... In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers Other, non DAI copier widgets could have the same stream name (sname) as the ALH copier and in that case the copier->data is NULL, no alh_data is attached, which could lead to NULL pointer dereference. We could check for this NULL poi

CVE-2025-37897 [MEDIUM] CVE-2025-37897: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: plfxl... In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases