Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227
Vulnerabilities
Page 83 of 665
CVE-2025-38426 [MEDIUM] CVSS 5.5, fixed in linux 6.16.3-1 (forky), 2025
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Add basic validation for RAS header
If RAS header read from EEPROM is corrupted, it could result in trying to allocate huge memory for reading the records. Add some validation to header fields.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 6.16.3-1)
sid: resolved (
debian
CVE-2025-38096 [MEDIUM] CVSS 5.5, fixed in linux 6.12.32-1 (forky), 2025
In the Linux kernel, the following vulnerability has been resolved:
wifi: iwlwifi: don't warn when if there is a FW error
iwl_trans_reclaim is warning if it is called when the FW is not alive. But if it is called when there is a pending restart, i.e. after a FW error, there is no need to warn, instead - return silently.
Scope: local
bookworm: open
bullseye: open
for
debian
CVE-2025-38645 [MEDIUM] CVSS 5.5, fixed in linux 6.1.148-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Check device memory pointer before usage
Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails.
Scope: local
bookworm: resolved (fixed in 6.1.148-1)
bullseye: open
forky: resolved (fixed in 6.16.3-1)
sid: resolved (fixed in 6.16.
debian
CVE-2025-39933 [MEDIUM] CVSS 5.5, fixed in linux 6.16.9-1 (forky), 2025
In the Linux kernel, the following vulnerability has been resolved:
smb: client: let recv_done verify data_offset, data_length and remaining_data_length
This is inspired by the related server fixes.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 6.16.9-1)
sid: resolved (fixed in 6.16.9-1)
trixie: open
debian
CVE-2025-38031 [MEDIUM] CVSS 5.5, fixed in linux 6.1.147-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
padata: do not leak refcount in reorder_work
A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decreme
debian
CVE-2025-71232 [MEDIUM] CVSS 5.5, fixed in linux 6.1.164-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla2xxx: Free sp in error path to fix system crash
System crash seen during load/unload test in a loop,
[61110.449331] qla2xxx [0000:27:00.0]-0042:0: Disabled MSI-X.
[61110.467494] =============================================================================
[61110.467498] BUG qla2xxx_srbs (Ta
debian
CVE-2025-38215 [MEDIUM] CVSS 5.5, fixed in linux 6.1.147-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var
If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the m
debian
CVE-2025-21656 [MEDIUM] CVSS 5.5, fixed in linux 6.12.10-1 (forky), 2025
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (drivetemp) Fix driver producing garbage data when SCSI errors occur
scsi_execute_cmd() function can return both negative (linux codes) and positive (scsi_cmnd result field) error codes. Currently the driver just passes error codes of scsi_execute_cmd() to hwmon core, which is incorrect becau
debian
CVE-2025-38474 [MEDIUM] CVSS 5.5, fixed in linux 6.1.147-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
usb: net: sierra: check for no status endpoint
The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission.
Scope: local
bookworm: resolved (fixed in 6.1.147-1)
bullseye: resolved (fixed in 5.10.244-1)
fo
debian
CVE-2025-37857 [MEDIUM] CVSS 5.5, fixed in linux 6.1.135-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
scsi: st: Fix array overflow in st_setup()
Change the array size to follow parms size instead of a fixed value.
Scope: local
bookworm: resolved (fixed in 6.1.135-1)
bullseye: resolved (fixed in 5.10.237-1)
forky: resolved (fixed in 6.12.25-1)
sid: resolved (fixed in 6.12.25-1)
trixie: resolved (fixe
debian
CVE-2025-21673 [MEDIUM] CVSS 5.5, fixed in linux 6.12.11-1 (forky), 2025
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix double free of TCP_Server_Info::hostname
When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise
debian
CVE-2025-21745 [MEDIUM] CVSS 5.5, fixed in linux 6.1.129-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: Fix class @block_class's subsystem refcount leakage
blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with cl
debian
CVE-2025-38581 [MEDIUM] CVSS 5.5, fixed in linux 6.1.148-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Fix crash when rebind ccp device for ccp.ko
When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash:
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind
$ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind
[ 204.976930] BUG: kernel NULL p
debian
CVE-2025-23148 [MEDIUM] CVSS 5.5, fixed in linux 6.1.135-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
soc_dev_attr->revision could be NULL, thus, a pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_pt
debian
CVE-2025-21916 [MEDIUM] CVSS 5.5, fixed in linux 6.1.133-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
usb: atm: cxacru: fix a flaw in existing endpoint checks
Syzbot once again identified a flaw in usb endpoint checking, see [1]. This time the issue stems from a commit authored by me (2eabb655a968 ("usb: atm: cxacru: fix endpoint checking in cxacru_bind()")). While using usb_find_common_endpoints()
debian
CVE-2025-38145 [MEDIUM] CVSS 5.5, fixed in linux 6.1.147-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. [arj: Fix
debian
CVE-2025-38034 [MEDIUM] CVSS 5.5, fixed in linux 6.1.147-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert(). Note, trace_btrfs_prelim_ref_insert()
debian
CVE-2025-68223 [MEDIUM] CVSS 5.5, fixed in linux 6.1.162-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
drm/radeon: delete radeon_fence_process in is_signaled, no deadlock
Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. T
debian
CVE-2025-39857 [MEDIUM] CVSS 5.5, fixed in linux 6.1.153-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
Tainted: [O]=OOT_MODULE, [E]=UNSI
debian
CVE-2025-38614 [MEDIUM] CVSS 5.5, fixed in linux 6.1.153-1 (bookworm), 2025
In the Linux kernel, the following vulnerability has been resolved:
eventpoll: Fix semi-unbounded recursion
Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulti
debian