Debian Linux vulnerabilities

CVE-2025-39929 [MEDIUM] CVE-2025-39929: linux - In the Linux kernel, the following vulnerability has been resolved: smb: client... In the Linux kernel, the following vulnerability has been resolved: smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path During tests of another unrelated patch I was able to trigger this error: Objects remaining on __kmem_cache_shutdown() Scope: local bookworm: resolved (fixed in 6.1.158-1) bullseye: open forky: resolved (fixed in 6.16.9-1) sid: r

CVE-2025-71113 [MEDIUM] CVE-2025-71113: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: af_... In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error paths or when new field

CVE-2025-23129 [MEDIUM] CVE-2025-23129: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath11... In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath11k_pci_alloc_msi(). This does no harm unless one of the functions

CVE-2025-37864 [MEDIUM] CVE-2025-37864: linux - In the Linux kernel, the following vulnerability has been resolved: net: dsa: c... In the Linux kernel, the following vulnerability has been resolved: net: dsa: clean up FDB, MDB, VLAN entries on unbind As explained in many places such as commit b117e1e8a86d ("net: dsa: delete dsa_legacy_fdb_add and dsa_legacy_fdb_del"), DSA is written given the assumption that higher layers have balanced additions/deletions. As such, it only makes sense to be ext

CVE-2025-38531 [MEDIUM] CVE-2025-38531: linux - In the Linux kernel, the following vulnerability has been resolved: iio: common... In the Linux kernel, the following vulnerability has been resolved: iio: common: st_sensors: Fix use of uninitialize device structs Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with

CVE-2025-38066 [MEDIUM] CVE-2025-38066: linux - In the Linux kernel, the following vulnerability has been resolved: dm cache: p... In the Linux kernel, the following vulnerability has been resolved: dm cache: prevent BUG_ON by blocking retries on failed device resumes A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into t

CVE-2025-38040 [MEDIUM] CVE-2025-38040: linux - In the Linux kernel, the following vulnerability has been resolved: serial: mct... In the Linux kernel, the following vulnerability has been resolved: serial: mctrl_gpio: split disable_ms into sync and no_sync APIs The following splat has been observed on a SAMA5D27 platform using atmel_serial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 27, name: kworker/u5

CVE-2025-21917 [MEDIUM] CVE-2025-21917: linux - In the Linux kernel, the following vulnerability has been resolved: usb: renesa... In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc

CVE-2025-39693 [MEDIUM] CVE-2025-39693: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis... In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid a NULL pointer dereference [WHY] Although unlikely drm_atomic_get_new_connector_state() or drm_atomic_get_old_connector_state() can return NULL. [HOW] Check returns before dereference. (cherry picked from commit 1e5e8d672fec9f2ab352be121be971877bff2af9) Scope: local bookworm:

CVE-2025-37768 [MEDIUM] CVE-2025-37768: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm:... In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE. Scope: local bookworm: resolved (fixed in 6.1.135-1) bullseye: resolved (fixed in 5.10.237-1) fo

CVE-2025-38404 [MEDIUM] CVE-2025-38404: linux - In the Linux kernel, the following vulnerability has been resolved: usb: typec:... In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix potential deadlock The deadlock can occur due to a recursive lock acquisition of `cros_typec_altmode_data::mutex`. The call chain is as follows: 1. cros_typec_altmode_work() acquires the mutex 2. typec_altmode_vdm() -> dp_altmode_vdm() -> 3. typec_altmode_exit() -> cros_

CVE-2025-38086 [MEDIUM] CVE-2025-38086: linux - In the Linux kernel, the following vulnerability has been resolved: net: ch9200... In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised in

CVE-2025-21701 [MEDIUM] CVE-2025-21701: linux - In the Linux kernel, the following vulnerability has been resolved: net: avoid ... In the Linux kernel, the following vulnerability has been resolved: net: avoid race between device unregistration and ethnl ops The following trace can be seen if a device is being unregistered while its number of channels are being modified. DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 3754 at kernel/locking/mutex.c:564 __mutex_lock+0xc8a/0x1120 CP

CVE-2025-38166 [MEDIUM] CVE-2025-38166: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: fix kt... In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.945795] ? iov

CVE-2025-38712 [MEDIUM] CVE-2025-38712: linux - In the Linux kernel, the following vulnerability has been resolved: hfsplus: do... In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_crea

CVE-2025-38097 [MEDIUM] CVE-2025-38097: linux - In the Linux kernel, the following vulnerability has been resolved: espintcp: r... In the Linux kernel, the following vulnerability has been resolved: espintcp: remove encap socket caching to avoid reference leak The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is: xfrm_state -> enacp_sk -> netns Since the encap socket is a userspace socket, it holds a reference on the

CVE-2025-22053 [MEDIUM] CVE-2025-22053: linux - In the Linux kernel, the following vulnerability has been resolved: net: ibmvet... In the Linux kernel, the following vulnerability has been resolved: net: ibmveth: make veth_pool_store stop hanging v2: - Created a single error handling unlock and exit in veth_pool_store - Greatly expanded commit message with previous explanatory-only text Summary: Use rtnl_mutex to synchronize veth_pool_store with itself, ibmveth_close and ibmveth_open, preventin

CVE-2025-38576 [MEDIUM] CVE-2025-38576: linux - In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh... In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: Make EEH driver device hotplug safe Multiple race conditions existed between the PCIe hotplug driver and the EEH driver, leading to a variety of kernel oopses of the same general nature: A second class of oops is also seen when the underlying bus disappears during device recovery. Refac

CVE-2025-39726 [MEDIUM] CVE-2025-39726: linux - In the Linux kernel, the following vulnerability has been resolved: s390/ism: f... In the Linux kernel, the following vulnerability has been resolved: s390/ism: fix concurrency management in ism_cmd() The s390x ISM device data sheet clearly states that only one request-response sequence is allowable per ISM function at any point in time. Unfortunately as of today the s390/ism driver in Linux does not honor that requirement. This patch aims to rect

CVE-2025-21721 [MEDIUM] CVE-2025-21721: linux - In the Linux kernel, the following vulnerability has been resolved: nilfs2: han... In the Linux kernel, the following vulnerability has been resolved: nilfs2: handle errors that nilfs_prepare_chunk() may return Patch series "nilfs2: fix issues with rename operations". This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed inst