Debian Linux vulnerabilities

CVE-2025-38177 [MEDIUM] CVE-2025-38177: linux - In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: m... In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-ze

CVE-2025-39681 [MEDIUM] CVE-2025-39681: linux - In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hyg... In the Linux kernel, the following vulnerability has been resolved: x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Since 923f3a2b48bd ("x86/resctrl: Query LLC monitoring properties once during boot") resctrl_cpu_detect() has been moved from common CPU initialization code to the vendor-specific BSP init helper, while Hygon didn't put that call in

CVE-2025-21711 [MEDIUM] CVE-2025-21711: linux - In the Linux kernel, the following vulnerability has been resolved: net/rose: p... In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returnin

CVE-2025-38344 [MEDIUM] CVE-2025-38344: linux - In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix... In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases. Boot log of ACPI c

CVE-2025-21699 [MEDIUM] CVE-2025-21699: linux - In the Linux kernel, the following vulnerability has been resolved: gfs2: Trunc... In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two. Scope: local bookworm:

CVE-2025-23160 [MEDIUM] CVE-2025-23160: linux - In the Linux kernel, the following vulnerability has been resolved: media: medi... In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization On Mediatek devices with a system companion processor (SCP) the mtk_scp structure has to be removed explicitly to avoid a resource leak. Free the structure in case the allocation of the firmware structure fai

CVE-2025-38119 [MEDIUM] CVE-2025-38119: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: core:... In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the error handler ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_

CVE-2025-39850 [MEDIUM] CVE-2025-39850: linux - In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix ... In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and valid neighbor entry i

CVE-2025-37911 [MEDIUM] CVE-2025-37911: linux - In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fi... In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix out-of-bound memcpy() during ethtool -w When retrieving the FW coredump using ethtool, it can sometimes cause memory corruption: BUG: KFENCE: memory corruption in __bnxt_get_coredump+0x3ef/0x670 [bnxt_en] Corrupted memory at 0x000000008f0f30e8 [ ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ] (in kfe

CVE-2025-21792 [MEDIUM] CVE-2025-21792: linux - In the Linux kernel, the following vulnerability has been resolved: ax25: Fix r... In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refc

CVE-2025-71083 [MEDIUM] CVE-2025-71083: linux - In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Av... In the Linux kernel, the following vulnerability has been resolved: drm/ttm: Avoid NULL pointer deref for evicted BOs It is possible for a BO to exist that is not currently associated with a resource, e.g. because it has been evicted. When devcoredump tries to read the contents of all BOs for dumping, we need to expect this as well -- in this case, ENODATA is record

CVE-2025-38544 [MEDIUM] CVE-2025-38544: linux - In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix ... In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix bug due to prealloc collision When userspace is using AF_RXRPC to provide a server, it has to preallocate incoming calls and assign to them call IDs that will be used to thread related recvmsg() and sendmsg() together. The preallocated call IDs will automatically be attached to calls as t

CVE-2025-39843 [MEDIUM] CVE-2025-39843: linux - In the Linux kernel, the following vulnerability has been resolved: mm: slub: a... In the Linux kernel, the following vulnerability has been resolved: mm: slub: avoid wake up kswapd in set_track_prepare set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_prepare, and try to h

CVE-2025-38400 [MEDIUM] CVE-2025-38400: linux - In the Linux kernel, the following vulnerability has been resolved: nfs: Clean ... In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection in nfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning

CVE-2025-37775 [MEDIUM] CVE-2025-37775: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix the warning from __kernel_write_iter [ 2110.972290] ------------[ cut here ]------------ [ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280 This patch doesn't allow writing to directory. Scope: local bookworm: resolved (fixed in 6.1.135-1) bulls

CVE-2025-39787 [MEDIUM] CVE-2025-39787: linux - In the Linux kernel, the following vulnerability has been resolved: soc: qcom: ... In the Linux kernel, the following vulnerability has been resolved: soc: qcom: mdt_loader: Ensure we don't read past the ELF header When the MDT loader is used in remoteproc, the ELF header is sanitized beforehand, but that's not necessary the case for other clients. Validate the size of the firmware buffer to ensure that we don't read past the end as we iterate ove

CVE-2025-38478 [MEDIUM] CVE-2025-38478: linux - In the Linux kernel, the following vulnerability has been resolved: comedi: Fix... In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAM

CVE-2025-71150 [MEDIUM] CVE-2025-71150: linux - In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix ... In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, It indicates that no valid session was found, but it is missing to decrement the reference count acquired by the session lookup, which results in a reference coun

CVE-2025-38074 [MEDIUM] CVE-2025-38074: linux - In the Linux kernel, the following vulnerability has been resolved: vhost-scsi:... In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used v

CVE-2025-39747 [MEDIUM] CVE-2025-39747: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm: Ad... In the Linux kernel, the following vulnerability has been resolved: drm/msm: Add error handling for krealloc in metadata setup Function msm_ioctl_gem_info_set_metadata() now checks for krealloc failure and returns -ENOMEM, avoiding potential NULL pointer dereference. Explicitly avoids __GFP_NOFAIL due to deadlock risks and allocation constraints. Patchwork: https://