Debian Linux vulnerabilities

CVE-2025-22007 [MEDIUM] CVE-2025-22007: linux - In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ... In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. Scope: local bookworm: resolved (fixed in 6.1.133-1) bullseye: resolved (fixed in 5.10.237-1) forky: resolved (fixed in 6.1

CVE-2025-21712 [MEDIUM] CVE-2025-21712: linux - In the Linux kernel, the following vulnerability has been resolved: md/md-bitma... In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), following panic is reported: Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:

CVE-2025-38037 [MEDIUM] CVE-2025-38037: linux - In the Linux kernel, the following vulnerability has been resolved: vxlan: Anno... In the Linux kernel, the following vulnerability has been resolved: vxlan: Annotate FDB data races The 'used' and 'updated' fields in the FDB entry structure can be accessed concurrently by multiple threads, leading to reports such as [1]. Can be reproduced using [2]. Suppress these reports by annotating these accesses using READ_ONCE() / WRITE_ONCE(). [1] BUG: KCSA

CVE-2025-38151 [MEDIUM] CVE-2025-38151: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: F... In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item curre

CVE-2025-37937 [MEDIUM] CVE-2025-37937: linux - In the Linux kernel, the following vulnerability has been resolved: objtool, me... In the Linux kernel, the following vulnerability has been resolved: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result is a divide-by-zero. Prevent that from happening. Fixes the following warning with an UBSAN kernel: drivers/media/dvb-frontends/dib8000.o: warning: objtool: d

CVE-2025-37867 [MEDIUM] CVE-2025-37867: linux - In the Linux kernel, the following vulnerability has been resolved: RDMA/core: ... In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Silence oversized kvmalloc() warning syzkaller triggered an oversized kvmalloc() warning. Silence it by adding __GFP_NOWARN. syzkaller log: WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180 CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6 Hardware

CVE-2025-38122 [MEDIUM] CVE-2025-38122: linux - In the Linux kernel, the following vulnerability has been resolved: gve: add mi... In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fa

CVE-2025-38264 [MEDIUM] CVE-2025-38264: linux - In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: s... In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 6.12.37-1) sid: resolved (fix

CVE-2025-21776 [MEDIUM] CVE-2025-21776: linux - In the Linux kernel, the following vulnerability has been resolved: USB: hub: I... In the Linux kernel, the following vulnerability has been resolved: USB: hub: Ignore non-compliant devices with too many configs or interfaces Robert Morris created a test program which can cause usb_hub_to_struct_hub() to dereference a NULL or inappropriate pointer: Oops: general protection fault, probably for non-canonical address 0xcccccccccccccccc: 0000 [#1] SMP

CVE-2025-37930 [MEDIUM] CVE-2025-37930: linux - In the Linux kernel, the following vulnerability has been resolved: drm/nouveau... In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() Nouveau is mostly designed in a way that it's expected that fences only ever get signaled through nouveau_fence_signal(). However, in at least one other place, nouveau_fence_done(), can signal fences, too. If that happens (race) a signaled fen

CVE-2025-71160 [MEDIUM] CVE-2025-71160: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ... In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_ta

CVE-2025-37757 [MEDIUM] CVE-2025-37757: linux - In the Linux kernel, the following vulnerability has been resolved: tipc: fix m... In the Linux kernel, the following vulnerability has been resolved: tipc: fix memory leak in tipc_link_xmit In case the backlog transmit queue for system-importance messages is overloaded, tipc_link_xmit() returns -ENOBUFS but the skb list is not purged. This leads to memory leak and failure when a skb is allocated. This commit fixes this issue by purging the skb li

CVE-2025-22124 [MEDIUM] CVE-2025-22124: linux - In the Linux kernel, the following vulnerability has been resolved: md/md-bitma... In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix wrong bitmap_limit for clustermd when write sb In clustermd, separate write-intent-bitmaps are used for each cluster node: 0 4k 8k 12k ------------------------------------------------------------------- | idle | md super | bm super [0] + bits | | bm bits[0, contd] | bm super[1] + b

CVE-2025-38266 [MEDIUM] CVE-2025-38266: linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: me... In the Linux kernel, the following vulnerability has been resolved: pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced an access to the 'soc' field of struct mtk_pinctrl in mtk_eint_do_init() and for that an include of pinctrl-mtk-common-v2.h. However

CVE-2025-39875 [MEDIUM] CVE-2025-39875: linux - In the Linux kernel, the following vulnerability has been resolved: igb: Fix NU... In the Linux kernel, the following vulnerability has been resolved: igb: Fix NULL pointer dereference in ethtool loopback test The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated q_vector for the test ring when it is set up, as interrupts are typically not added to the test r

CVE-2025-40046 [LOW] CVE-2025-40046: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/zc... In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix overshooting recv limit It's reported that sometimes a zcrx request can receive more than was requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for all received buffers including frag lists, but then doing recursive calls to process frag list skbs, which leads to des

CVE-2025-38255 [MEDIUM] CVE-2025-38255: linux - In the Linux kernel, the following vulnerability has been resolved: lib/group_c... In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainte

CVE-2025-38726 [MEDIUM] CVE-2025-38726: linux - In the Linux kernel, the following vulnerability has been resolved: net: ftgmac... In the Linux kernel, the following vulnerability has been resolved: net: ftgmac100: fix potential NULL pointer access in ftgmac100_phy_disconnect After the call to phy_disconnect() netdev->phydev is reset to NULL. So fixed_phy_unregister() would be called with a NULL pointer as argument. Therefore cache the phy_device before this call. Scope: local bookworm: resolve

CVE-2025-22032 [MEDIUM] CVE-2025-22032: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76:... In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix kernel panic due to null pointer dereference Address a kernel panic caused by a null pointer dereference in the `mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure is not properly initialized with the `sta` context. This patch ensures that the `def

CVE-2025-21752 [MEDIUM] CVE-2025-21752: linux - In the Linux kernel, the following vulnerability has been resolved: btrfs: don'... In the Linux kernel, the following vulnerability has been resolved: btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents Don't use btrfs_set_item_key_safe() to modify the keys in the RAID stripe-tree, as this can lead to corruption of the tree, which is caught by the checks in btrfs_set_item_key_safe(): BTRFS info (device nvme1n1): leaf 49168384 gen 15 to