Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

CVE-2025-38431 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: smb: client: fix regression with native SMB symlinks. Some users and customers reported that their backup/copy tools started to fail when the directory being copied contained symlink targets that the client couldn't parse - even when those symlinks weren't followed. Fix this by allowing lstat(2) and
debian
CVE-2025-22100 | LOW | CVSS 4.7 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix race condition when gathering fdinfo group samples. Commit e16635d88fa0 ("drm/panthor: add DRM fdinfo support") failed to protect access to groups with an xarray lock, which could lead to use-after-free errors.
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: r
debian
CVE-2025-38101 | LOW | CVSS 7.8 | fixed in linux 6.12.35-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set(). Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues.
Scope: local. bookworm: resolved; b
debian
CVE-2025-22118 | LOW | CVSS 7.1 | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: ice: validate queue quanta parameters to prevent OOB access. Add queue wraparound prevention in quanta configuration. Ensure end_qid does not overflow by validating start_qid and num_queues.
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
debian
CVE-2025-21810 | LOW | CVSS 5.5 | fixed in linux 6.12.13-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: driver core: class: Fix wild pointer dereferences in API class_dev_iter_next(). There is a potential wild pointer dereference issue regarding APIs class_dev_iter_(init|next|exit)(), as explained by below typical usage:
    // All members of @iter are wild pointers.
    struct class_dev_iter iter;
    // class_
debian
CVE-2025-68207 | LOW | fixed in linux 6.17.9-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Synchronize Dead CT worker with unbind. Cancel and wait for any Dead CT worker to complete before continuing with device unbinding. Else the worker will end up using resources freed by the unbind operation. (cherry picked from commit 492671339114e376aaa38626d637a2751cdef263)
Scope: local. boo
debian
CVE-2025-21841 | LOW | CVSS 5.5 | fixed in linux 6.12.16-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: cpufreq/amd-pstate: Fix cpufreq_policy ref counting. amd_pstate_update_limits() takes a cpufreq_policy reference but doesn't decrement the refcount in one of the exit paths, fix that.
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 6.12.16-1); sid: resolved (fixed in 6.12.
debian
CVE-2025-38209 | LOW | CVSS 7.8 | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails. Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotiation, and the second call is re
debian
CVE-2025-39740 | LOW | CVSS 7.8 | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/migrate: prevent potential UAF. If we hit the error path, the previous fence (if there is one) has already been put() prior to this, so doing a fence_wait could lead to UAF. Tweak the flow to do to the put() until after we do the wait. (cherry picked from commit 9b7ca35ed28fe5fad86e9d9c24ebd1271
debian
CVE-2025-39964 | LOW | CVSS 3.3 | fixed in linux 6.1.158-1 (bookworm) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg. Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->wri
debian
CVE-2025-37986 | LOW | CVSS 5.5 | fixed in linux 6.12.27-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: usb: typec: class: Invalidate USB device pointers on partner unregistration. To avoid using invalid USB device pointers after a Type-C partner disconnects, this patch clears the pointers upon partner unregistration. This ensures a clean state for future connections.
Scope: local. bookworm: resolved; bu
debian
CVE-2025-38295 | LOW | CVSS 7.8 | fixed in linux 6.12.35-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create(). The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_cr
debian
CVE-2025-22065 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot. With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens
debian
CVE-2025-40241 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: erofs: fix crafted invalid cases for encoded extents. Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:
- The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0.
debian
CVE-2025-38554 | LOW | CVSS 7.8 | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped. By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowe
debian
CVE-2025-38564 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: perf/core: Handle buffer mapping fail correctly in perf_mmap(). After successful allocation of a buffer or a successful attachment to an existing buffer perf_mmap() tries to map the buffer read only into the page table. If that fails, the already set up page table entries are zapped, but the other pe
debian
CVE-2025-39793 | LOW | CVSS 7.8 | fixed in linux 6.16.3-1 (forky) | 2025
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/memmap: cast nr_pages to size_t before shifting. If the allocated size exceeds UINT_MAX, then it's necessary to cast the mr->nr_pages value to size_t to prevent it from overflowing. In practice this isn't much of a concern as the required memory size will have been validated upfront, and accou
debian
CVE-2025-37987 | LOW | CVSS 5.5 | fixed in linux 6.12.27-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent possible adminq overflow/stuck condition. The pds_core's adminq is protected by the adminq_lock, which prevents more than 1 command to be posted onto it at any one time. This makes it so the client drivers cannot simultaneously post adminq commands. However, the completions happen i
debian
CVE-2025-37966 | LOW | CVSS 5.5 | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL. When userspace does PR_SET_TAGGED_ADDR_CTRL, but Supm extension is not available, the kernel crashes:
    Oops - illegal instruction [#1]
    [snip]
    epc : set_tagged_addr_ctrl+0x112/0x15a
     ra : set_tagged_addr_ctrl+0x74/0x15a
    epc : ffffffff80011ace ra :
debian
CVE-2025-38625 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: vfio/pds: Fix missing detach_ioas op. When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci driver, the following WARN_ON() trace is seen and probe fails:
    WARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio]
    pds_vfio_pci 0000:08:00.1: pro
debian
Debian Linux vulnerabilities | cvebase