Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

CVE-2026-22990 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. Scope: local bookworm: resolved (

CVE-2026-23164 | MEDIUM | CVSS 5.5 | fixed in linux 6.1.162-1 (bookworm) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: rocker: fix memory leak in rocker_world_port_post_fini()
In rocker_world_port_pre_init(), rocker_port->wpriv is allocated with kzalloc(wops->port_priv_size, GFP_KERNEL). However, in rocker_world_port_post_fini(), the memory is only freed when wops->port_post_fini callback is set: if (!wops->port_pos

CVE-2026-23013 | LOW | CVSS 7.0 | fixed in linux 6.18.8-1 (forky) | 2026
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to 'oct', which does not match the original dev_id and may leave the irqa

CVE-2026-23369 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock"
This reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1. Under rare circumstances, multiple udev threads can collect i801 device info on boot and walk i801_acpi_io_handler somewhat concurrently. The first will note the area is rese

CVE-2026-23338 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Do not allow userspace to trivially trigger kernel warnings
Userspace can either deliberately pass in the too small num_fences, or the required number can legitimately grow between the two calls to the userq wait ioctl. In both cases we do not want to emit the kernel warning backtrace

CVE-2026-23337 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: pinconf-generic: Fix memory leak in pinconf_generic_parse_dt_config()
In pinconf_generic_parse_dt_config(), if parse_dt_cfg() fails, it returns directly. This bypasses the cleanup logic and results in a memory leak of the cfg buffer. Fix this by jumping to the out label on failure, ensuring kf

CVE-2026-23196 | LOW | CVSS 5.5 | fixed in linux 6.18.10-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: HID: Intel-thc-hid: Intel-thc: Add safety check for reading DMA buffer
Add DMA buffer readiness check before reading DMA buffer to avoid unexpected NULL pointer accessing. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in 6.18.10-1) trixi

CVE-2026-23186 | LOW | CVSS 5.5 | fixed in linux 6.18.10-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: hwmon: (acpi_power_meter) Fix deadlocks related to acpi_power_meter_notify()
The acpi_power_meter driver's .notify() callback function, acpi_power_meter_notify(), calls hwmon_device_unregister() under a lock that is also acquired by callbacks in sysfs attributes of the device being unregistered whic

CVE-2026-23325 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
Check frame length before accessing the mgmt fields in mt7996_mac_write_txwi_80211 in order to avoid a possible oob access. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.19.8-1) sid: resolved (

CVE-2026-23072 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: l2tp: Fix memleak in l2tp_udp_encap_recv().
syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0] The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv(). The new place requires an extra error handling to avoid the memleak. Let's call l2tp_se

CVE-2026-23246 | LOW | CVSS 8.8 | fixed in linux 6.19.8-1 (forky) | 2026
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
link_id is taken from the ML Reconfiguration element (control & 0x000f), so it can be 0..15. link_removal_timeout[] has IEEE80211_MLD_MAX_NUM_LINKS (15) elements, so index 15 is out-of-bounds. Skip subelements with link_id >= IEEE802

CVE-2026-23441 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Prevent concurrent access to IPSec ASO context
The query or updating IPSec offload object is through Access ASO WQE. The driver uses a single mlx5e_ipsec_aso struct for each PF, which contains a shared DMA-mapped context for all ASO operations. A race condition exists because the ASO spinloc

CVE-2026-23092 | LOW | CVSS 7.8 | fixed in linux 6.18.8-1 (forky) | 2026
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses 'count' as the index for null termination instead of the actual bytes copied. If count exceeds th

CVE-2026-23218 | LOW | CVSS 5.5 | fixed in linux 6.18.10-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: gpio: loongson-64bit: Fix incorrect NULL check after devm_kcalloc()
Fix incorrect NULL check in loongson_gpio_init_irqchip(). The function checks chip->parent instead of chip->irq.parents. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.18.10-1) sid: resolved (fixed in

CVE-2026-23195 | LOW | CVSS 7.0 | fixed in linux 6.18.10-1 (forky) | 2026
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF
An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: dump_stack_lvl+0x

CVE-2026-23023 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vport_rel()
Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory during a reset. Reported by kmemleak: unreferenced object 0xff450acac838a000 (size 4096): comm "kworker/u258:5", pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 0

CVE-2026-23433 | LOW | fixed in linux 6.19.10-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Fix null pointer dereference when restoring bandwidth counters
When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to restore the configuration of the bandwidth counters. It doesn't care about the va

CVE-2026-23149 | LOW | CVSS 5.5 | fixed in linux 6.18.9-1 (forky) | 2026
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved: drm: Do not allow userspace to trigger kernel warnings in drm_gem_change_handle_ioctl()
Since GEM bo handles are u32 in the uapi and the internal implementation uses idr_alloc() which uses int ranges, passing a new handle larger than INT_MAX trivially triggers a kernel warning: idr_alloc(): ... if (

CVE-2026-23148 | LOW | CVSS 7.5 | fixed in linux 6.18.9-1 (forky) | 2026
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved: nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
There is a race condition in nvmet_bio_done() that can cause a NULL pointer dereference in blk_cgroup_bio_start():
1. nvmet_bio_done() is called when a bio completes
2. nvmet_req_complete() is called, which invokes req->ops->queue

CVE-2026-23380 | LOW | fixed in linux 6.19.8-1 (forky) | 2026
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved: tracing: Fix WARN_ON in tracing_buffers_mmap_close
When a process forks, the child process copies the parent's VMAs but the user_mapped reference count is not incremented. As a result, when both the parent and child processes exit, tracing_buffers_mmap_close() is called twice. On the second call, user_

Debian Linux vulnerabilities | cvebase