Debian Linux vulnerabilities

13,286 known vulnerabilities affecting debian/linux.

Total CVEs: 13,286
CISA KEV: 28 actively exploited
Public exploits: 137
Exploited in wild: 29
Severity breakdown: CRITICAL 70, HIGH 2670, MEDIUM 6247, LOW 3072, UNKNOWN 1227

Vulnerabilities

CVE-2025-38070 | LOW | CVSS 5.5 | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
ASoC: sma1307: Add NULL check in sma1307_setting_loaded()
All variables allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added. This issue is found by our static analysis tool
Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: res

CVE-2025-37874 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
net: ngbe: fix memory leak in ngbe_probe() error path
When ngbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in ngbe_probe() function, the subsequent error paths after ngbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx

CVE-2025-37922 | LOW | CVSS 5.5 | fixed in linux 6.12.29-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
book3s64/radix : Align section vmemmap start address to PAGE_SIZE
A vmemmap altmap is a device-provided region used to provide backing storage for struct pages. For each namespace, the altmap should belong to that same namespace. If the namespaces are created unaligned, there is a chance that the se

CVE-2025-38405 | LOW | CVSS 5.5 | fixed in linux 6.12.37-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
nvmet: fix memory leak of bio integrity
If nvmet receives commands with metadata there is a continuous memory leak of kmalloc-128 slab or more precisely bio->bi_integrity. Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio") each user of bio_init has to use bio_uninit as well. O

CVE-2025-39984 | LOW | fixed in linux 6.16.10-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
net: tun: Update napi->skb after XDP process
The syzbot report a UAF issue:
BUG: KASAN: slab-use-after-free in skb_reset_mac_header include/linux/skbuff.h:3150 [inline]
BUG: KASAN: slab-use-after-free in napi_frags_skb net/core/gro.c:723 [inline]
BUG: KASAN: slab-use-after-free in napi_gro_frags+0x6e/0

CVE-2025-38525 | LOW | CVSS 5.5 | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix irq-disabled in local_bh_enable()
The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. U

CVE-2025-68807 | LOW | fixed in linux 6.18.3-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
block: fix race between wbt_enable_default and IO submission
When wbt_enable_default() is moved out of queue freezing in elevator_change(), it can cause the wbt inflight counter to become negative (-1), leading to hung tasks in the writeback path. Tasks get stuck in wbt_wait() because the counter is in

CVE-2025-68359 | LOW | fixed in linux 6.17.13-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix double free of qgroup record after failure to add delayed ref head
In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, b

CVE-2025-71122 | LOW | CVSS 7.8 | fixed in linux 6.18.3-1 (forky) | 2025 | debian
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved:
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only affects test kernels with CONFIG_IOMMUFD_TEST. Validate the user input length in the test ioctl.

CVE-2025-38270 | LOW | CVSS 7.8 | fixed in linux 6.12.35-1 (forky) | 2025 | debian
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved:
net: drv: netdevsim: don't napi_complete() from netpoll
netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done():
WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560 _

CVE-2025-38686 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
userfaultfd: fix a crash in UFFDIO_MOVE when PMD is a migration entry
When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with obtaining a folio and accessing it even though the entry is swp_entry_t. Add the missing check and let split_huge_pmd() handle migration entries. While at it also

CVE-2025-38308 | LOW | CVSS 5.5 | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw
Search result of avs_dai_find_path_template() shall be verified before being used. As 'template' is already known when avs_hw_constraints_init() is fired, drop the search entirely.
Scope: local bookworm: resolved bullseye: resolved forky:

CVE-2025-38171 | LOW | CVSS 5.5 | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
power: supply: max77705: Fix workqueue error handling in probe
The create_singlethread_workqueue() doesn't return error pointers, it returns NULL. Also cleanup the workqueue on the error paths.
Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2025-68178 | LOW | fixed in linux 6.17.8-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
blk-cgroup: fix possible deadlock while configuring policy
Following deadlock can be triggered easily by lockdep:
WARNING: possible circular locking dependency detected
6.17.0-rc3-00124-ga12c2658ced0 #1665 Not tainted
------------------------------------------------------
check/1334 is trying to acquir

CVE-2025-39741 | LOW | CVSS 5.5 | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
drm/xe/migrate: don't overflow max copy size
With non-page aligned copy, we need to use 4 byte aligned pitch, however the size itself might still be close to our maximum of ~8M, and so the dimensions of the copy can easily exceed the S16_MAX limit of the copy command leading to the following assert:

CVE-2025-68208 | LOW | fixed in linux 6.17.9-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
bpf: account for current allocated stack depth in widen_imprecise_scalars()
The usage pattern for widen_imprecise_scalars() looks as follows:
    prev_st = find_prev_entry(env, ...);
    queued_st = push_stack(...);
    widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st

CVE-2025-38596 | LOW | CVSS 7.8 | 2025 | debian
[HIGH] linux - In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create(), except the debugfs tracking uses a separate lock and list and separate

CVE-2025-38547 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps
The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. Add the missing sentinel entry.
Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.16.3-1) sid: resolved

CVE-2025-21852 | LOW | CVSS 5.5 | fixed in linux 6.12.17-1 (forky) | 2025 | debian
[MEDIUM] linux - In the Linux kernel, the following vulnerability has been resolved:
net: Add rx_skb of kfree_skb to raw_tp_null_args[].
Yan Zhai reported a BPF prog could trigger a null-ptr-deref [0] in trace_kfree_skb if the prog does not check if rx_sk is NULL. Commit c53795d48ee8 ("net: add rx_sk to trace_kfree_skb") added rx_sk to trace_kfree_skb, but rx_sk is optional and coul

CVE-2025-68747 | LOW | fixed in linux 6.17.13-1 (forky) | 2025 | debian
[LOW] linux - In the Linux kernel, the following vulnerability has been resolved:
drm/panthor: Fix UAF on kernel BO VA nodes
If the MMU is down, panthor_vm_unmap_range() might return an error. We expect the page table to be updated still, and if the MMU is blocked, the rest of the GPU should be blocked too, so no risk of accessing physical memory returned to the system (which the cu