Debian Linux vulnerabilities

CVE-2025-22096 [MEDIUM] CVE-2025-22096: linux - In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem... In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: Fix error code msm_parse_deps() The SUBMIT_ERROR() macro turns the error code negative. This extra '-' operation turns it back to positive EINVAL again. The error code is passed to ERR_PTR() and since positive values are not an IS_ERR() it eventually will lead to an oops. Delete the '-'

CVE-2025-21771 [MEDIUM] CVE-2025-21771: linux - In the Linux kernel, the following vulnerability has been resolved: sched_ext: ... In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix incorrect autogroup migration detection scx_move_task() is called from sched_move_task() and tells the BPF scheduler that cgroup migration is being committed. sched_move_task() is used by both cgroup and autogroup migrations and scx_move_task() tried to filter out autogroup migrations

CVE-2025-37900 [MEDIUM] CVE-2025-37900: linux - In the Linux kernel, the following vulnerability has been resolved: iommu: Fix ... In the Linux kernel, the following vulnerability has been resolved: iommu: Fix two issues in iommu_copy_struct_from_user() In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/[email protected] And Alok pointed out a typo at t

CVE-2025-39778 [HIGH] CVE-2025-39778: linux - In the Linux kernel, the following vulnerability has been resolved: objtool, nv... In the Linux kernel, the following vulnerability has been resolved: objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show() The csts_state_names[] array only has six sparse entries, but the iteration code in nvmet_ctrl_state_show() iterates seven, resulting in a potential out-of-bounds stack read. Fix that. Fixes the following warning with an UBSAN k

CVE-2025-68377 [LOW] CVE-2025-68377: linux - In the Linux kernel, the following vulnerability has been resolved: ns: initial... In the Linux kernel, the following vulnerability has been resolved: ns: initialize ns_list_node for initial namespaces Make sure that the list is always initialized for initial namespaces. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2025-40012 [LOW] CVE-2025-40012: linux - In the Linux kernel, the following vulnerability has been resolved: net/smc: fi... In the Linux kernel, the following vulnerability has been resolved: net/smc: fix warning in smc_rx_splice() when calling get_page() smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are later passed to get_page() in smc_rx_splice(). Since kmalloc memory is not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents holding a refcount on the

CVE-2025-38116 [HIGH] CVE-2025-38116: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: ath12... In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequen

CVE-2025-40151 [LOW] CVE-2025-40151: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ... In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: No support of struct argument in trampoline programs The current implementation does not support struct argument. This causes a oops when running bpf selftest: $ ./test_progs -a tracing_struct Oops[#1]: CPU -1 Unable to handle kernel paging request at virtual address 0000000000000018, e

CVE-2025-38033 [MEDIUM] CVE-2025-38033: linux - In the Linux kernel, the following vulnerability has been resolved: x86/Kconfig... In the Linux kernel, the following vulnerability has been resolved: x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 Calling core::fmt::write() from rust code while FineIBT is enabled results in a kernel panic: [ 4614.199779] kernel BUG at arch/x86/kernel/cet.c:132! [ 4614.205343] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 4614.211781] CPU

CVE-2025-39792 [MEDIUM] CVE-2025-39792: linux - In the Linux kernel, the following vulnerability has been resolved: dm: Always ... In the Linux kernel, the following vulnerability has been resolved: dm: Always split write BIOs to zoned device limits Any zoned DM target that requires zone append emulation will use the block layer zone write plugging. In such case, DM target drivers must not split BIOs using dm_accept_partial_bio() as doing so can potentially lead to deadlocks with queue freeze o

CVE-2025-21982 [MEDIUM] CVE-2025-21982: linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: nu... In the Linux kernel, the following vulnerability has been resolved: pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw devm_kasprintf() calls can return null pointers on failure. But the return values were not checked in npcm8xx_gpio_fw(). Add NULL check in npcm8xx_gpio_fw(), to handle kernel NULL pointer dereference error. Scope: local bookworm: resolved

CVE-2025-40217 [LOW] CVE-2025-40217: linux - In the Linux kernel, the following vulnerability has been resolved: pidfs: vali... In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixed in 6.17.6-1) sid: resolved (fixed in 6.17.6-1) trixie: open

CVE-2025-40302 [LOW] CVE-2025-40302: linux - In the Linux kernel, the following vulnerability has been resolved: media: vide... In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: forbid remove_bufs when legacy fileio is active vb2_ioctl_remove_bufs() call manipulates queue internal buffer list, potentially overwriting some pointers used by the legacy fileio access mode. Forbid that ioctl when fileio is active to protect internal queue state between subsequent

CVE-2025-38655 [MEDIUM] CVE-2025-38655: linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: ca... In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: add NULL check in DT parse Add a NULL check for the return value of of_get_property() when retrieving the "pinmux" property in the group parser. This avoids a potential NULL pointer dereference if the property is missing from the device tree node. Also fix a typo ("sintenel")

CVE-2025-38526 [MEDIUM] CVE-2025-38526: linux - In the Linux kernel, the following vulnerability has been resolved: ice: add NU... In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a check before it is dereferenced. Scope

CVE-2025-21751 [HIGH] CVE-2025-21751: linux - In the Linux kernel, the following vulnerability has been resolved: net/mlx5: H... In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, change error flow on matcher disconnect Currently, when firmware failure occurs during matcher disconnect flow, the error flow of the function reconnects the matcher back and returns an error, which continues running the calling function and eventually frees the matcher that is being di

CVE-2025-40037 [LOW] CVE-2025-40037: linux - In the Linux kernel, the following vulnerability has been resolved: fbdev: simp... In the Linux kernel, the following vulnerability has been resolved: fbdev: simplefb: Fix use after free in simplefb_detach_genpds() The pm_domain cleanup can not be devres managed as it uses struct simplefb_par which is allocated within struct fb_info by framebuffer_alloc(). This allocation is explicitly freed by unregister_framebuffer() in simplefb_remove(). Devres ma

CVE-2025-38297 [MEDIUM] CVE-2025-38297: linux - In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix... In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix potential division-by-zero error in em_compute_costs() When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs(). Since the 'cost' algorithm is only use

CVE-2025-68198 [LOW] CVE-2025-68198: linux - In the Linux kernel, the following vulnerability has been resolved: crash: fix ... In the Linux kernel, the following vulnerability has been resolved: crash: fix crashkernel resource shrink When crashkernel is configured with a high reservation, shrinking its value below the low crashkernel reservation causes two issues: 1. Invalid crashkernel resource objects 2. Kernel crash if crashkernel shrinking is done twice For example, with crashkernel=200M,h

CVE-2025-40014 [HIGH] CVE-2025-40014: linux - In the Linux kernel, the following vulnerability has been resolved: objtool, sp... In the Linux kernel, the following vulnerability has been resolved: objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() If speed_hz < AMD_SPI_MIN_HZ, amd_set_spi_freq() iterates over the entire amd_spi_freq array without breaking out early, causing 'i' to go beyond the array bounds. Fix that by stopping the loop when it gets to the last entry, so t