Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown
CRITICAL: 70, HIGH: 2670, MEDIUM: 6247, LOW: 3072, UNKNOWN: 1227
Vulnerabilities
CVE-2025-40047 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40047 [LOW] CVE-2025-40047: linux - In the Linux kernel, the following vulnerability has been resolved: io_uring/wa...
In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: always prune wait queue entry in io_waitid_wait() For a successful return, always remove our entry from the wait queue entry list. Previously this was skipped if a cancelation was in progress, but this can race with another invocation of the wait queue entry callback.
Scope: local
book
debian
CVE-2025-40091 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40091 [LOW] CVE-2025-40091: linux - In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix ...
In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix too early devlink_free() in ixgbe_remove() Since ixgbe_adapter is embedded in devlink, calling devlink_free() prematurely in the ixgbe_remove() path can lead to UAF. Move devlink_free() to the end. KASAN report: BUG: KASAN: use-after-free in ixgbe_reset_interrupt_capability+0x140/0x180 [ixgb
debian
CVE-2025-40002 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40002 [LOW] CVE-2025-40002: linux - In the Linux kernel, the following vulnerability has been resolved: thunderbolt...
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Fix use-after-free in tb_dp_dprx_work The original code relies on cancel_delayed_work() in tb_dp_dprx_stop(), which does not ensure that the delayed work item tunnel->dprx_work has fully completed if it was already running. This leads to use-after-free scenarios where tb_tunnel is dealloca
debian
CVE-2025-39936 | LOW | CVSS 5.5 | fixed in linux 6.16.9-1 (forky) | 2025
CVE-2025-39936 [MEDIUM] CVE-2025-39936: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: ccp...
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Always pass in an error pointer to __sev_platform_shutdown_locked() When 9770b428b1a2 ("crypto: ccp - Move dev_info/err messages for SEV/SNP init and shutdown") moved the error messages dumping so that they don't need to be issued by the callers, it missed the case where __sev_firmware
debian
CVE-2025-22064 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-22064 [MEDIUM] CVE-2025-22064: linux - In the Linux kernel, the following vulnerability has been resolved: netfilter: ...
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assign
debian
CVE-2025-68374 | LOW | fixed in linux 6.17.13-1 (forky) | 2025
CVE-2025-68374 [LOW] CVE-2025-68374: linux - In the Linux kernel, the following vulnerability has been resolved: md: fix rcu...
In the Linux kernel, the following vulnerability has been resolved: md: fix rcu protection in md_wakeup_thread We attempted to use RCU to protect the pointer 'thread', but directly passed the value when calling md_wakeup_thread(). This means that the RCU pointer has been acquired before rcu_read_lock(), which renders rcu_read_lock() ineffective and could lead to a use-
debian
CVE-2025-38607 | LOW | CVSS 5.5 | 2025
CVE-2025-38607 [MEDIUM] CVE-2025-38607: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: handle...
In the Linux kernel, the following vulnerability has been resolved: bpf: handle jset (if a & b ...) as a jump in CFG computation BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exi
debian
CVE-2025-38640 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38640 [MEDIUM] CVE-2025-38640: linux - In the Linux kernel, the following vulnerability has been resolved: bpf: Disabl...
In the Linux kernel, the following vulnerability has been resolved: bpf: Disable migration in nf_hook_run_bpf(). syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path. Then the assertion in __bpf_prog_run() fails, triggering the splat below. [0] Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf(). [0]: BUG: assuming n
debian
CVE-2025-39814 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39814 [MEDIUM] CVE-2025-39814: linux - In the Linux kernel, the following vulnerability has been resolved: ice: fix NU...
In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in ice_unplug_aux_dev() on reset Issuing a reset when the driver is loaded without RDMA support will result in a crash as it attempts to remove RDMA's non-existent auxbus device: echo 1 > /sys/class/net//device/reset BUG: kernel NULL pointer dereference, address:
debian
CVE-2025-23137 | LOW | CVSS 5.5 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-23137 [MEDIUM] CVE-2025-23137: linux - In the Linux kernel, the following vulnerability has been resolved: cpufreq/amd...
In the Linux kernel, the following vulnerability has been resolved: cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update Check if policy is NULL before dereferencing it in amd_pstate_update.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.12.35-1)
sid: resolved (fixed in 6.12.35-1)
trixie: resolved (fixed in 6.12.35-1)
debian
CVE-2025-68348 | LOW | fixed in linux 6.17.13-1 (forky) | 2025
CVE-2025-68348 [LOW] CVE-2025-68348: linux - In the Linux kernel, the following vulnerability has been resolved: block: fix ...
In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in __blkdev_issue_zero_pages Move the fatal signal check before bio_alloc() to prevent a memory leak when BLKDEV_ZERO_KILLABLE is set and a fatal signal is pending. Previously, the bio was allocated before checking for a fatal signal. If a signal was pending, the code would break
debian
CVE-2025-38654 | LOW | CVSS 5.5 | 2025
CVE-2025-38654 [MEDIUM] CVE-2025-38654: linux - In the Linux kernel, the following vulnerability has been resolved: pinctrl: ca...
In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix order of DT parse and pinctrl register Move DT parse before pinctrl register. This ensures that device tree parsing is done before calling devm_pinctrl_register() to prevent using uninitialized pin resources.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolv
debian
CVE-2025-38651 | LOW | CVSS 5.5 | 2025
CVE-2025-38651 [MEDIUM] CVE-2025-38651: linux - In the Linux kernel, the following vulnerability has been resolved: landlock: F...
In the Linux kernel, the following vulnerability has been resolved: landlock: Fix warning from KUnit tests get_id_range() expects a positive value as first argument but get_random_u8() can return 0. Fix this by clamping it. Validated by running the test in a for loop for 1000 times. Note that MAX() is wrong as it is only supposed to be used for constants, but max()
debian
CVE-2025-39711 | LOW | CVSS 7.8 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39711 [HIGH] CVE-2025-39711: linux - In the Linux kernel, the following vulnerability has been resolved: media: ivsc...
In the Linux kernel, the following vulnerability has been resolved: media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Both the ACE and CSI driver are missing a mei_cldev_disable() call in their remove() function. This causes the mei_cl client to stay part of the mei_device->file_list list even though its memory is freed by mei_cl_bus_dev_rele
debian
CVE-2025-68213 | LOW | fixed in linux 6.17.10-1 (forky) | 2025
CVE-2025-68213 [LOW] CVE-2025-68213: linux - In the Linux kernel, the following vulnerability has been resolved: idpf: fix p...
In the Linux kernel, the following vulnerability has been resolved: idpf: fix possible vport_config NULL pointer deref in remove Attempting to remove the driver will cause a crash in cases where the vport failed to initialize. Following trace is from an instance where the driver failed during an attempt to create a VF: [ 1661.543624] idpf 0000:84:00.7: Device HW Reset
debian
CVE-2025-40098 | LOW | fixed in linux 6.17.6-1 (forky) | 2025
CVE-2025-40098 [LOW] CVE-2025-40098: linux - In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: ...
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() Return value of a function acpi_evaluate_dsm() is dereferenced without checking for NULL, but it is usually checked for this function. acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status o
debian
CVE-2025-39960 | LOW | CVSS 7.8 | fixed in linux 6.16.9-1 (forky) | 2025
CVE-2025-39960 [HIGH] CVE-2025-39960: linux - In the Linux kernel, the following vulnerability has been resolved: gpiolib: ac...
In the Linux kernel, the following vulnerability has been resolved: gpiolib: acpi: initialize acpi_gpio_info struct Since commit 7c010d463372 ("gpiolib: acpi: Make sure we fill struct acpi_gpio_info"), uninitialized acpi_gpio_info structs are passed to __acpi_find_gpio() and later in the call stack info->quirks is used in acpi_populate_gpio_lookup. This breaks the i2c_
debian
CVE-2025-40316 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
CVE-2025-40316 [LOW] CVE-2025-40316: linux - In the Linux kernel, the following vulnerability has been resolved: drm/mediate...
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix kobject put for component sub-drivers"). This r
debian
CVE-2025-21995 | LOW | CVSS 5.5 | fixed in linux 6.12.21-1 (forky) | 2025
CVE-2025-21995 [MEDIUM] CVE-2025-21995: linux - In the Linux kernel, the following vulnerability has been resolved: drm/sched: ...
In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper balance. [phasta: add git tag info for stable kernel]
Scope: local
debian
CVE-2025-37855 | LOW | CVSS 5.5 | 2025
CVE-2025-37855 [MEDIUM] CVE-2025-37855: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amd/dis...
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Guard Possible Null Pointer Dereference [WHY] In some situations, dc->res_pool may be null. [HOW] Check if pointer is null before dereference.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian