Debian Linux vulnerabilities

CVE-2025-38076 [HIGH] CVE-2025-38076: linux - In the Linux kernel, the following vulnerability has been resolved: alloc_tag: ... In the Linux kernel, the following vulnerability has been resolved: alloc_tag: allocate percpu counters for module tags dynamically When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused. However percpu counters referenced by the tags are freed by

CVE-2025-38512 [LOW] CVE-2025-38512: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: preve... In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 bu

CVE-2025-37774 [MEDIUM] CVE-2025-37774: linux - In the Linux kernel, the following vulnerability has been resolved: slab: ensur... In the Linux kernel, the following vulnerability has been resolved: slab: ensure slab->obj_exts is clear in a newly allocated slab page ktest recently reported crashes while running several buffered io tests with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack. The signature indicates an invalid address dereference with low bits of slab->obj_ext

CVE-2025-40028 [LOW] CVE-2025-40028: linux - In the Linux kernel, the following vulnerability has been resolved: binder: fix... In the Linux kernel, the following vulnerability has been resolved: binder: fix double-free in dbitmap A process might fail to allocate a new bitmap when trying to expand its proc->dmap. In that case, dbitmap_grow() fails and frees the old bitmap via dbitmap_free(). However, the driver calls dbitmap_free() again when the same process terminates, leading to a double-fre

CVE-2025-38012 [MEDIUM] CVE-2025-38012: linux - In the Linux kernel, the following vulnerability has been resolved: sched_ext: ... In the Linux kernel, the following vulnerability has been resolved: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator BPF programs may call next() and destroy() on BPF iterators even after new() returns an error value (e.g. bpf_for_each() macro ignores error returns from new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized st

CVE-2025-40274 [LOW] CVE-2025-40274: linux - In the Linux kernel, the following vulnerability has been resolved: KVM: guest_... In the Linux kernel, the following vulnerability has been resolved: KVM: guest_memfd: Remove bindings on memslot deletion when gmem is dying When unbinding a memslot from a guest_memfd instance, remove the bindings even if the guest_memfd file is dying, i.e. even if its file refcount has gone to zero. If the memslot is freed before the file is fully released, nullifyin

CVE-2025-38017 [MEDIUM] CVE-2025-38017: linux - In the Linux kernel, the following vulnerability has been resolved: fs/eventpol... In the Linux kernel, the following vulnerability has been resolved: fs/eventpoll: fix endless busy loop after timeout has expired After commit 0a65bc27bd64 ("eventpoll: Set epoll timeout if it's in the future"), the following program would immediately enter a busy loop in the kernel: ``` int main() { int e = epoll_create1(0); struct epoll_event event = {.events = EP

CVE-2025-71076 [MEDIUM] CVE-2025-71076: linux - In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: ... In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning -EINVAL whe

CVE-2025-40155 [LOW] CVE-2025-40155: linux - In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d:... In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: debugfs: Fix legacy mode page table dump logic In legacy mode, SSPTPTR is ignored if TT is not 00b or 01b. SSPTPTR maybe uninitialized or zero in that case and may cause oops like: Oops: general protection fault, probably for non-canonical address 0xf00087d3f000f000: 0000 [#1] SMP NOPTI CPU

CVE-2025-68195 [LOW] CVE-2025-68195: linux - In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD... In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved

CVE-2025-38189 [MEDIUM] CVE-2025-38189: linux - In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Av... In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` The following kernel Oops was recently reported by Mesa CI: [ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588 [ 800.148619] Mem abort info: [ 800.151402] ESR = 0x0000000096000005 [ 80

CVE-2025-21670 [MEDIUM] CVE-2025-21670: linux - In the Linux kernel, the following vulnerability has been resolved: vsock/bpf: ... In the Linux kernel, the following vulnerability has been resolved: vsock/bpf: return early if transport is not assigned Some of the core functions can only be called if the transport has been assigned. As Michal reported, a socket might have the transport at NULL, for example after a failed connect(), causing the following trace: BUG: kernel NULL pointer dereferenc

CVE-2025-68793 [LOW] CVE-2025-68793: linux - In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu:... In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix a job->pasid access race in gpu recovery Avoid a possible UAF in GPU recovery due to a race between the sched timeout callback and the tdr work queue. The gpu recovery function calls drm_sched_stop() and later drm_sched_start(). drm_sched_start() restarts the tdr queue which will eventu

CVE-2025-39727 [HIGH] CVE-2025-39727: linux - In the Linux kernel, the following vulnerability has been resolved: mm: swap: f... In the Linux kernel, the following vulnerability has been resolved: mm: swap: fix potential buffer overflow in setup_clusters() In setup_swap_map(), we only ensure badpages are in range (0, last_page]. As maxpages might be = maxpages. Only call inc_cluster_info_page() for badpage which is < maxpages to fix the issue. Scope: local bookworm: resolved bullseye: resolved

CVE-2025-39921 [MEDIUM] CVE-2025-39921: linux - In the Linux kernel, the following vulnerability has been resolved: spi: microc... In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: stop checking viability of op->max_freq in supports_op callback In commit 13529647743d9 ("spi: microchip-core-qspi: Support per spi-mem operation frequency switches") the logic for checking the viability of op->max_freq in mchp_coreqspi_setup_clock() was copied into mchp_co

CVE-2025-38737 [MEDIUM] CVE-2025-38737: linux - In the Linux kernel, the following vulnerability has been resolved: cifs: Fix o... In the Linux kernel, the following vulnerability has been resolved: cifs: Fix oops due to uninitialised variable Fix smb3_init_transform_rq() to initialise buffer to NULL before calling netfs_alloc_folioq_buffer() as netfs assumes it can append to the buffer it is given. Setting it to NULL means it should start a fresh buffer, but the value is currently undefined. S

CVE-2025-38149 [MEDIUM] CVE-2025-38149: linux - In the Linux kernel, the following vulnerability has been resolved: net: phy: c... In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not

CVE-2025-21873 [MEDIUM] CVE-2025-21873: linux - In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ... In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: bsg: Fix crash when arpmb command fails If the device doesn't support arpmb we'll crash due to copying user data in bsg_transport_sg_io_fn(). In the case where ufs_bsg_exec_advanced_rpmb_req() returns an error, do not set the job's reply_len. Memory crash backtrace: 3,1290,531166405

CVE-2025-38284 [MEDIUM] CVE-2025-38284: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89... In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI confi

CVE-2025-38176 [HIGH] CVE-2025-38176: linux - In the Linux kernel, the following vulnerability has been resolved: binder: fix... In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in binderfs_evict_inode() Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following: BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699 CPU: 0