Debian Linux vulnerabilities
13,286 known vulnerabilities affecting debian/linux.
Total CVEs: 13,286
CISA KEV: 28 (actively exploited)
Public exploits: 137
Exploited in wild: 29
Severity breakdown
CRITICAL: 70, HIGH: 2670, MEDIUM: 6247, LOW: 3072, UNKNOWN: 1227
Vulnerabilities
Page 99 of 665
CVE-2025-21663 | LOW | CVSS 5.5 | fixed in linux 6.12.10-1 (forky) | 2025
CVE-2025-21663 [MEDIUM] CVE-2025-21663: linux - In the Linux kernel, the following vulnerability has been resolved: net: stmmac...
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: dwmac-tegra: Read iommu stream id from device tree Nvidia's Tegra MGBE controllers require the IOMMU "Stream ID" (SID) to be written to the MGBE_WRAP_AXI_ASID0_CTRL register. The current driver is hard coded to use MGBE0's SID for all controllers. This causes softirq time outs and kerne
debian
CVE-2025-71158 | LOW | CVSS 5.5 | fixed in linux 6.18.8-1 (forky) | 2025
CVE-2025-71158 [MEDIUM] CVE-2025-71158: linux - In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse...
In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnec
debian
CVE-2025-40348 | LOW | 2025
CVE-2025-40348 [LOW] CVE-2025-40348: linux - In the Linux kernel, the following vulnerability has been resolved: slab: Avoid...
In the Linux kernel, the following vulnerability has been resolved: slab: Avoid race on slab->obj_exts in alloc_slab_obj_exts If two competing threads enter alloc_slab_obj_exts() and one of them fails to allocate the object extension vector, it might override the valid slab->obj_exts allocated by the other thread with OBJEXTS_ALLOC_FAIL. This will cause the thread that
debian
CVE-2025-71115 | LOW | CVSS 5.5 | fixed in linux 6.18.3-1 (forky) | 2025
CVE-2025-71115 [MEDIUM] CVE-2025-71115: linux - In the Linux kernel, the following vulnerability has been resolved: um: init cp...
In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply initialize the cpu_tas
debian
CVE-2025-39781 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39781 [MEDIUM] CVE-2025-39781: linux - In the Linux kernel, the following vulnerability has been resolved: parisc: Dro...
In the Linux kernel, the following vulnerability has been resolved: parisc: Drop WARN_ON_ONCE() from flush_cache_vmap I have observed warning to occasionally trigger.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 6.16.5-1)
sid: resolved (fixed in 6.16.5-1)
trixie: resolved (fixed in 6.12.48-1)
debian
CVE-2025-39722 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39722 [MEDIUM] CVE-2025-39722: linux - In the Linux kernel, the following vulnerability has been resolved: crypto: caa...
In the Linux kernel, the following vulnerability has been resolved: crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP Since the CAAM on these SoCs is managed by another ARM core, called the SECO (Security Controller) on iMX8QM and Secure Enclave on iMX8ULP, which also reserves access to register page 0 suspend operations cannot touch this page. This is s
debian
CVE-2025-38566 | LOW | CVSS 7.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38566 [HIGH] CVE-2025-38566: linux - In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix...
In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes
debian
CVE-2025-21730 | LOW | CVSS 5.5 | fixed in linux 6.12.13-1 (forky) | 2025
CVE-2025-21730 [MEDIUM] CVE-2025-21730: linux - In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89...
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to init mgnt_entry list twice when WoWLAN failed If WoWLAN failed in resume flow, the rtw89_ops_add_interface() triggered without removing the interface first. Then the mgnt_entry list init again, causing the list_empty() check in rtw89_chanctx_ops_assign_vif() useless, and list_a
debian
CVE-2025-37784 | LOW | CVSS 5.5 | fixed in linux 6.12.25-1 (forky) | 2025
CVE-2025-37784 [MEDIUM] CVE-2025-37784: linux - In the Linux kernel, the following vulnerability has been resolved: net: ti: ic...
In the Linux kernel, the following vulnerability has been resolved: net: ti: icss-iep: Fix possible NULL pointer dereference for perout request The ICSS IEP driver tracks perout and pps enable state with flags. Currently when disabling pps and perout signals during icss_iep_exit(), results in NULL pointer dereference for perout. To fix the null pointer dereference i
debian
CVE-2025-40362 | LOW | fixed in linux 6.17.8-1 (forky) | 2025
CVE-2025-40362 [LOW] CVE-2025-40362: linux - In the Linux kernel, the following vulnerability has been resolved: ceph: fix m...
In the Linux kernel, the following vulnerability has been resolved: ceph: fix multifs mds auth caps issue The mds auth caps check should also validate the fsname along with the associated caps. Not doing so would result in applying the mds auth caps of one fs on to the other fs in a multifs ceph cluster. The bug causes multiple issues w.r.t user authentication, followi
debian
CVE-2025-21685 | LOW | CVSS 4.7 | fixed in linux 6.12.11-1 (forky) | 2025
CVE-2025-21685 [MEDIUM] CVE-2025-21685: linux - In the Linux kernel, the following vulnerability has been resolved: platform/x8...
In the Linux kernel, the following vulnerability has been resolved: platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: fix serdev race The yt2_1380_fc_serdev_probe() function calls devm_serdev_device_open() before setting the client ops via serdev_device_set_client_ops(). This ordering can trigger a NULL pointer dereference in the serdev controller's receive_buf h
debian
CVE-2025-38267 | LOW | CVSS 7.8 | fixed in linux 6.12.35-1 (forky) | 2025
CVE-2025-38267 [HIGH] CVE-2025-38267: linux - In the Linux kernel, the following vulnerability has been resolved: ring-buffer...
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that
debian
CVE-2025-38619 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38619 [MEDIUM] CVE-2025-38619: linux - In the Linux kernel, the following vulnerability has been resolved: media: ti: ...
In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: fix list_del corruption If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. This causes the same buffer to be retried in the next iteration, resulting in a double list_del() and
debian
CVE-2025-68228 | LOW | fixed in linux 6.17.10-1 (forky) | 2025
CVE-2025-68228 [LOW] CVE-2025-68228: linux - In the Linux kernel, the following vulnerability has been resolved: drm/plane: ...
In the Linux kernel, the following vulnerability has been resolved: drm/plane: Fix create_in_format_blob() return value create_in_format_blob() is either supposed to return a valid pointer or an error, but never NULL. The caller will dereference the blob when it is not an error, and thus will oops if NULL returned. Return proper error values in the failure cases.
Scope
debian
CVE-2025-39896 | LOW | CVSS 7.8 | fixed in linux 6.16.6-1 (forky) | 2025
CVE-2025-39896 [HIGH] CVE-2025-39896: linux - In the Linux kernel, the following vulnerability has been resolved: accel/ivpu:...
In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Prevent recovery work from being queued during device removal Use disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini() to ensure that no new recovery work items can be queued after device removal has started. Previously, recovery work could be scheduled even after canceling
debian
CVE-2025-38367 | LOW | CVSS 7.8 | 2025
CVE-2025-38367 [HIGH] CVE-2025-38367: linux - In the Linux kernel, the following vulnerability has been resolved: LoongArch: ...
In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Avoid overflow with array index The variable index is modified and reused as array index when modify register EIOINTC_ENABLE. There will be array index overflow problem.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2025-38660 | LOW | CVSS 5.5 | fixed in linux 6.16.3-1 (forky) | 2025
CVE-2025-38660 [MEDIUM] CVE-2025-38660: linux - In the Linux kernel, the following vulnerability has been resolved: [ceph] pars...
In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that need it. Just get a NUL-terminated copy of the e
debian
CVE-2025-21983 | LOW | CVSS 7.8 | fixed in linux 6.12.20-1 (forky) | 2025
CVE-2025-21983 [HIGH] CVE-2025-21983: linux - In the Linux kernel, the following vulnerability has been resolved: mm/slab/kvf...
In the Linux kernel, the following vulnerability has been resolved: mm/slab/kvfree_rcu: Switch to WQ_MEM_RECLAIM wq Currently kvfree_rcu() APIs use a system workqueue which is "system_unbound_wq" to driver RCU machinery to reclaim a memory. Recently, it has been noted that the following kernel warning can be observed: workqueue: WQ_MEM_RECLAIM nvme-wq:nvme_scan_work i
debian
CVE-2025-37814 | LOW | CVSS 5.5 | fixed in linux 6.12.27-1 (forky) | 2025
CVE-2025-37814 [MEDIUM] CVE-2025-37814: linux - In the Linux kernel, the following vulnerability has been resolved: tty: Requir...
In the Linux kernel, the following vulnerability has been resolved: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT This requirement was overeagerly loosened in commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as it turns out, (1) the logic I implemented there was inconsistent (apologies!), (2) TIOCL_SELMOUSERE
debian
CVE-2025-39784 | LOW | CVSS 5.5 | fixed in linux 6.16.5-1 (forky) | 2025
CVE-2025-39784 [MEDIUM] CVE-2025-39784: linux - In the Linux kernel, the following vulnerability has been resolved: PCI: Fix li...
In the Linux kernel, the following vulnerability has been resolved: PCI: Fix link speed calculation on retrain failure When pcie_failed_link_retrain() fails to retrain, it tries to revert to the previous link speed. However it calculates that speed from the Link Control 2 register without masking out non-speed bits first. PCIE_LNKCTL2_TLS2SPEED() converts such incor
debian