SB20260513122 - Debian update for linux

Description

This security bulletin contains information about 7 vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2025-38584)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the EXPORT_SYMBOL(), padata_find_next(), padata_do_serial(), padata_alloc_pd() and padata_free_shell() functions in kernel/padata.c. A local user can escalate privileges on the system.

2) Improper input validation (CVE-ID: CVE-2026-23468)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the amdgpu BO list handling when processing the bo_number field from userspace. A local user can supply an excessive number of BO list entries to cause a denial of service.

The issue can lead to excessive memory allocation and unnecessarily long list processing times.

3) Use-after-free (CVE-ID: CVE-2026-31419)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.

The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.

4) Out-of-bounds read (CVE-ID: CVE-2026-31709)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in cifsacl DACL rewrite helpers when processing a server-supplied truncated DACL. A remote attacker can send a malformed ACL response to cause a denial of service.

The issue occurs because the incoming DACL body and each ACE were not structurally validated before chmod/chown security descriptor rebuild paths walked the ACE list.

5) Use-after-free (CVE-ID: CVE-2026-31715)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in f2fs_write_end_io() and f2fs_in_warm_node_list() when handling concurrent write completion and unmount operations. A local user can trigger the race condition to cause a denial of service.

The issue can lead to a NULL pointer dereference and kernel panic during processing of F2FS checkpoint data pages.

6) Resource management error (CVE-ID: CVE-2026-43284)

The vulnerability allows a local user to escalate privileges on the system.

The xfrm-ESP Page-Cache Write vulnerability exists due to improper management of internal resources in esp_input() function in net/ipv4/esp4.c and esp6_input() function in net/ipv6/esp6.c. A local user can execute arbitrary code with root privileges. 

Note, this is one of two vulnerabilities reported as Dirty Frag.

7) Resource management error (CVE-ID: CVE-2026-43500)

The vulnerability allows a local user to escalate privileges on the system.

The RxRPC Page-Cache Write vulnerability exists due to improper management of internal resources. A local user can execute arbitrary code with root privileges.

Note, this vulnerability is one of two issues described as Dirty Frag.

Remediation

Install update from vendor's website.

References

• https://lists.debian.org/debian-security-announce/2026/msg00164.html