SB2026070739 - Debian update for linux



SB2026070739 - Debian update for linux

Published: July 7, 2026

Security Bulletin ID SB2026070739
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 25
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 4% Low 96%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 25 vulnerabilities.


1) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-53139)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper handling of zero-valued workgroup counts in v3d compute shader dispatch handling when processing an indirect CSD job. A local user can submit a crafted indirect CSD job with a zeroed workgroup dimension to cause a denial of service.

A zero value in any workgroup dimension is interpreted by the hardware as 65536 instead of a no-op.


2) Out-of-bounds write (CVE-ID: CVE-2026-53362)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to corrupt kernel memory.

The vulnerability exists due to an out-of-bounds write in __ip6_append_data() when processing UDPv6 socket data with MSG_MORE and MSG_SPLICE_PAGES on the paged allocation path. A local user can send crafted data through a UDPv6 socket to corrupt kernel memory.

The issue occurs when fraggap is non-zero and the paged-allocation branch is taken, causing writes past skb->end into trailing skb_shared_info.


3) Race condition (CVE-ID: CVE-2026-53361)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a race condition in unix_gc() and unix_peek_fpl() in the af_unix garbage collection logic when processing MSG_PEEK operations during garbage collection scheduling. A local user can trigger concurrent garbage collection activity to cause a denial of service.

The issue occurs because gc_in_progress may be false while unix_gc() is running, which can confuse garbage collection by MSG_PEEK.


4) Use-after-free (CVE-ID: CVE-2026-53359)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in the KVM x86 shadow paging logic when changing a PDE mapping from outside the guest and deleting a memslot. A local user can trigger stale rmap entries and subsequent dereference of a freed sptep to cause a denial of service.

The issue occurs when a modified PDE points to a non-leaf page, causing a role mismatch between reused shadow pages for large 2MB mappings and new 4KB mappings.


5) Use-after-free (CVE-ID: CVE-2026-53341)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in may_decode_fh() when handling open_by_handle_at requests during concurrent mount namespace teardown. A local user can trigger a race condition to cause a denial of service.

The issue is reachable only on systems with CONFIG_PREEMPTION or CONFIG_RCU_STRICT_GRACE_PERIOD enabled.


6) Improper locking (CVE-ID: CVE-2026-53327)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper lock state handling in debugobjects fill_pool logic in lib/debugobjects.c when refilling the debug object pool on RT-enabled kernels while the current task is blocked on an rt_mutex. A local user can trigger the vulnerable code path to cause a denial of service.

Only RT-enabled kernel configurations are affected.


7) Improper handling of exceptional conditions (CVE-ID: CVE-2026-53325)

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper exception handling in agp_amd64_probe() in the AMD64 AGP driver when probing for AMD northbridge hardware in a virtualized environment without a physical AMD northbridge. A local user can trigger driver initialization to cause a denial of service.

The issue occurs because a negative error from cache_nbs() is not handled correctly, allowing initialization to continue until a NULL pointer is dereferenced in amd64_fetch_size().


8) Out-of-bounds read (CVE-ID: CVE-2026-53179)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in rtw_update_protection when processing an ies buffer with a pointer offset but an unadjusted length. A local user can trigger the vulnerable code path to disclose sensitive information.


9) Use of uninitialized resource (CVE-ID: CVE-2026-53167)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to an exposure of uninitialized memory in FUSE_NOTIFY_RETRIEVE in fs/fuse/dev.c when retrieving data from page cache folios. A local user can trigger FUSE_NOTIFY_RETRIEVE on a non-uptodate folio to disclose sensitive information.

This has security impact only on systems that do not enable automatic zero-initialization of page allocations.


10) NULL pointer dereference (CVE-ID: CVE-2026-53163)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a null pointer dereference in remove_waiter() in the rtmutex futex proxy locking path when handling FUTEX_CMP_REQUEUE_PI operations during deadlock detection or proxy lock acquisition. A local user can invoke crafted futex operations to cause a denial of service.


11) Use-after-free (CVE-ID: CVE-2026-53157)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to use-after-free in phonet_device_destroy() when walking the per-net phonet device list with RCU readers after device removal. A local user can trigger destruction of a phonet_device while concurrent readers still hold a stale pointer to cause a denial of service.

The issue arises because the object is removed with RCU list semantics but may be freed before the RCU grace period has elapsed.


12) Out-of-bounds read (CVE-ID: CVE-2026-53151)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in rxrpc_input_soft_acks() when parsing the SACK table from a fragmented UDP packet. A remote attacker can send a deliberately fragmented packet to cause a denial of service.

The issue affects AF_RXRPC extended ACK parsing, and exploitation likely requires a deliberately pre-generated fragmented packet.


13) NULL pointer dereference (CVE-ID: CVE-2026-53142)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a NULL pointer dereference in the xe display initialization and cleanup logic when handling suspend or shutdown on systems without display hardware present. A local user can trigger suspend or shutdown processing to cause a denial of service.

The issue occurs when display support is probed but display hardware is later determined to be unavailable or disabled at runtime initialization.


14) NULL pointer dereference (CVE-ID: CVE-2025-23131)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the new_lockspace() function in fs/dlm/lockspace.c. A local user can perform a denial of service (DoS) attack.


15) Deadlock (CVE-ID: CVE-2026-53101)

CWE-ID: CWE-833 - Deadlock

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a deadlock condition in mt7921_roc_abort_sync when canceling roc_work during station removal. A local user can trigger station removal while roc_work is running to cause a denial of service.


16) Race condition (CVE-ID: CVE-2026-53070)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper synchronization in SCTP over UDP transmission handling in net/sctp/ipv6.c and net/sctp/protocol.c when transmitting SCTP packets over UDP. A local user can trigger SCTP over UDP traffic to cause a denial of service.

Exploitation requires SCTP over UDP to be enabled.


17) Race condition (CVE-ID: CVE-2026-52975)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a data race in the bonding 802.3ad port-to-aggregator handling code when processing netlink requests and concurrent bonding state changes. A local user can send crafted netlink messages to trigger the race and cause a denial of service.

The issue was reported by Kernel Concurrency Sanitizer and affects access to the port->aggregator pointer in the bonding subsystem.


18) Improper locking (CVE-ID: CVE-2026-46252)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in regulator_resolve_supply() in the regulator core when handling a failed late enable of a supply regulator. A local user can trigger this error path to cause a denial of service.


19) Use-after-free (CVE-ID: CVE-2026-46242)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to a use-after-free in ep_remove() in fs/eventpoll.c when removing epoll file references during a race with file release handling. A local user can trigger a race condition to cause memory corruption.

The issue involves the epoll-watches-epoll case and a concurrent __fput() path that can lead to operations on freed structures.


20) Improper access control (CVE-ID: CVE-2026-46054)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to bypass SELinux access controls.

The vulnerability exists due to improper access control in SELinux overlayfs mmap() and mprotect() access checks when handling mmap() and mprotect() operations on overlayfs filesystems. A local user can map or change protections on an overlayfs file to bypass SELinux access controls.


21) Improper resource shutdown or release (CVE-ID: CVE-2026-43355)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource shutdown or release in the bh1780 light sensor driver when handling read operations that encounter an error. A local user can trigger an error during a read operation to cause a denial of service.


22) Improper locking (CVE-ID: CVE-2026-43216)

CWE-ID: CWE-667 - Improper Locking

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper locking in skb_may_tx_timestamp() when processing transmit timestamps in interrupt context. A local user can trigger transmit timestamp handling to cause a deadlock.

The issue occurs when a driver completes the transmit timestamp from a dedicated interrupt handler while the same lock is already write-locked on the same CPU.


23) Improper input validation (CVE-ID: CVE-2026-43010)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in bpf_kprobe_multi_link_attach() when attaching a sleepable kprobe_multi program. A local user can attach a sleepable program that invokes sleepable helpers from a non-sleepable context to cause a denial of service.

The issue is triggered because kprobe.multi programs run in atomic/RCU context and cannot sleep.


24) Double free (CVE-ID: CVE-2026-31732)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in gpiochip_add_data_with_key() when handling error paths after device initialization. A local user can trigger an error condition to cause a denial of service.


25) Use-after-free (CVE-ID: CVE-2026-31419)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a use-after-free in bond_xmit_broadcast() when transmitting broadcast packets during concurrent slave enslave or release operations. A local user can trigger concurrent network interface state changes and packet transmission to cause a denial of service.

The issue arises because the determination of the last slave can change during RCU-protected iteration, leading to double consumption and double free of the original skb.


Remediation

Install update from vendor's website.