Vulnerabilities (CVE)

Filtered by vendor Debian Subscribe
Filtered by product Debian Linux
Total 9133 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42720 3 Debian, Fedoraproject, Linux 3 Debian Linux, Fedora, Linux Kernel 2025-05-15 N/A 7.8 HIGH
Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code.
CVE-2022-42719 3 Debian, Fedoraproject, Linux 3 Debian Linux, Fedora, Linux Kernel 2025-05-15 N/A 8.8 HIGH
A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code.
CVE-2021-36369 2 Debian, Dropbear Ssh Project 2 Debian Linux, Dropbear Ssh 2025-05-15 N/A 7.5 HIGH
An issue was discovered in Dropbear through 2020.81. Due to a non-RFC-compliant check of the available authentication methods in the client-side SSH code, it is possible for an SSH server to change the login process in its favor. This attack can bypass additional security measures such as FIDO2 tokens or SSH-Askpass. Thus, it allows an attacker to abuse a forwarded agent for logging on to another server unnoticed.
CVE-2024-20926 3 Debian, Netapp, Oracle 8 Debian Linux, Cloud Insights Acquisition Unit, Cloud Insights Storage Workload Security Agent and 5 more 2025-05-15 N/A 5.9 MEDIUM
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2022-42906 2 Debian, Powerline Gitstatus Project 2 Debian Linux, Powerline Gitstatus 2025-05-15 N/A 7.8 HIGH
powerline-gitstatus (aka Powerline Gitstatus) before 1.3.2 allows arbitrary code execution. git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control. NOTE: this is similar to CVE-2022-20001.
CVE-2022-42902 2 Debian, Linaro 2 Debian Linux, Lava 2025-05-15 N/A 8.8 HIGH
In Linaro Automated Validation Architecture (LAVA) before 2022.10, there is dynamic code execution in lava_server/lavatable.py. Due to improper input sanitization, an anonymous user can force the lava-server-gunicorn service to execute user-provided code on the server.
CVE-2022-41674 3 Debian, Fedoraproject, Linux 3 Debian Linux, Fedora, Linux Kernel 2025-05-15 N/A 8.1 HIGH
An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c.
CVE-2022-2850 4 Debian, Fedoraproject, Port389 and 1 more 5 Debian Linux, Fedora, 389-ds-base and 2 more 2025-05-15 N/A 6.5 MEDIUM
A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.
CVE-2022-41751 3 Debian, Fedoraproject, Jhead Project 3 Debian Linux, Fedora, Jhead 2025-05-13 N/A 7.8 HIGH
Jhead 3.06.0.1 allows attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50 option.
CVE-2022-3517 3 Debian, Fedoraproject, Minimatch Project 3 Debian Linux, Fedora, Minimatch 2025-05-13 N/A 7.5 HIGH
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
CVE-2025-3891 3 Apache, Debian, Redhat 3 Http Server, Debian Linux, Enterprise Linux 2025-05-12 N/A 5.3 MEDIUM
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability.
CVE-2016-1000343 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 5.0 MEDIUM 7.5 HIGH
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
CVE-2016-1000339 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 5.0 MEDIUM 5.3 MEDIUM
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
CVE-2016-1000345 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 4.3 MEDIUM 5.9 MEDIUM
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
CVE-2016-1000346 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 4.3 MEDIUM 3.7 LOW
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
CVE-2018-1000180 5 Bouncycastle, Debian, Netapp and 2 more 21 Bc-java, Fips Java Api, Debian Linux and 18 more 2025-05-12 5.0 MEDIUM 7.5 HIGH
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
CVE-2016-1000341 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 4.3 MEDIUM 5.9 MEDIUM
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
CVE-2016-1000342 2 Bouncycastle, Debian 2 Bc-java, Debian Linux 2025-05-12 5.0 MEDIUM 7.5 HIGH
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CVE-2021-28831 3 Busybox, Debian, Fedoraproject 3 Busybox, Debian Linux, Fedora 2025-05-09 5.0 MEDIUM 7.5 HIGH
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2021-26937 3 Debian, Fedoraproject, Gnu 3 Debian Linux, Fedora, Screen 2025-05-09 7.5 HIGH 9.8 CRITICAL
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.