CVE-2025-37890
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
16/05/2025
Last modified:
17/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc<br />
<br />
As described in Gerrard&#39;s report [1], we have a UAF case when an hfsc class<br />
has a netem child qdisc. The crux of the issue is that hfsc is assuming<br />
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn&#39;t inserted<br />
the class in the vttree or eltree (which is not true for the netem<br />
duplicate case).<br />
<br />
This patch checks the n_active class variable to make sure that the code<br />
won&#39;t insert the class in the vttree or eltree twice, catering for the<br />
reentrant case.<br />
<br />
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.0.1 (including) | 5.4.294 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.238 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.182 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.138 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.90 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.28 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.14.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547
- https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421
- https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202
- https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21
- https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef
- https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5
- https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0
- https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html