CVE-2025-38107
Severity CVSS v4.0:
Pending analysis
Type:
CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
03/07/2025
Last modified:
16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net_sched: ets: fix a race in ets_qdisc_change()<br />
<br />
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer<br />
fires at the wrong time.<br />
<br />
The race is as follows:<br />
<br />
CPU 0 CPU 1<br />
[1]: lock root<br />
[2]: qdisc_tree_flush_backlog()<br />
[3]: unlock root<br />
|<br />
| [5]: lock root<br />
| [6]: rehash<br />
| [7]: qdisc_tree_reduce_backlog()<br />
|<br />
[4]: qdisc_put()<br />
<br />
This can be abused to underflow a parent&#39;s qlen.<br />
<br />
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()<br />
should fix the race, because all packets will be purged from the qdisc<br />
before releasing the lock.
Impact
Base Score 3.x
7.00
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.213 (including) | 5.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.142 (including) | 5.10.239 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.66 (including) | 5.15.186 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19.8 (including) | 6.0 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.0.1 (including) | 6.1.142 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.94 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.0:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c
- https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3
- https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f
- https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f
- https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb
- https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b
- https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html