CVE-2025-38108
Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 03/07/2025
Last modified: 16/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net_sched: red: fix a race in __red_change()

Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer
fires at the wrong time.

The race is as follows:

```
CPU 0                                 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
 |
 |                                    [5]: lock root
 |                                    [6]: rehash
 |                                    [7]: qdisc_tree_reduce_backlog()
 |
[4]: qdisc_put()
```

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
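
The ordering described above, replayed as a single-threaded C model of the queue-length accounting. This is an added illustration, not kernel code or part of the original advisory. The struct, the function bodies, the queue lengths and the number of packets the rehash drops are simplified assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model (assumption): a qdisc is a packet counter plus a parent link. */
struct qdisc { uint32_t qlen; struct qdisc *parent; };

/* Models qdisc_tree_reduce_backlog(): subtract n from every ancestor. */
static void tree_reduce_backlog(struct qdisc *q, uint32_t n)
{
    for (struct qdisc *p = q->parent; p; p = p->parent)
        p->qlen -= n;   /* unsigned counter: wraps below zero */
}

/* Pre-fix step [2]: ancestors are adjusted, the child keeps its packets. */
static void tree_flush_backlog(struct qdisc *q)
{
    tree_reduce_backlog(q, q->qlen);
}

/* Post-fix step [2]: the child is emptied in the same critical section. */
static void purge_queue(struct qdisc *q)
{
    uint32_t n = q->qlen;
    q->qlen = 0;
    tree_reduce_backlog(q, n);
}

/* Steps [5]-[7]: rehash drops packets still queued and reports them upward. */
static void perturb_rehash(struct qdisc *q, uint32_t want_drop)
{
    uint32_t dropped = want_drop < q->qlen ? want_drop : q->qlen;
    q->qlen -= dropped;
    tree_reduce_backlog(q, dropped);
}

/* Replays the advisory's ordering; returns the parent's qlen before step [4]. */
uint32_t parent_qlen_after_race(int fixed)
{
    struct qdisc red = { .qlen = 4, .parent = NULL };  /* constructed values */
    struct qdisc sfq = { .qlen = 4, .parent = &red };  /* old child */
    if (fixed) purge_queue(&sfq); else tree_flush_backlog(&sfq);  /* [1]-[3] */
    perturb_rehash(&sfq, 2);                                      /* [5]-[7] */
    return red.qlen;
}

int main(void)
{
    printf("pre-fix:  %u\n", (unsigned)parent_qlen_after_race(0));
    printf("post-fix: %u\n", (unsigned)parent_qlen_after_race(1));
}
```

In the pre-fix path the parent's counter is decremented twice for the same packets and wraps. In the post-fix path the old child is already empty when the timer runs, so nothing further is subtracted.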
Impact
Base Score 3.x: 7.00
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.0 (including) | 5.4.295 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.239 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.186 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.142 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.94 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.15.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/110a47efcf23438ff8d31dbd9c854fae2a48bf98
- https://git.kernel.org/stable/c/2790c4ec481be45a80948d059cd7c9a06bc37493
- https://git.kernel.org/stable/c/2a71924ca4af59ffc00f0444732b6cd54b153d0e
- https://git.kernel.org/stable/c/444ad445df5496a785705019268a8a84b84484bb
- https://git.kernel.org/stable/c/4b755305b2b0618e857fdadb499365b5f2e478d1
- https://git.kernel.org/stable/c/85a3e0ede38450ea3053b8c45d28cf55208409b8
- https://git.kernel.org/stable/c/a1bf6a4e9264a685b0e642994031f9c5aad72414
- https://git.kernel.org/stable/c/f569984417a4e12c67366e69bdcb752970de921d
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html



