CVE-2025-37890

HIGH EPSS 6.1%
Published May 16, 20251y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published May 16, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
6.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 19

VendorProductVersionRange
linuxlinux_kernel*≥5.0.1  –  <5.4.294
linuxlinux_kernel*≥5.5  –  <5.10.238
linuxlinux_kernel*≥5.11  –  <5.15.182
linuxlinux_kernel*≥5.16  –  <6.1.138
linuxlinux_kernel*≥6.2  –  <6.6.90
linuxlinux_kernel*≥6.7  –  <6.12.28
linuxlinux_kernel*≥6.13  –  <6.14.6
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel5.0any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
debiandebian_linux11.0any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
    Mailing List
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Mailing List

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0
    Patch