CVE-2025-37953

MEDIUM EPSS 4.8%
Published May 20, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 20, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: sch_htb: make htb_deactivate() idempotent Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent. It turns out in the following case it introduced some regression: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here. For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside. To fix the issues here, we need to: 1) Make htb_deactivate() idempotent, that is, simply return if we already call it before. 2) Make htb_next_rb_node() safe against ptr==NULL. Many thanks to Alan for testing and for the reproducer.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
4.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel6.1.138any
linuxlinux_kernel6.6.90any
linuxlinux_kernel6.12.28any
linuxlinux_kernel6.14.6any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
linuxlinux_kernel6.15any
debiandebian_linux11.0any

References 9

  • git.kernel.org https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
    Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
    Patch