CVE-2025-38457

MEDIUM EPSS 5.8%
Published Jul 25, 202511mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jul 25, 2025 11mo ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
5.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 13

VendorProductVersionRange
linuxlinux_kernel*≥2.6.20  –  <5.4.296
linuxlinux_kernel*≥5.5  –  <5.10.240
linuxlinux_kernel*≥5.11  –  <5.15.189
linuxlinux_kernel*≥5.16  –  <6.1.146
linuxlinux_kernel*≥6.2  –  <6.6.99
linuxlinux_kernel*≥6.7  –  <6.12.39
linuxlinux_kernel*≥6.13  –  <6.15.7
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any
linuxlinux_kernel6.16any
debiandebian_linux11.0any

References 11

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-082556.html
  • git.kernel.org https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
    Third Party Advisory
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
    Third Party Advisory

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963
    Patch