CVE-2025-21703
netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would miss the opportunity
to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
since DRR uses ->qlen_notify() to maintain its active list.
In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2024-12-29 CVE Reserved
- 2025-02-18 CVE Published
- 2025-02-18 CVE Updated
- 2025-02-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-416: Use After Free
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/3824c5fad18eeb7abe0c4fc966f29959552dca3e | Vuln. Introduced | |
| https://git.kernel.org/stable/c/356078a5c55ec8d2061fcc009fb8599f5b0527f9 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/f8d4bc455047cf3903cd6f85f49978987dbb3027 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/216509dda290f6db92c816dd54b83c1df9da9e76 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/c2047b0e216c8edce227d7c42f99ac2877dad0e4 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/10df49cfca73dfbbdb6c4150d859f7e8926ae427 | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.6.67 < 6.6.78 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.67 < 6.6.78" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.12.6 < 6.12.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.6 < 6.12.14" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.13 < 6.13.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.13.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.13 < 6.14-rc2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.13 < 6.14-rc2" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.4.288 Search vendor "Linux" for product "Linux Kernel" and version "5.4.288" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.10.232 Search vendor "Linux" for product "Linux Kernel" and version "5.10.232" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 5.15.175 Search vendor "Linux" for product "Linux Kernel" and version "5.15.175" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.1.121 Search vendor "Linux" for product "Linux Kernel" and version "6.1.121" | en |
Affected
| ||||||