CVE-2025-21971

net_sched: Prevent creation of classes with TC_H_ROOT

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination
condition when traversing up the qdisc tree to update parent backlog
counters. However, if a class is created with classid TC_H_ROOT, the
traversal terminates prematurely at this class instead of reaching the
actual root qdisc, causing parent statistics to be incorrectly maintained.
In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT
(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Attila Sz�sz discovered that the HFS+ file system implementation in the Linux Kernel contained a heap overflow vulnerability. An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-01 CVE Published
2025-05-04 CVE Updated
2025-06-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/066a3b5b2346febf9a655b444567b7138e3bb939	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c	2025-04-10
https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006	2025-04-10
https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48	2025-04-10
https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7	2025-03-28
https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67	2025-03-22
https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7	2025-03-22
https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c	2025-03-22
https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e	2025-03-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 5.4.292 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 5.4.292"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 5.10.236"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 5.15.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 6.1.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 6.1.132"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 6.6.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 6.6.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 6.12.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 6.12.20"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 6.13.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 6.13.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.25 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.25 < 6.14"		en		Affected