CVE-2025-37890

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case). This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-05-16 CVE Published
2025-06-04 CVE Updated
2025-06-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (9)

URL	Tag	Source
https://git.kernel.org/stable/c/37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421	2025-06-04
https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0	2025-06-04
https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0	2025-05-09
https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef	2025-05-09
https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21	2025-05-09
https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202	2025-05-09
https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5	2025-05-09
https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547	2025-04-28

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.4.294 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.4.294"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.10.238 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.10.238"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 5.15.182 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 5.15.182"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.1.138 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.1.138"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.6.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.6.90"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.12.28 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.12.28"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.14.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.14.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.0 < 6.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.0 < 6.15"		en		Affected