CVE-2025-38001
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-06-06

Last updated on: 2026-03-07

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-06
Last Modified
2026-03-07
Generated
2026-05-07
AI Q&A
2025-06-06
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38001
Affected Vendors & Products
Showing 17 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.0.1 (inc) to 5.4.294 (exc)
linux linux_kernel From 5.5 (inc) to 5.10.238 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.185 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.141 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.93 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.32 (exc)
linux linux_kernel From 6.13 (inc) to 6.14.10 (exc)
linux linux_kernel From 6.15 (inc) to 6.15.1 (exc)
linux linux_kernel 5.0
linux linux_kernel 5.0
linux linux_kernel 5.0
linux linux_kernel 5.0
linux linux_kernel 5.0
linux linux_kernel 5.0
linux linux_kernel 5.0
debian debian_linux 11.0
debian debian_linux 12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition or an infinite loop in the Linux kernel's network scheduling code. Exploiting this could cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by manipulating network traffic scheduling.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the fix which explicitly checks in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. This patch prevents the use-after-free and infinite loop issues when HFSC is used with NETEM. Until the update is applied, avoid using HFSC with NETEM and TBF configured with very low rates as root qdisc to reduce the risk of exploitation.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's net_sched subsystem, specifically in the HFSC (Hierarchical Fair Service Curve) queuing discipline. A recent patch intended to fix an issue can be bypassed, allowing a use-after-free (UAF) condition when HFSC is used with NETEM. The problem arises because the patch only checks a certain field (cl->cl_nactive) to prevent inserting a class twice into a data structure called eltree, but this check can be bypassed using HFSC_RSC, which uses a different initialization method. This can cause the class to be inserted twice, potentially leading to an infinite loop or a UAF when combined with certain configurations like TBF with a very low rate.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart