CVE-2025-38107
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-07-03

Last updated on: 2025-12-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-03
Last Modified
2025-12-16
Generated
2026-05-07
AI Q&A
2025-07-03
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38107
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.4.213 (inc) to 5.5 (exc)
linux linux_kernel From 5.10.142 (inc) to 5.10.239 (exc)
linux linux_kernel From 5.15.66 (inc) to 5.15.186 (exc)
linux linux_kernel From 5.19.8 (inc) to 6.0 (exc)
linux linux_kernel From 6.0.1 (inc) to 6.1.142 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.94 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.34 (exc)
linux linux_kernel From 6.13 (inc) to 6.15.3 (exc)
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.16
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a race condition in the Linux kernel's ETS (Enhanced Transmission Selection) queuing discipline. It occurs when the SFQ perturb timer fires at an incorrect time, causing concurrent operations on the queue to overlap improperly. Specifically, one CPU locks and flushes the queue backlog while another CPU locks and rehashes the queue simultaneously, leading to a race that can cause the parent's queue length to underflow. The issue arises because qdisc_tree_flush_backlog() is called instead of qdisc_purge_queue(), which would purge all packets before releasing the lock and prevent the race.


How can this vulnerability impact me? :

This vulnerability can lead to an underflow of a parent's queue length in the network scheduler, potentially causing incorrect network traffic handling. This may result in network performance degradation, unexpected behavior in packet scheduling, or instability in network traffic management on affected Linux systems.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() to avoid the race condition. To mitigate this vulnerability immediately, update your Linux kernel to a version that includes this fix for the net_sched ETS component.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart