CVE-2025-38177
BaseFortify
Publication date: 2025-07-04
Last updated on: 2025-12-18
Assigner: kernel.org
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | Up to 5.4.297 (exc) |
| linux | linux_kernel | From 5.5 (inc) to 5.10.241 (exc) |
| linux | linux_kernel | From 5.11 (inc) to 5.15.190 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.138 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.90 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.28 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.14.6 (exc) |
| linux | linux_kernel | 6.15 |
| debian | debian_linux | 11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-459 | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
| NVD-CWE-noinfo | Insufficient Information |
AI Powered Q&A
How can this vulnerability impact me?
Because hfsc_qlen_notify() was not idempotent, repeated or improper calls could lead to inconsistent kernel behavior or errors in network traffic scheduling. This could potentially affect system stability or network performance on Linux systems using the HFSC queuing discipline.
Can you explain this vulnerability to me?
This vulnerability involves the Linux kernel's sch_hfsc component, specifically the hfsc_qlen_notify() function. The function was not idempotent, meaning that calling it more than once could cause unintended side effects or errors. The fix makes hfsc_qlen_notify() idempotent so that it behaves safely when called repeatedly, improving stability and reliability in related kernel functions such as fq_codel_dequeue() and qdisc_tree_reduce_backlog().