CVE-2025-38350
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-19

Last updated on: 2025-12-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-19
Last Modified
2025-12-16
Generated
2026-05-07
AI Q&A
2025-07-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38350
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.4.294 (inc) to 5.4.296 (exc)
linux linux_kernel From 5.10.238 (inc) to 5.10.240 (exc)
linux linux_kernel From 5.15.185 (inc) to 5.15.187 (exc)
linux linux_kernel From 6.1.141 (inc) to 6.1.144 (exc)
linux linux_kernel From 6.6.93 (inc) to 6.6.97 (exc)
linux linux_kernel From 6.12.31 (inc) to 6.12.37 (exc)
linux linux_kernel From 6.14.9 (inc) to 6.15 (exc)
linux linux_kernel From 6.15.1 (inc) to 6.15.6 (exc)
linux linux_kernel 6.15
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
linux linux_kernel 6.16
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's network scheduler (net/sched) involves certain classful queueing disciplines (qdiscs) that may invoke their classes' dequeue handler during an enqueue operation. This can unexpectedly empty a child qdisc and make an in-flight class passive via qlen_notify(). Since most qdiscs do not expect this behavior, they may re-activate the class, leading to a use-after-free condition where the system accesses memory that has already been freed. The issue arises from backlog accounting problems and was addressed by ensuring that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty, preventing stale pointers and use-after-free errors.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free conditions in the Linux kernel's network scheduling code, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the memory corruption. Such impacts can affect the reliability and security of systems running vulnerable Linux kernel versions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by reproducing the conditions that trigger the use-after-free in the Linux kernel's network scheduler. The following commands demonstrate the issue and can be used to test if your system is vulnerable: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 If these commands cause a kernel crash or unexpected behavior, your system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating the Linux kernel to a version that includes the patch fixing this vulnerability. The patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty, preventing use-after-free conditions. Until you can update, avoid using the affected classful qdiscs configurations that may trigger this issue.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart