CVE-2025-38457
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-25

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/[email protected]/
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-25
Last Modified
2025-11-03
Generated
2026-05-06
AI Q&A
2025-07-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-38457
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an ancient bug in the Linux kernel's qdisc (queueing discipline) API. When a user tries to create or modify a qdisc specifying a parent qdisc that does not exist, the system attempts to graft the new qdisc after the creation callback has already run. Some qdiscs (like fq, hhf, choke) call a function that assumes the parent class exists, but if it doesn't, this leads to a failure because the code unconditionally calls a notification function on a null class. The patch fixes this by making the lookup for the parent class fail earlier, aborting the operation before the problematic qdisc creation happens.


How can this vulnerability impact me? :

This vulnerability can cause failures or unexpected behavior in the Linux kernel's network traffic control subsystem when manipulating qdiscs with invalid parent references. It may lead to kernel errors or instability when certain qdiscs are created or modified incorrectly, potentially affecting network performance or reliability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to create or modify qdiscs with invalid parent classes, similar to the example commands that trigger the issue. For instance, running the following commands on a Linux system may reveal the vulnerability if it is present: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq If the system fails or behaves unexpectedly during these commands, it may indicate the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to apply the patch that ensures qdisc_leaf() returns failure when the parent class does not exist, thereby aborting the qdisc modification early. Until the patch is applied, avoid creating or modifying qdiscs with invalid or non-existent parent classes to prevent triggering the vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart