CVE-2025-21692

In the Linux kernel, the following vulnerability has been resolved:

net: sched: fix ets qdisc OOB Indexing

Haowei Yan g1042620637@gmail.com found that etsclassfromarg() can index an Out-Of-Bound class in etsclassfromarg() when passed clid of 0. The overflow may cause local privilege escalation.

[ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/schets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'etsclass [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dumpstacklvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsanhandleoutofbounds+0xa7/0xf0 [ 18.864022] etsclasschange+0x3d6/0x3f0 [ 18.864322] tcctltclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutexlock+0xa34/0xe70 [ 18.866401] rtnetlinkrcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfxrtnetlinkrcvmsg+0x10/0x10 [ 18.867503] netlinkrcvskb+0x59/0x110 [ 18.867776] rtnetlinkrcv+0x15/0x30 [ 18.868159] netlinkunicast+0x1c3/0x2b0 [ 18.868440] netlinksendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___syssendmsg+0x88/0xe0 [ 18.869276] ? rseqipfixup+0x198/0x260 [ 18.869563] ? rsequpdate_cpunodeid+0x10a/0x190 [ 18.869900] ? tracehardirqsoff+0x5a/0xd0 [ 18.870196] ? syscallexittousermode+0xcc/0x220 [ 18.870547] ? dosyscall64+0x93/0x150 [ 18.870821] ? __memcgslabfree_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64syssendmsg+0x1d/0x30 [ 18.871699] x64syscall+0x9e2/0x2670 [ 18.871979] dosyscall64+0x87/0x150 [ 18.873280] ? dosyscall64+0x93/0x150 [ 18.874742] ? lockrelease+0x7b/0x160 [ 18.876157] ? douseraddrfault+0x5ce/0x8f0 [ 18.877833] ? irqentryexittousermode+0xc2/0x210 [ 18.879608] ? irqentryexit+0x77/0xb0 [ 18.879808] ? clearbhbloop+0x15/0x70 [ 18.880023] ? clearbhbloop+0x15/0x70 [ 18.880223] ? clearbhbloop+0x15/0x70 [ 18.880426] entrySYSCALL64afterhwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIGRAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]---