CVE-2025-37752

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37752
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37752.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37752
Downstream
Related
Published
2025-05-01T12:55:57Z
Modified
2025-10-18T01:08:09.150230Z
Summary
net_sched: sch_sfq: move the limit validation
Details

In the Linux kernel, the following vulnerability has been resolved:

netsched: schsfq: move the limit validation

It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.

Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:

tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/schsfq.c:203:6 index 65535 is out of range for type 'struct sfqhead[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> _dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x201/0x300 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:231 [inline] _ubsanhandleoutofbounds+0xf5/0x120 lib/ubsan.c:429 sfqlink net/sched/schsfq.c:203 [inline] sfqdec+0x53c/0x610 net/sched/schsfq.c:231 sfqdequeue+0x34e/0x8c0 net/sched/schsfq.c:493 sfqreset+0x17/0x60 net/sched/schsfq.c:518 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 tbfreset+0x41/0x110 net/sched/schtbf.c:339 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 devresetqueue+0x100/0x1b0 net/sched/schgeneric.c:1311 netdevforeachtxqueue include/linux/netdevice.h:2590 [inline] devdeactivatemany+0x7e5/0xe70 net/sched/schgeneric.c:1375

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e12f6013d0a69660e8b99bfe381b9546ae667328
Fixed
8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1e6d9d87626cf89eeffb4d943db12cb5b10bf961
Fixed
7d62ded97db6b7c94c891f704151f372b1ba4688
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1b562b7f9231432da40d12e19786c1bd7df653a7
Fixed
6c589aa318023690f1606c666a7fb5f4c1c9c219
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35d0137305ae2f97260a9047f445bd4434bd6cc7
Fixed
1348214fa042a71406964097e743c87a42c85a49
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
833e9a1c27b82024db7ff5038a51651f48f05e5e
Fixed
d2718324f9e329b10ddc091fba5a0ba2b9d4d96a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7d8947f2153ee9c5ab4cb17861a11cc45f30e8c4
Fixed
f86293adce0c201cfabb283ef9d6f21292089bb8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7fefc294204f10a3405f175f4ac2be16d63f135e
Fixed
5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
10685681bafce6febb39770f3387621bf5d67d0b
Fixed
b36a68192037d1614317a09b0d78c7814e2eecf9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
10685681bafce6febb39770f3387621bf5d67d0b
Fixed
b3bf8f63e6179076b57c9de660c9f80b5abefe70

Affected versions

v6.*

v6.1.129
v6.1.130
v6.1.131
v6.1.132
v6.1.133
v6.1.134
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.13
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.10
v6.13.11
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.2
v6.6.76
v6.6.77
v6.6.78
v6.6.79
v6.6.80
v6.6.81
v6.6.82
v6.6.83
v6.6.84
v6.6.85
v6.6.86
v6.6.87

Database specific

vanir_signatures

[
    {
        "id": "CVE-2025-37752-14a483c9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36a68192037d1614317a09b0d78c7814e2eecf9"
    },
    {
        "id": "CVE-2025-37752-1bc25bac",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
    },
    {
        "id": "CVE-2025-37752-387381a3",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
    },
    {
        "id": "CVE-2025-37752-4464e479",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1348214fa042a71406964097e743c87a42c85a49"
    },
    {
        "id": "CVE-2025-37752-4b95732c",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d2718324f9e329b10ddc091fba5a0ba2b9d4d96a"
    },
    {
        "id": "CVE-2025-37752-56719bff",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c589aa318023690f1606c666a7fb5f4c1c9c219"
    },
    {
        "id": "CVE-2025-37752-57bd6030",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1348214fa042a71406964097e743c87a42c85a49"
    },
    {
        "id": "CVE-2025-37752-70c40e45",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
    },
    {
        "id": "CVE-2025-37752-857b94c9",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d62ded97db6b7c94c891f704151f372b1ba4688"
    },
    {
        "id": "CVE-2025-37752-9699a667",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b36a68192037d1614317a09b0d78c7814e2eecf9"
    },
    {
        "id": "CVE-2025-37752-b611eb34",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f86293adce0c201cfabb283ef9d6f21292089bb8"
    },
    {
        "id": "CVE-2025-37752-bdfe7973",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e5e1fcc1b8ed57f902c424c5d9b328a3a19073d"
    },
    {
        "id": "CVE-2025-37752-bfa3cec1",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f86293adce0c201cfabb283ef9d6f21292089bb8"
    },
    {
        "id": "CVE-2025-37752-c0ff1420",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8fadc871a42933aacb7f1ce9ed9a96485e2c9cf4"
    },
    {
        "id": "CVE-2025-37752-c5c1ac68",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3bf8f63e6179076b57c9de660c9f80b5abefe70"
    },
    {
        "id": "CVE-2025-37752-ebc745ec",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Line",
        "target": {
            "file": "net/sched/sch_sfq.c"
        },
        "digest": {
            "line_hashes": [
                "28757591488293038969130805761255313741",
                "248821064266667969868613349784691052776",
                "151141669484108820527908550919743115655",
                "113854419271722784781797958269006837410",
                "148595085722002126066384819280877718903",
                "23920130729390473254096580054339352153",
                "158832190760873205036514878408751879607",
                "193063347493775447227763143944313935909",
                "208247108737294116551706722027522965082",
                "293965041930665139134565349876139259009",
                "221779049307622159456431817986558285521"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7d62ded97db6b7c94c891f704151f372b1ba4688"
    },
    {
        "id": "CVE-2025-37752-f98aa62f",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6c589aa318023690f1606c666a7fb5f4c1c9c219"
    },
    {
        "id": "CVE-2025-37752-f9fc38e6",
        "deprecated": false,
        "signature_version": "v1",
        "signature_type": "Function",
        "target": {
            "file": "net/sched/sch_sfq.c",
            "function": "sfq_change"
        },
        "digest": {
            "function_hash": "63375564458207847569189708481757962579",
            "length": 2477.0
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b3bf8f63e6179076b57c9de660c9f80b5abefe70"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.135
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.88
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.24
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.13.12
Type
ECOSYSTEM
Events
Introduced
6.14.0
Fixed
6.14.3