CVE-2025-37797

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37797
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37797.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37797
Downstream
Related
Published
2025-05-02T15:15:48Z
Modified
2025-08-09T20:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class handling

This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfscchangeclass() when working with certain child qdiscs like netem or codel.

The vulnerability works as follows: 1. hfscchangeclass() checks if a class has packets (q.qlen != 0) 2. It then calls qdiscpeeklen(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free

The fix adds a second queue length check after qdiscpeeklen() to verify the queue wasn't emptied.

References

Affected packages