CVE-2025-37890
- Source
- https://cve.org/CVERecord?id=CVE-2025-37890
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37890.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-37890
- Downstream
- Related
- Published
- 2025-05-16T13:01:12.798Z
- Modified
- 2026-03-20T12:42:32.222280Z
- Summary
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).
This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37890.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547
- https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421
- https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202
- https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21
- https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef
- https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5
- https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0
- https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0
- https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37890.json
- https://nvd.nist.gov/vuln/detail/CVE-2025-37890
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced37d9cf1a3ce35de3df6f7d209bfb1f50cf188ceaFixed273bbcfa53541cde38b2003ad88a59b770306421Fixede0cf8ee23e1915431f262a7b2dee0c7a7d699af0Fixede3e949a39a91d1f829a4890e7dfe9417ac72e4d0Fixed8df7d37d626430035b413b97cee18396b3450befFixed6082a87af4c52f58150d40dec1716011d871ac21Fixed2e7093c7a8aba5d4f8809f271488e5babe75e202Fixedac39fd4a757584d78ed062d4f6fd913f83bd98b5Fixed141d34391abbb315d68556b7c67ad97885407547