CVE-2025-37953

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-37953
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37953.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37953
Downstream
Related
Published
2025-05-20T16:01:47.818Z
Modified
2026-03-11T07:47:09.629854Z
Summary
sch_htb: make htb_deactivate() idempotent
Details

In the Linux kernel, the following vulnerability has been resolved:

schhtb: make htbdeactivate() idempotent

Alan reported a NULL pointer dereference in htbnextrbnode() after we made htbqlen_notify() idempotent.

It turns out in the following case it introduced some regression:

htbdequeuetree(): |-> fqcodeldequeue() |-> qdisctreereducebacklog() |-> htbqlennotify() |-> htbdeactivate() |-> htbnextrbnode() |-> htbdeactivate()

For htbnextrbnode(), after calling the 1st htbdeactivate(), the clprio[prio]->ptr could be already set to NULL, which means htbnextrb_node() is vulnerable here.

For htbdeactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisctreereducebacklog(), we may call it again which triggers the warning inside.

To fix the issues here, we need to:

1) Make htbdeactivate() idempotent, that is, simply return if we already call it before. 2) Make htbnextrbnode() safe against ptr==NULL.

Many thanks to Alan for testing and for the reproducer.

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37953.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1
Fixed
99ff8a20fd61315bf9ae627440a5ff07d22ee153
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
32ae12ce6a9f6bace186ca7335220ff59b6cc3cd
Fixed
a9945f7cf1709adc5d2d31cb6cfc85627ce299a8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
967955c9e57f8eebfccc298037d4aaf3d42bc1c9
Fixed
c2d25fddd867ce20a266806634eeeb5c30cb520c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
73cf6af13153d62f9b76eff422eea79dbc70f15e
Fixed
c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
bbbf5e0f87078b715e7a665d662a2c0e77f044ae
Fixed
31ff70ad39485698cf779f2078132d80b57f6c07
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0a188c0e197383683fd093ab1ea6ce9a5869a6ea
Fixed
98cd7ed92753090a714f0802d4434314526fe61d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a61f1b5921761fbaf166231418bc1db301e5bf59
Fixed
c4792b9e38d2f61b07eac72f10909fa76130314b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5ba8b837b522d7051ef81bacf3d95383ff8edce5
Fixed
3769478610135e82b262640252d90f6efb05be71

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37953.json"