CVE-2025-38468
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38468
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38468.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38468
- Downstream
- Related
- Published
- 2025-07-28T12:15:28Z
- Modified
- 2025-08-13T12:50:01.060841Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htblookupleaf encounters an empty rbtree
htblookupleaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
- htbdequeue calls htbdequeue_tree which calls the dequeue handler on the selected leaf qdisc
- netem_dequeue calls enqueue on the child qdisc
- blackholeenqueue drops the packet and returns a value that is not just NETXMIT_SUCCESS
- Because of this, netemdequeue calls qdisctreereducebacklog, and since qlen is now 0, it calls htbqlennotify -> htbdeactivate -> htbdeactiviateprios -> htbremoveclassfromrow -> htbsaferberase
- As this is the only class in the selected hprio rbtree, _rbchangechild in _rberaseaugmented sets the rb_root pointer to NULL
- Because blackholedequeue returns NULL, netemdequeue returns NULL, which causes htbdequeuetree to call htblookupleaf with the same hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here: 0) | htbenqueue() { 0) + 13.635 us | netemenqueue(); 0) 4.719 us | htbactivateprios(); 0) # 2249.199 us | } 0) | htbdequeue() { 0) 2.355 us | htblookupleaf(); 0) | netemdequeue() { 0) + 11.061 us | blackholeenqueue(); 0) | qdisctreereducebacklog() { 0) | qdisclookuprcu() { 0) 1.873 us | qdiscmatchfromroot(); 0) 6.292 us | } 0) 1.894 us | htbsearch(); 0) | htbqlennotify() { 0) 2.655 us | htbdeactivateprios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackholedequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdiscwarnnonwc(); 0) | htblookupleaf() { 0) | BUGON();
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUGON, as htbdequeuetree returns NULL when htblookup_leaf returns NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
- References
-
- https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628
- https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4
- https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344
- https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301
- https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f
- https://security-tracker.debian.org/tracker/CVE-2025-38468
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.147-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected