CVE-2025-37992

In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed when trimming excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie) are updated to use this helper in their ->change() routines.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8	Patch
https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd	Patch
https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861	Patch
https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c	Patch
https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c	Patch
https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542	Patch
https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76	Patch
https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.15:rc6::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

16 Dec 2025, 20:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:6.15:rc5:::::: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.15:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.15:rc1::::::
First Time		Linux Debian Debian debian Linux Linux linux Kernel
CWE		CWE-476
References	~~() https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 -~~	() https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 - Patch
References	~~() https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd -~~	() https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd - Patch
References	~~() https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861 -~~	() https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861 - Patch
References	~~() https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c -~~	() https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c - Patch
References	~~() https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c -~~	() https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c - Patch
References	~~() https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542 -~~	() https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542 - Patch
References	~~() https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76 -~~	() https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html -~~	() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html - Third Party Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -~~	() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory

03 Nov 2025, 20:18

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html -

03 Nov 2025, 18:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -

04 Jun 2025, 13:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542 -

28 May 2025, 15:01

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net_sched: Vaciar también la lista gso_skb durante ->change(). Anteriormente, al reducir el límite de una qdisc mediante la operación ->change(), solo se recortaba la cola principal de skb, lo que podía dejar paquetes en la lista gso_skb. Esto podía provocar una desreferencia de puntero nulo al comparar únicamente sch->limit con sch->q.qlen. Este parche introduce un nuevo asistente, qdisc_dequeue_internal(), que garantiza que tanto la lista gso_skb como la cola principal se vacíen correctamente al recortar los paquetes sobrantes. Todas las qdisc relevantes (codel, fq, fq_codel, fq_pie, hhf, pie) se han actualizado para usar este asistente en sus rutinas ->change().

26 May 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-26 15:15

Updated : 2025-12-16 20:19

NVD link : CVE-2025-37992

Mitre link : CVE-2025-37992

CVE.ORG link : CVE-2025-37992

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10