CVE-2025-38457

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-38457
In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803 Patch
https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e Patch
https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af Patch
https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a Patch
https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f Patch
https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e Patch
https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea Patch
https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

22 Dec 2025, 21:49

Type Values Removed Values Added
CWE NVD-CWE-noinfo
References () https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803 - () https://git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803 - Patch
References () https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e - () https://git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e - Patch
References () https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af - () https://git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af - Patch
References () https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a - () https://git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a - Patch
References () https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f - () https://git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f - Patch
References () https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e - () https://git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e - Patch
References () https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea - () https://git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea - Patch
References () https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963 - () https://git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory
CPE cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel

03 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

29 Jul 2025, 14:14

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Abort __tc_modify_qdisc si la clase padre no existe. El parche de Lion [1] reveló un error antiguo en la API de qdisc. Siempre que un usuario crea o modifica una qdisc que especifica otra qdisc como padre, la API de qdisc detecta, durante el injerto, que el usuario no intenta asociarse a una clase y lo rechaza. Sin embargo, el injerto se realiza después de ejecutar qdisc_create (y, por lo tanto, la devolución de llamada de inicio de la qdisc). En las qdisc que eventualmente llaman a qdisc_tree_reduce_backlog durante la inicialización o el cambio (como fq, hhf, choke, etc.), surge un problema. Por ejemplo, al ejecutar los siguientes comandos: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Las Qdisc como fq, hhf, choke, etc., invocan incondicionalmente qdisc_tree_reduce_backlog() en su ruta de control init() o change(), lo que provoca un error al no encontrar la clase hija; sin embargo, esto no detiene la invocación incondicional de qlen_notify de la qdisc hija asumida con una clase nula. Todas estas qdisc asumen que la clase no es nula. La solución es garantizar que qdisc_leaf(), que busca la clase padre y se invoca antes que qdisc_create(), devuelva un error al no encontrar la clase. En este parche, aprovechamos qdisc_leaf para devolver ERR_PTR siempre que el parentid no corresponda a una clase, de modo que podamos detectarlo antes y abortar antes de que se llame a qdisc_create. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/

25 Jul 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-25 16:15

Updated : 2025-12-22 21:49

NVD link : CVE-2025-38457

Mitre link : CVE-2025-38457

CVE.ORG link : CVE-2025-38457

JSON object : View

Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
NVD-CWE-noinfo