CVE-2025-38477

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6	Patch
https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64	Patch
https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1	Patch
https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d	Patch
https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79	Patch
https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e	Patch
https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd	Patch
https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527	Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html	Third Party Advisory Mailing List
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html	Third Party Advisory Mailing List

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.16:rc6::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

23 Dec 2025, 18:28

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6 -~~	() https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6 - Patch
References	~~() https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 -~~	() https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 - Patch
References	~~() https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1 -~~	() https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1 - Patch
References	~~() https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d -~~	() https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d - Patch
References	~~() https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79 -~~	() https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79 - Patch
References	~~() https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e -~~	() https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e - Patch
References	~~() https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd -~~	() https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd - Patch
References	~~() https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527 -~~	() https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527 - Patch
References	~~() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -~~	() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory, Mailing List
References	~~() https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -~~	() https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory, Mailing List
CWE		CWE-362
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.7
CPE		cpe:2.3:o:linux:linux_kernel:6.16:rc6:::::: cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:linux:linux_kernel:6.16:rc3:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.16:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.16:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.16:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.16:rc2::::::
First Time		Linux Debian Debian debian Linux Linux linux Kernel

03 Nov 2025, 18:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

28 Aug 2025, 15:15

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d - () https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e - () https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd -

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: sch_qfq: Corrección de la condición de ejecución en qfq_aggregate. Una condición de ejecución puede ocurrir cuando se modifica 'agg' en qfq_change_agg (llamado durante qfq_enqueue) mientras otros subprocesos acceden a él simultáneamente. Por ejemplo, qfq_dump_class puede desencadenar una desreferencia a NULL y qfq_delete_class puede causar un use-after-free. Este parche soluciona el problema mediante: 1. El traslado de qfq_destroy_class a la sección crítica. 2. La adición de la protección sch_tree_lock a qfq_dump_class y qfq_dump_class_stats.

28 Jul 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-28 12:15

Updated : 2025-12-23 18:28

NVD link : CVE-2025-38477

Mitre link : CVE-2025-38477

CVE.ORG link : CVE-2025-38477

JSON object : View

Products Affected

debian

debian_linux

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

4.7 /10