CVE-2025-71066

{"id": "CVE-2025-71066", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2026-01-13T16:16:05.960", "references": [{"url": "https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n //to race with .dequeue handler (`ets_qdisc_dequeue`)\n sch_tree_lock(sch);\n\n for (i = nbands; i < oldbands; i++) {\n if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)\n list_del_init(&q->classes[i].alist);\n qdisc_purge_queue(q->classes[i].qdisc);\n }\n\n WRITE_ONCE(q->nbands, nbands);\n for (i = nstrict; i < q->nstrict; i++) {\n if (q->classes[i].qdisc->q.qlen) {\n\t\t // (2) the class is added to the q->active\n list_add_tail(&q->classes[i].alist, &q->active);\n q->classes[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q->nstrict, nstrict);\n memcpy(q->prio2band, priomap, sizeof(priomap));\n\n for (i = 0; i < q->nbands; i++)\n WRITE_ONCE(q->classes[i].quantum, quanta[i]);\n\n for (i = oldbands; i < q->nbands; i++) {\n q->classes[i].qdisc = queues[i];\n if (q->classes[i].qdisc != &noop_qdisc)\n qdisc_hash_add(q->classes[i].qdisc, true);\n }\n\n // (3) the qdisc is unlocked, now dequeue can be called in parallel\n // to the rest of .change handler\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q->nbands; i < oldbands; i++) {\n\t // (4) we're reducing the refcount for our class's qdisc and\n\t // freeing it\n qdisc_put(q->classes[i].qdisc);\n\t // (5) If we call .dequeue between (4) and (5), we will have\n\t // a strong UAF and we can control RIP\n q->classes[i].qdisc = NULL;\n WRITE_ONCE(q->classes[i].quantum, 0);\n q->classes[i].deficit = 0;\n gnet_stats_basic_sync_init(&q->classes[i].bstats);\n memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));\n }\n return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2>/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2>/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n >/dev/null 2>&1 &\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: ets: Siempre eliminar la clase de la lista activa antes de eliminar en ets_qdisc_change\n\nzdi-disclosures@trendmicro.com dice:\n\nLa vulnerabilidad es una condici\u00f3n de carrera entre 'ets_qdisc_dequeue' y\n'ets_qdisc_change'. Conduce a UAF en el objeto 'struct Qdisc'.\nEl atacante requiere la capacidad de crear un nuevo usuario y un espacio de nombres de red\npara activar el error.\nVer mi comentario adicional al final del an\u00e1lisis.\n\nAn\u00e1lisis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n struct netlink_ext_ack *extack)\n{\n...\n\n // (1) este bloqueo est\u00e1 evitando que el manejador .change ('ets_qdisc_change')\n //compita con el manejador .dequeue ('ets_qdisc_dequeue')\n sch_tree_lock(sch);\n\n for (i = nbands; i &lt; oldbands; i++) {\n if (i &gt;= q-&gt;nstrict &amp;&amp; q-&gt;classes[i].qdisc-&gt;q.qlen)\n list_del_init(&amp;q-&gt;classes[i].alist);\n qdisc_purge_queue(q-&gt;classes[i].qdisc);\n }\n\n WRITE_ONCE(q-&gt;nbands, nbands);\n for (i = nstrict; i &lt; q-&gt;nstrict; i++) {\n if (q-&gt;classes[i].qdisc-&gt;q.qlen) {\n\t\t // (2) la clase se a\u00f1ade a q-&gt;active\n list_add_tail(&amp;q-&gt;classes[i].alist, &amp;q-&gt;active);\n q-&gt;classes[i].deficit = quanta[i];\n }\n }\n WRITE_ONCE(q-&gt;nstrict, nstrict);\n memcpy(q-&gt;prio2band, priomap, sizeof(priomap));\n\n for (i = 0; i &lt; q-&gt;nbands; i++)\n WRITE_ONCE(q-&gt;classes[i].quantum, quanta[i]);\n\n for (i = oldbands; i &lt; q-&gt;nbands; i++) {\n q-&gt;classes[i].qdisc = queues[i];\n if (q-&gt;classes[i].qdisc != &amp;noop_qdisc)\n qdisc_hash_add(q-&gt;classes[i].qdisc, true);\n }\n\n // (3) el qdisc se desbloquea, ahora dequeue puede ser llamado en paralelo\n // al resto del manejador .change\n sch_tree_unlock(sch);\n\n ets_offload_change(sch);\n for (i = q-&gt;nbands; i &lt; oldbands; i++) {\n\t // (4) estamos reduciendo el contador de referencias para el qdisc de nuestra clase y\n\t // liber\u00e1ndolo\n qdisc_put(q-&gt;classes[i].qdisc);\n\t // (5) Si llamamos a .dequeue entre (4) y (5), tendremos\n\t // un UAF fuerte y podremos controlar RIP\n q-&gt;classes[i].qdisc = NULL;\n WRITE_ONCE(q-&gt;classes[i].quantum, 0);\n q-&gt;classes[i].deficit = 0;\n gnet_stats_basic_sync_init(&amp;q-&gt;classes[i].bstats);\n memset(&amp;q-&gt;classes[i].qstats, 0, sizeof(q-&gt;classes[i].qstats));\n }\n return 0;\n}\n\nComentario:\nEsto sucede porque algunas de las clases tienen sus qdiscs asignados a\nNULL, pero permanecen en la lista activa. Este commit soluciona este problema al siempre\neliminar la clase de la lista activa antes de eliminar y liberar su\nqdisc asociado.\n\nPasos para Reproducir\n(versi\u00f3n recortada de lo que fue enviado por zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\" # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n tc qdisc del dev \"$DEV\" root 2&gt;/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2&gt;/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n &gt;/dev/null 2&gt;&amp;1 &amp;\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\nt"}], "lastModified": "2026-05-22T14:16:24.707", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}