CVE-2025-37752: net_sched: sch_sfq: move the limit validation
In the Linux kernel, the following vulnerability has been resolved:
netsched: schsfq: move the limit validation
It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.
Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1
This fixes the following syzkaller reported crash:
------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/schsfq.c:203:6 index 65535 is out of range for type 'struct sfqhead[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> dumpstack lib/dumpstack.c:94 [inline] dumpstacklvl+0x201/0x300 lib/dumpstack.c:120 ubsanepilogue lib/ubsan.c:231 [inline] ubsanhandleoutofbounds+0xf5/0x120 lib/ubsan.c:429 sfqlink net/sched/schsfq.c:203 [inline] sfqdec+0x53c/0x610 net/sched/schsfq.c:231 sfqdequeue+0x34e/0x8c0 net/sched/schsfq.c:493 sfqreset+0x17/0x60 net/sched/schsfq.c:518 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 tbfreset+0x41/0x110 net/sched/schtbf.c:339 qdiscreset+0x12e/0x600 net/sched/schgeneric.c:1035 devresetqueue+0x100/0x1b0 net/sched/schgeneric.c:1311 netdevforeachtxqueue include/linux/netdevice.h:2590 [inline] devdeactivatemany+0x7e5/0xe70 net/sched/schgeneric.c:1375
Affected Software
Remediation
Event History
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-5291
- CVE-2026-4679
- CVE-2026-4449
- CVE-2026-4674
- CVE-2026-4442
- CVE-2026-4451
- CVE-2026-5292
- CVE-2026-5282
- CVE-2026-3922
- CVE-2026-5280
- CVE-2026-4458
- CVE-2026-3923
- CVE-2026-4462
- CVE-2026-4454
- CVE-2026-4675
- CVE-2025-37756
- CVE-2025-37797
- CVE-2025-37890
- CVE-2025-37997
- CVE-2025-38000
- CVE-2025-38001
- CVE-2025-38083
- CVE-2025-38177
- CVE-2025-38350
- CVE-2025-38477
- CVE-2025-38616
- CVE-2025-38617
- CVE-2025-38618
Frequently Asked Questions
What is the severity of CVE-2025-37752?
CVE-2025-37752 has been classified with a moderate severity level in the Linux kernel.
How do I fix CVE-2025-37752?
To fix CVE-2025-37752, ensure that you update to the latest version of the Linux kernel where the vulnerability has been patched.
What impact does CVE-2025-37752 have on system security?
CVE-2025-37752 could potentially allow unauthorized access or modification of kernel parameters, affecting system stability and security.
Which versions of the Linux kernel are affected by CVE-2025-37752?
CVE-2025-37752 affects various versions of the Linux kernel prior to the fix being applied.
Is there a workaround for CVE-2025-37752?
Currently, there are no widely recommended workarounds for CVE-2025-37752 other than applying the kernel update.