CVE-2025-37797: net_sched: hfsc: Fix a UAF vulnerability in class handling
In the Linux kernel, the following vulnerability has been resolved:
netsched: hfsc: Fix a UAF vulnerability in class handling
This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfscchangeclass() when working with certain child qdiscs like netem or codel.
The vulnerability works as follows: 1. hfscchangeclass() checks if a class has packets (q.qlen != 0) 2. It then calls qdiscpeeklen(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free
The fix adds a second queue length check after qdiscpeeklen() to verify the queue wasn't emptied.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2025-37797?
CVE-2025-37797 has been classified as a high severity vulnerability due to its potential to allow remote code execution.
How do I fix CVE-2025-37797?
To fix CVE-2025-37797, upgrade your Linux kernel to the latest stable version where the vulnerability has been patched.
Who is affected by CVE-2025-37797?
CVE-2025-37797 affects all distributions of the Linux kernel that utilize the hfsc qdisc class handling.
What type of vulnerability is CVE-2025-37797?
CVE-2025-37797 is identified as a Use-After-Free (UAF) vulnerability, which can lead to arbitrary code execution.
Is there a workaround for CVE-2025-37797?
Currently, the best mitigation for CVE-2025-37797 is to apply the kernel patch or upgrade to a patched version.