CVE-2025-37890: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
In the Linux kernel, the following vulnerability has been resolved:
netsched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case).
This patch checks the nactive class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case.
[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Affected Software
Remediation
Event History
Peer vulnerabilities
Found alongside the following vulnerabilities.
Frequently Asked Questions
What is the severity of CVE-2025-37890?
CVE-2025-37890 is classified as a medium severity vulnerability due to the potential for user-after-free issues in the Linux kernel.
How do I fix CVE-2025-37890?
To fix CVE-2025-37890, update your Linux kernel to the latest version that addresses this vulnerability.
What components are affected by CVE-2025-37890?
CVE-2025-37890 affects the hfsc scheduling class when it has a netem child queuing discipline in the Linux kernel.
What type of vulnerability is CVE-2025-37890?
CVE-2025-37890 is a user-after-free (UAF) vulnerability in the Linux kernel.
Is CVE-2025-37890 exploitable?
Yes, CVE-2025-37890 is exploitable under certain conditions, potentially allowing an attacker to manipulate kernel memory.