CVE-2025-38000: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
In the Linux kernel, the following vulnerability has been resolved:
schhfsc: Fix qlen accounting bug when using peek in hfscenqueue()
When enqueuing the first packet to an HFSC class, hfscenqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdiscpeekdequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisctreereducebacklog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free.
This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2025-38000?
CVE-2025-38000 has a moderate severity level due to its potential impact on packet handling in the Linux kernel.
How do I fix CVE-2025-38000?
To fix CVE-2025-38000, update the Linux kernel to the latest patched version provided by your distribution.
What systems are affected by CVE-2025-38000?
CVE-2025-38000 affects specific versions of the Linux kernel that implement the HFSC scheduling class.
What is the impact of CVE-2025-38000 on systems?
The impact of CVE-2025-38000 can lead to incorrect queue length accounting which could affect traffic scheduling performance.
When was CVE-2025-38000 discovered?
CVE-2025-38000 was reported as a vulnerability in the Linux kernel, with fixes released in late 2025.