CVE-2025-38083: net_sched: prio: fix a race in prio_tune()

Published Jun 20, 2025
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

netsched: prio: fix a race in priotune()

Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.

The race is as follows:

CPU 0 CPU 1 [1]: lock root [2]: qdisctreeflushbacklog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisctreereducebacklog() | [4]: qdiscput()

This can be abused to underflow a parent's qlen.

Calling qdiscpurgequeue() instead of qdisctreeflushbacklog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Affected Software

12 affected componentsFixes available
Linux Linux kernel
Linux Linux kernel>=5.0<5.4.295
Linux Linux kernel>=5.5<5.10.239
Linux Linux kernel>=5.11<5.15.186
Linux Linux kernel>=5.16<6.1.142
Linux Linux kernel>=6.2<6.6.94
Linux Linux kernel>=6.7<6.12.34
Linux Linux kernel>=6.13<6.15.3
Linux Linux kernel=6.16-rc1
Debian Debian Linux=11.0
Microsoft azl3 kernel 6.6.92.2-2
Patch available
Microsoft azl3 kernel 6.6.96.1-1
Patch available

Remediation

Patch Available

https://git.kernel.org/stable/c/20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f

Patch Available

https://git.kernel.org/stable/c/3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4

Patch Available

https://git.kernel.org/stable/c/4483d8b9127591c60c4eb789d6cab953bc4522a9

Patch Available

https://git.kernel.org/stable/c/46c15c9d0f65c9ba857d63f53264f4b17e8a715f

Patch Available

https://git.kernel.org/stable/c/53d11560e957d53ee87a0653d258038ce12361b7

Patch Available

https://git.kernel.org/stable/c/93f9eeb678d4c9c1abf720b3615fa8299a490845

Patch Available

https://git.kernel.org/stable/c/d35acc1be3480505b5931f17e4ea9b7617fea4d3

Patch Available

https://git.kernel.org/stable/c/e3f6745006dc9423d2b065b90f191cfa11b1b584

Event History

Jun 20, 2025
CVE Published
via MITRE·11:21 AM
Data Sourced
via MITRE·11:21 AM
Description
Data Sourced
via NVD·12:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Aug 7, 2025
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-38083?

CVE-2025-38083 has been classified with a critical severity due to its potential exploitation leading to system instability.

2

How do I fix CVE-2025-38083?

To fix CVE-2025-38083, update your Linux kernel to the latest version where the vulnerability has been addressed.

3

What systems are affected by CVE-2025-38083?

CVE-2025-38083 affects various versions of the Linux kernel, particularly those using the PRIO scheduler.

4

Can CVE-2025-38083 be exploited remotely?

CVE-2025-38083 is not directly exploitable remotely, but it may lead to denial-of-service conditions under specific circumstances.

5

Who reported CVE-2025-38083?

CVE-2025-38083 was reported by security researcher Gerrard Tai.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203