CVE-2025-38107 (GCVE-0-2025-38107)
Vulnerability from cvelistv5
Published
2025-07-03 08:35
Modified
2025-07-28 04:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net_sched: ets: fix a race in ets_qdisc_change()
Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.
The race is as follows:
CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()
This can be abused to underflow a parent's qlen.
Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ► | Linux | Linux |
Version: 699d82e9a6db29d509a71f1f2f4316231e6232e6 Version: ce881ddbdc028fb1988b66e40e45ca0529c23b46 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: b05972f01e7d30419987a1f221b5593668fd6448 Version: fffa19b5e58c34004a0d6f642d9c24b11d213994 Version: fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d |
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "eb7b74e9754e1ba2088f914ad1f57a778b11894b",
"status": "affected",
"version": "699d82e9a6db29d509a71f1f2f4316231e6232e6",
"versionType": "git"
},
{
"lessThan": "0b479d0aa488cb478eb2e1d8868be946ac8afb4f",
"status": "affected",
"version": "ce881ddbdc028fb1988b66e40e45ca0529c23b46",
"versionType": "git"
},
{
"lessThan": "347867cb424edae5fec1622712c8dd0a2c42918f",
"status": "affected",
"version": "b05972f01e7d30419987a1f221b5593668fd6448",
"versionType": "git"
},
{
"lessThan": "0383b25488a545be168744336847549d4a2d3d6c",
"status": "affected",
"version": "b05972f01e7d30419987a1f221b5593668fd6448",
"versionType": "git"
},
{
"lessThan": "073f64c03516bcfaf790f8edc772e0cfb8a84ec3",
"status": "affected",
"version": "b05972f01e7d30419987a1f221b5593668fd6448",
"versionType": "git"
},
{
"lessThan": "fed94bd51d62d2e0e006aa61480e94e5cd0582b0",
"status": "affected",
"version": "b05972f01e7d30419987a1f221b5593668fd6448",
"versionType": "git"
},
{
"lessThan": "d92adacdd8c2960be856e0b82acc5b7c5395fddb",
"status": "affected",
"version": "b05972f01e7d30419987a1f221b5593668fd6448",
"versionType": "git"
},
{
"status": "affected",
"version": "fffa19b5e58c34004a0d6f642d9c24b11d213994",
"versionType": "git"
},
{
"status": "affected",
"version": "fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_ets.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.239",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.186",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.142",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.94",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.34",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.239",
"versionStartIncluding": "5.10.142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.186",
"versionStartIncluding": "5.15.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.142",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.94",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.34",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.3",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.4.213",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n | [5]: lock root\n | [6]: rehash\n | [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent\u0027s qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T04:12:22.514Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b"
},
{
"url": "https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f"
},
{
"url": "https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f"
},
{
"url": "https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c"
},
{
"url": "https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3"
},
{
"url": "https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0"
},
{
"url": "https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb"
}
],
"title": "net_sched: ets: fix a race in ets_qdisc_change()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38107",
"datePublished": "2025-07-03T08:35:17.487Z",
"dateReserved": "2025-04-16T04:51:23.985Z",
"dateUpdated": "2025-07-28T04:12:22.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38107\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-03T09:15:24.273\",\"lastModified\":\"2025-07-03T15:13:53.147\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet_sched: ets: fix a race in ets_qdisc_change()\\n\\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\\nfires at the wrong time.\\n\\nThe race is as follows:\\n\\nCPU 0 CPU 1\\n[1]: lock root\\n[2]: qdisc_tree_flush_backlog()\\n[3]: unlock root\\n |\\n | [5]: lock root\\n | [6]: rehash\\n | [7]: qdisc_tree_reduce_backlog()\\n |\\n[4]: qdisc_put()\\n\\nThis can be abused to underflow a parent\u0027s qlen.\\n\\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\\nshould fix the race, because all packets will be purged from the qdisc\\nbefore releasing the lock.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net_sched: ets: corrige una ejecuci\u00f3n en ets_qdisc_change() Gerrard Tai inform\u00f3 de una condici\u00f3n de ejecuci\u00f3n en ETS, siempre que el temporizador de perturbaci\u00f3n SFQ se dispara en el momento equivocado. La ejecuci\u00f3n es la siguiente: CPU 0 CPU 1 [1]: ra\u00edz de bloqueo [2]: qdisc_tree_flush_backlog() [3]: ra\u00edz de desbloqueo | | [5]: ra\u00edz de bloqueo | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() Esto se puede abusar para desbordar el qlen de un padre. Llamar a qdisc_purge_queue() en lugar de qdisc_tree_flush_backlog() deber\u00eda corregir la ejecuci\u00f3n, porque todos los paquetes se purgar\u00e1n del qdisc antes de liberar el bloqueo.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…