CVE-2025-38468 (GCVE-0-2025-38468)
Vulnerability from cvelistv5
Published
2025-07-28 11:12
Modified
2025-07-28 11:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
htb_lookup_leaf has a BUG_ON that can trigger with the following:
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 htb rate 64bit
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2:1 handle 3: blackhole
ping -I lo -c1 -W0.001 127.0.0.1
The root cause is the following:
1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on
the selected leaf qdisc
2. netem_dequeue calls enqueue on the child qdisc
3. blackhole_enqueue drops the packet and returns a value that is not
just NET_XMIT_SUCCESS
4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and
since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate ->
htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
5. As this is the only class in the selected hprio rbtree,
__rb_change_child in __rb_erase_augmented sets the rb_root pointer to
NULL
6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,
which causes htb_dequeue_tree to call htb_lookup_leaf with the same
hprio rbtree, and fail the BUG_ON
The function graph for this scenario is shown here:
0) | htb_enqueue() {
0) + 13.635 us | netem_enqueue();
0) 4.719 us | htb_activate_prios();
0) # 2249.199 us | }
0) | htb_dequeue() {
0) 2.355 us | htb_lookup_leaf();
0) | netem_dequeue() {
0) + 11.061 us | blackhole_enqueue();
0) | qdisc_tree_reduce_backlog() {
0) | qdisc_lookup_rcu() {
0) 1.873 us | qdisc_match_from_root();
0) 6.292 us | }
0) 1.894 us | htb_search();
0) | htb_qlen_notify() {
0) 2.655 us | htb_deactivate_prios();
0) 6.933 us | }
0) + 25.227 us | }
0) 1.983 us | blackhole_dequeue();
0) + 86.553 us | }
0) # 2932.761 us | qdisc_warn_nonwc();
0) | htb_lookup_leaf() {
0) | BUG_ON();
------------------------------------------
The full original bug report can be seen here [1].
We can fix this just by returning NULL instead of the BUG_ON,
as htb_dequeue_tree returns NULL when htb_lookup_leaf returns
NULL.
[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/
References
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/sched/sch_htb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "890a5d423ef0a7bd13447ceaffad21189f557301",
"status": "affected",
"version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
"versionType": "git"
},
{
"lessThan": "7ff2d83ecf2619060f30ecf9fad4f2a700fca344",
"status": "affected",
"version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
"versionType": "git"
},
{
"lessThan": "e5c480dc62a3025b8428d4818e722da30ad6804f",
"status": "affected",
"version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
"versionType": "git"
},
{
"lessThan": "3691f84269a23f7edd263e9b6edbc27b7ae332f4",
"status": "affected",
"version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
"versionType": "git"
},
{
"lessThan": "0e1d5d9b5c5966e2e42e298670808590db5ed628",
"status": "affected",
"version": "512bb43eb5422ee69a1be05ea0d89dc074fac9a2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/sched/sch_htb.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.29"
},
{
"lessThan": "2.6.29",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.147",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.100",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.40",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.15.*",
"status": "unaffected",
"version": "6.15.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.16",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.147",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.100",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.40",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.15.8",
"versionStartIncluding": "2.6.29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.16",
"versionStartIncluding": "2.6.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle 2: netem\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\nping -I lo -c1 -W0.001 127.0.0.1\n\nThe root cause is the following:\n\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\n the selected leaf qdisc\n2. netem_dequeue calls enqueue on the child qdisc\n3. blackhole_enqueue drops the packet and returns a value that is not\n just NET_XMIT_SUCCESS\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\n since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\n htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\n5. As this is the only class in the selected hprio rbtree,\n __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\n NULL\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\n which causes htb_dequeue_tree to call htb_lookup_leaf with the same\n hprio rbtree, and fail the BUG_ON\n\nThe function graph for this scenario is shown here:\n 0) | htb_enqueue() {\n 0) + 13.635 us | netem_enqueue();\n 0) 4.719 us | htb_activate_prios();\n 0) # 2249.199 us | }\n 0) | htb_dequeue() {\n 0) 2.355 us | htb_lookup_leaf();\n 0) | netem_dequeue() {\n 0) + 11.061 us | blackhole_enqueue();\n 0) | qdisc_tree_reduce_backlog() {\n 0) | qdisc_lookup_rcu() {\n 0) 1.873 us | qdisc_match_from_root();\n 0) 6.292 us | }\n 0) 1.894 us | htb_search();\n 0) | htb_qlen_notify() {\n 0) 2.655 us | htb_deactivate_prios();\n 0) 6.933 us | }\n 0) + 25.227 us | }\n 0) 1.983 us | blackhole_dequeue();\n 0) + 86.553 us | }\n 0) # 2932.761 us | qdisc_warn_nonwc();\n 0) | htb_lookup_leaf() {\n 0) | BUG_ON();\n ------------------------------------------\n\nThe full original bug report can be seen here [1].\n\nWe can fix this just by returning NULL instead of the BUG_ON,\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\nNULL.\n\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/"
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T11:12:20.188Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301"
},
{
"url": "https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344"
},
{
"url": "https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f"
},
{
"url": "https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4"
},
{
"url": "https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628"
}
],
"title": "net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2025-38468",
"datePublished": "2025-07-28T11:12:20.188Z",
"dateReserved": "2025-04-16T04:51:24.020Z",
"dateUpdated": "2025-07-28T11:12:20.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-38468\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-28T12:15:28.503\",\"lastModified\":\"2025-07-29T14:14:29.590\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\\n\\nhtb_lookup_leaf has a BUG_ON that can trigger with the following:\\n\\ntc qdisc del dev lo root\\ntc qdisc add dev lo root handle 1: htb default 1\\ntc class add dev lo parent 1: classid 1:1 htb rate 64bit\\ntc qdisc add dev lo parent 1:1 handle 2: netem\\ntc qdisc add dev lo parent 2:1 handle 3: blackhole\\nping -I lo -c1 -W0.001 127.0.0.1\\n\\nThe root cause is the following:\\n\\n1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on\\n the selected leaf qdisc\\n2. netem_dequeue calls enqueue on the child qdisc\\n3. blackhole_enqueue drops the packet and returns a value that is not\\n just NET_XMIT_SUCCESS\\n4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and\\n since qlen is now 0, it calls htb_qlen_notify -\u003e htb_deactivate -\u003e\\n htb_deactiviate_prios -\u003e htb_remove_class_from_row -\u003e htb_safe_rb_erase\\n5. As this is the only class in the selected hprio rbtree,\\n __rb_change_child in __rb_erase_augmented sets the rb_root pointer to\\n NULL\\n6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,\\n which causes htb_dequeue_tree to call htb_lookup_leaf with the same\\n hprio rbtree, and fail the BUG_ON\\n\\nThe function graph for this scenario is shown here:\\n 0) | htb_enqueue() {\\n 0) + 13.635 us | netem_enqueue();\\n 0) 4.719 us | htb_activate_prios();\\n 0) # 2249.199 us | }\\n 0) | htb_dequeue() {\\n 0) 2.355 us | htb_lookup_leaf();\\n 0) | netem_dequeue() {\\n 0) + 11.061 us | blackhole_enqueue();\\n 0) | qdisc_tree_reduce_backlog() {\\n 0) | qdisc_lookup_rcu() {\\n 0) 1.873 us | qdisc_match_from_root();\\n 0) 6.292 us | }\\n 0) 1.894 us | htb_search();\\n 0) | htb_qlen_notify() {\\n 0) 2.655 us | htb_deactivate_prios();\\n 0) 6.933 us | }\\n 0) + 25.227 us | }\\n 0) 1.983 us | blackhole_dequeue();\\n 0) + 86.553 us | }\\n 0) # 2932.761 us | qdisc_warn_nonwc();\\n 0) | htb_lookup_leaf() {\\n 0) | BUG_ON();\\n ------------------------------------------\\n\\nThe full original bug report can be seen here [1].\\n\\nWe can fix this just by returning NULL instead of the BUG_ON,\\nas htb_dequeue_tree returns NULL when htb_lookup_leaf returns\\nNULL.\\n\\n[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/sched: Devuelve NULL cuando htb_lookup_leaf encuentra un rbtree vac\u00edo htb_lookup_leaf tiene un BUG_ON que puede activarse con lo siguiente: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 La causa ra\u00edz es la siguiente: 1. htb_dequeue llama a htb_dequeue_tree, que llama al controlador de dequeue en el qdisc de hoja seleccionado 2. netem_dequeue llama a enqueue en el hijo qdisc 3. blackhole_enqueue descarta el paquete y devuelve un valor que no es solo NET_XMIT_SUCCESS 4. Debido a esto, netem_dequeue llama a qdisc_tree_reduce_backlog y, dado que qlen ahora es 0, llama a htb_qlen_notify -\u0026gt; htb_deactivate -\u0026gt; htb_deactiviate_prios -\u0026gt; htb_remove_class_from_row -\u0026gt; htb_safe_rb_erase 5. Como esta es la \u00fanica clase en el rbtree hprio seleccionado, __rb_change_child en __rb_erase_augmented establece el puntero rb_root en NULL 6. Debido a que blackhole_dequeue devuelve NULL, netem_dequeue devuelve NULL, lo que hace que htb_dequeue_tree llame a htb_lookup_leaf con el mismo rbtree hprio y falle el BUG_ON Se muestra el gr\u00e1fico de funciones para este escenario aqu\u00ed: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON(); ------------------------------------------ The full original bug report can be seen here [1]. We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL. [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e1d5d9b5c5966e2e42e298670808590db5ed628\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3691f84269a23f7edd263e9b6edbc27b7ae332f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7ff2d83ecf2619060f30ecf9fad4f2a700fca344\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/890a5d423ef0a7bd13447ceaffad21189f557301\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e5c480dc62a3025b8428d4818e722da30ad6804f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…