CVE-2025-37797
Published: May 2, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 - < 28b09a067831f7317c3841812276022d6c940677affected 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 - < 39b9095dd3b55d9b2743df038c32138efa34a9deaffected 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 - < fcc8ede663569c704fb00a702973bd6c00373283affected 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 - < 20d584a33e480ae80d105f43e0e7b56784da41b9affected 21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14 - < 3aa852e3605000d5c47035c3fc3a986d14ccfa9f+3 more versions |
Linux | Linux | affected 4.14unaffected 0 - < 4.14unaffected 5.4.293 - <= 5.4.*unaffected 5.10.237 - <= 5.10.*unaffected 5.15.181 - <= 5.15.*+5 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now