CVE-2025-37752

Published May 1, 2025

Last updated 21 days ago

Linux Kernel

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-37752 is an array-out-of-bounds vulnerability found in the Linux kernel's network packet scheduler, specifically within the Stochastic Fairness Queueing (SFQ) queuing discipline. The vulnerability stems from insufficient validation of the SFQ limit parameter. An invalid SFQ limit, combined with interactions between SFQ and the TBF Qdisc, can lead to writing a 0x0000 value approximately 256KB out of bounds at a misaligned offset. The vulnerability occurs because the limit validation is performed directly on user-provided data without considering how other parameter changes might affect the limit value. This can lead to scenarios where the limit is indirectly updated through configurations. When exploited, this can trigger an array-index-out-of-bounds condition in `net/sched/sch_sfq.c`.

Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: move the limit validation It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed. Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations: tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1 This fixes the following syzkaller reported crash: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]' CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline] sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline] dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Awaiting Analysis

Social media

Hype score
Not currently trending

  1. [CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds Great article by D3vil about exploiting a type confusion in the network scheduler subsystem and pwning all kernelCTF instances. https://t.co/lpZyXYFM3w https://t.co/U

    @linkersec

    13 May 2025

    5569 Impressions

    32 Retweets

    141 Likes

    67 Bookmarks

    1 Reply

    2 Quotes

  2. CVE-2025-37752 : Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds https://t.co/ruMufIUtxj

    @freedomhack101

    13 May 2025

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. [CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds https://t.co/0MknQ7evhq

    @akaclandestine

    12 May 2025

    3548 Impressions

    16 Retweets

    74 Likes

    28 Bookmarks

    1 Reply

    1 Quote

  4. Top 5 Trending CVEs: 1 - CVE-2025-37752 2 - CVE-2025-0995 3 - CVE-2025-1550 4 - CVE-2025-24203 5 - CVE-2025-32819 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    12 May 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. [CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bound by @cor_ctf D3vil https://t.co/m2O4XYyJpD https://t.co/cVdDtUTima

    @alexjplaskett

    11 May 2025

    4495 Impressions

    24 Retweets

    83 Likes

    43 Bookmarks

    0 Replies

    0 Quotes

  6. We are back😎 Say hello to our kernelCTF submission for CVE-2025-37752🩸 Who would have thought you could pwn a kernel with just a 0x0000 written 262636 bytes out of bounds? Read the full writeup at: https://t.co/GkpCjamlaZ 👀

    @cor_ctf

    6 May 2025

    4944 Impressions

    43 Retweets

    138 Likes

    53 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.