CVE-2025-38001

Published Jun 6, 2025

Last updated 3 months ago

CVSS medium 5.5
Linux Kernel

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-38001 is a vulnerability in the Linux kernel affecting the Hierarchical Fair Service Curve (HFSC) scheduler component. Disclosed on June 6, 2025, it involves a use-after-free (UAF) condition when HFSC is used with NETEM. The vulnerability stems from a bypass of a previous patch that attempted to address re-entrant enqueue issues. The flaw occurs because that patch only checks the `cl->cl_nactive` field to determine whether this is the first insertion, but this field is only incremented by `init_vf`. By using `HFSC_RSC` (which uses `init_ed`), it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions this leads to an infinite loop in `hfsc_dequeue`, but when combined with TBF as the root qdisc configured with a very low rate, packets can be prevented from being dequeued, enabling subsequent insertions in the HFSC eltree and causing a UAF condition.

Description
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Savino says:

"We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD status
Modified
Products
linux_kernel, debian_linux

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

nvd@nist.gov
CWE-835

Social media

Hype score
Not currently trending
  1. #exploit #Kernel_Security "Exploiting a Linux Kernel 0-day Through Red-Black Tree Transformations", HexaCon 2025. ]-> Linux HFSC Eltree UAF - Debian 12 PoC - https://t.co/7IGmAbxrla // CVE-2025-38001 Analysis + RbTree Attack Against LTS/COS + Mitigations Exploit See also: ]-

    @ksg93rd

    24 Dec 2025

    4428 Impressions

    18 Retweets

    142 Likes

    54 Bookmarks

    2 Replies

    0 Quotes

  2. An RbTree Family Drama Talk by William Liu and Savino Dicanosa @cor_ctf about exploiting CVE-2025-38001 — a use-after-free in the network packet scheduler. Slides: https://t.co/9uzwjmQilt Video: https://t.co/umCg8CshIO

    @linkersec

    10 Dec 2025

    10551 Impressions

    16 Retweets

    54 Likes

    37 Bookmarks

    1 Reply

    0 Quotes

  3. Analysis and exploitation of a Use-After-Free vulnerability in the Linux network packet schedule (CVE-2025-38001) https://t.co/t0C6wWlyWI #infosec #Linux https://t.co/wsIxrGgwWo

    @0xor0ne

    2 Dec 2025

    8010 Impressions

    44 Retweets

    199 Likes

    106 Bookmarks

    1 Reply

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2023-41990 2 - CVE-2017-0144 3 - CVE-2025-49144 4 - CVE-2023-38606 5 - CVE-2025-38001 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    20 Oct 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨CVE-2025-38001: Linux HFSC Eltree Use-After-Free - Debian 12 PoC GitHub: https://t.co/1YTrZ15fRs Bounty: $82,000 Write-up: https://t.co/vFmqiueOZX https://t.co/QFSMgOjCpw

    @DarkWebInformer

    19 Oct 2025

    11334 Impressions

    23 Retweets

    106 Likes

    50 Bookmarks

    1 Reply

    0 Quotes

  6. Exploiting a Use-After-Free vulnerability in the Linux network packet schedule (CVE-2025-38001) https://t.co/t0C6wWlyWI Credits @cor_ctf #infosec #Linux https://t.co/ncVYtZAVwV

    @0xor0ne

    12 Oct 2025

    18770 Impressions

    42 Retweets

    225 Likes

    81 Bookmarks

    1 Reply

    1 Quote

  7. 🚨 CRITICAL: #SUSE releases kernel security patch SUSE-SU-2025:03222-1. Fixes 4 CVEs, including CVE-2025-38001 & CVE-2025-38212 (CVSS 8.5). Impacts SLE 15 SP6/SP7 & openSUSE Leap 15.6. Read more:👉 https://t.co/NozG7Yo3tN #Security https://t.co/Fkp5gTQbFk

    @Cezar_H_Linux

    16 Sept 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. URGENT: Patch SUSE Linux 15 SP5 now! Live Patch 20 fixes 10 kernel vulnerabilities, including CVE-2025-38001 (CVSS 8.5). Prevent privilege escalation and system crashes. Affected: #SUSE, #openSUSE Leap 15.5, #SAP servers. Read more: 👉 https://t.co/SmocRZdOFK https://t.co/5uS

    @Cezar_H_Linux

    15 Sept 2025

    60 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  9. 🚨 CRITICAL ALERT for @SUSELinux & @openSUSE users! Live Patch 17 for SLE 15 SP5/Leap 15.5 patches 9 vulnerabilities, including 2x CVSS 8.5 flaws (CVE-2025-38212, CVE-2025-38001). Read more:👉 https://t.co/YcyQobEZDQ #LinuxSecurity #CyberSecurity #SUSE https://t.co/khI04

    @Cezar_H_Linux

    14 Sept 2025

    41 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. URGENT: Patch #SUSE Linux NOW. Live Patch 17 for SLE 15 SP5 fixes 9 critical kernel vulnerabilities (CVE-2025-38212, CVE-2025-38001, etc.). Risk: Local Privilege Escalation & DoS. Read more:👉 https://t.co/qZMhtWMRT4 https://t.co/f532a39oB0

    @Cezar_H_Linux

    14 Sept 2025

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Urgent: #SUSE releases Live Patch 41 for Linux Kernel (SLE 15 SP4/Leap 15.4). Patches 4 vulnerabilities: CVE-2025-37890, CVE-2025-38000, CVE-2025-38001 (CVSS 8.5), CVE-2025-38212 (CVSS 8.5). Read more: 👉 https://t.co/L6VAeHng7B #Security https://t.co/FyoVgvjs8m

    @Cezar_H_Linux

    13 Sept 2025

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. URGENT: #SUSE releases critical Linux kernel security patch for SLE 15 SP4 and #openSUSE Leap 15.4. Fixes 6 vulnerabilities, including: ✅ CVE-2025-38212 (CVSS 8.5) - IPC UAF ✅ CVE-2025-38001 (CVSS 8.5) - HFSC flaw Read more:👉 https://t.co/uqFzf8yqz1 https://t.co/

    @Cezar_H_Linux

    13 Sept 2025

    114 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 Critical patch for #SUSE SLE 15 SP4 & #openSUSE Leap 15.4! Live Patch 31 fixes 9 kernel vulnerabilities, including high-severity CVEs: CVE-2025-38212 (CVSS 8.5). CVE-2025-38001 (CVSS 8.5) . Read more:👉 https://t.co/59ducSDAqD #Security https://t.co/NH2uNmjEHK

    @Cezar_H_Linux

    11 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. URGENT: #SUSE patches 6 critical Linux Kernel vulnerabilities (SUSE-SU-2025:03109-1). CVSS Scores up to 8.5! Impacts: CVE-2025-38212 (IPC), CVE-2025-38001 (HFSC), and more. Read more: 👉 https://t.co/BnY4fxSrYJ #Security https://t.co/i2uifmu70P

    @Cezar_H_Linux

    10 Sept 2025

    64 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. URGENT: #SUSE patches 5 critical CVEs in Linux Kernel RT for SLE 15 SP7. CVE-2025-38212 (CVSS 8.5): IPC flaw CVE-2025-38001 (CVSS 8.5): HFSC flaw Read more: 👉 https://t.co/X16DdiVkST https://t.co/NIxAz9kbmc

    @Cezar_H_Linux

    10 Sept 2025

    60 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. ''[CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS)'' #infosec #pentest #redteam #blueteam https://t.co/WRrelBgglY

    @CyberWarship

    20 Aug 2025

    2769 Impressions

    14 Retweets

    33 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  17. Linux vulnerability CVE-2025-38001 FIXED: serious impact on Google kernelCTF and Debian 12 https://t.co/iZ6DJtVyEl This vulnerability concerns the queue-management processing in HFSC, the Linux kernel's network traffic-control function. NETEM packet

    @iototsecnews

    18 Aug 2025

    132 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Researchers exploit CVE-2025-38001 to compromise Google kernelCTF instances and Debian 12 systems, earning $82K in bounties. Highlights need for thorough code audits. Link: https://t.co/q9wXqOIXWU #Security #Linux #Exploit #Kernel #Hacking #Bounty #CVE #Audit #Research #Tech

    @dailytechonx

    4 Aug 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. URGENT: #Ubuntu 20.04 LTS kernel patch USN-7671-3 fixes: 11 CVEs (7 CRITICAL). Netfilter RCE (CVE-2025-38001). GPU driver exploits Update NOW + recompile modules. Read more: 👉 https://t.co/MMyaWIzXcq https://t.co/ifdLD8q9DF

    @Cezar_H_Linux

    4 Aug 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Serious Use-After-Free vulnerability in the HFSC queuing discipline of the Linux network packet scheduler (CVE-2025-38001)

    @pocochi20250519

    4 Aug 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Exploiting a Use-After-Free vulnerability in the Linux network packet schedule (CVE-2025-38001) (@cor_ctf) https://t.co/t0C6wWlyWI #infosec #Linux https://t.co/r8cBRApYaX

    @0xor0ne

    4 Aug 2025

    7702 Impressions

    53 Retweets

    223 Likes

    89 Bookmarks

    2 Replies

    1 Quote

  22. [CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS) https://t.co/DdKtTXZhuI

    @hashimzulkifli

    4 Aug 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. [CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS) https://t.co/lQyWIZh8W4

    @Dinosn

    3 Aug 2025

    2130 Impressions

    2 Retweets

    13 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  24. Here are the popular articles for 2025-07-12. (automated tweet) #Hacker_Trends ――― [CVE-2025-38001] Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: A RBTree Family Drama (Part One: LTS & COS) https://t.co/o18JieEEim https://t.co/uKR

    @motikan2010

    13 Jul 2025

    98 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Latest news on #Hacking: In the last 24 hours, critical vulnerabilities have been discovered on several platforms, such as CVE-2025-38001 in Google and Debian 12, and CitrixBleed 2, as well as an attack on WordPress's Gravity Forms. The patches... 👉 https://t.co/V4Uug

    @JaimeARestrepo_

    12 Jul 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. URGENT: #Ubuntu 24.10/24.04 LTS kernel flaws (CVE-2025-38001, etc.) allow privilege escalation & network attacks. Patch via: sudo apt update && sudo apt upgrade. Read more: 👉https://t.co/alQePDB537 #LinuxSecurity https://t.co/TVamfHN1ZX

    @Cezar_H_Linux

    9 Jul 2025

    32 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 Breaking: #Linux kernel real-time (RT) systems are vulnerable to CVE-2025-38001 (Netfilter bypass) and CVE-2025-37997 (InfiniBand leaks). Patch via sudo apt upgrade + reboot. Details: 👉 https://t.co/W9iKrcUVIs #InfoSec https://t.co/X22mGbU04m

    @Cezar_H_Linux

    2 Jul 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Critical Linux Kernel (Real-time) Patch Alert! 🚀 CVE-2025-38001 & other flaws fixed in GPU, SMB, Netfilter. Read more: 👉 https://t.co/7VHqFLkBPu #Linux #Infosec #Ubuntu https://t.co/vC0C8n5Zpf

    @Cezar_H_Linux

    2 Jul 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CVE-2025-38001 In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are… https://t.co/7PzcmtFfNJ

    @CVEnew

    6 Jun 2025

    181 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes
