AI description
CVE-2025-38477 is a race condition vulnerability in the Linux kernel's Quick Fair Queueing (QFQ) scheduler. The vulnerability occurs when the 'agg' parameter is modified in `qfq_change_agg` (called during `qfq_enqueue`) while other threads concurrently access it. This can lead to a NULL pointer dereference in `qfq_dump_class` or a use-after-free condition in `qfq_delete_class`. The vulnerability impacts the network scheduling functionality and could lead to system crashes or denial of service. The issue is resolved by moving `qfq_destroy_class` into the critical section and adding `sch_tree_lock` protection to `qfq_dump_class` and `qfq_dump_class_stats` functions. The vulnerability can be triggered locally by users with CAP_NET_ADMIN privileges.
- Description: In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate. A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.
- Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status: Analyzed
- Products: linux_kernel, debian_linux
CVSS 3.1
- Type: Primary
- Base score: 4.7
- Impact score: 3.6
- Exploitability score: 1
- Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
- Severity: MEDIUM
- nvd@nist.gov: CWE-362
- Hype score: Not currently trending
Top 5 Trending CVEs: 1 - CVE-2010-5139 2 - CVE-2025-38477 3 - CVE-2025-54574 4 - CVE-2013-3219 5 - CVE-2025-8671 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
9 Nov 2025
kernelCTF: CVE-2025-38477 kernelCTF entry for a race condition in the network scheduler subsystem. Most notably, shows a technique of putting controlled data into unmapped sections of vmlinux. https://t.co/cmGMHb2Irl https://t.co/HoUtU0JAmq
@linkersec
7 Nov 2025
CVE-2025-38477 In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is… https://t.co/R905dMrBsD
@CVEnew
28 Jul 2025
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EBF3B8C2-84E4-43F6-ABEB-01BED5979D49",
            "versionEndExcluding": "5.4.297",
            "versionStartIncluding": "3.8"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D0D21C35-EB8A-488A-BBF9-403E4817E5DD",
            "versionEndExcluding": "5.10.241",
            "versionStartIncluding": "5.5"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AD9E597F-3DDE-4D7E-976C-463D0611F13F",
            "versionEndExcluding": "5.15.190",
            "versionStartIncluding": "5.11"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4FD62FC-0DAE-4ACE-8C9C-66156518C3E1",
            "versionEndExcluding": "6.1.147",
            "versionStartIncluding": "5.16"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "094B81E0-B756-4727-85CA-F3F8D1C9D116",
            "versionEndExcluding": "6.6.100",
            "versionStartIncluding": "6.2"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0099D5A4-B157-4D36-8858-982C7D579030",
            "versionEndExcluding": "6.12.40",
            "versionStartIncluding": "6.7"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C7AFE5B0-F3B1-4D30-B8BF-EDA0385C4746",
            "versionEndExcluding": "6.15.8",
            "versionStartIncluding": "6.13"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6D4894DB-CCFE-4602-B1BF-3960B2E19A01"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "09709862-E348-4378-8632-5A7813EDDC86"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "415BF58A-8197-43F5-B3D7-D1D63057A26E"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A0517869-312D-4429-80C2-561086E1421C"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "85421F4E-C863-4ABF-B4B4-E887CC2F7F92"
          },
          {
            "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:rc6:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3827F0D4-5FEE-4181-B267-5A45E7CA11FC"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
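A first-pass triage check of a kernel release string against the upstream version ranges in the configuration above, as an added example that is not part of the original record. The ranges are copied from the `versionStartIncluding` / `versionEndExcluding` values and the 6.16 rc entries on this page; the function names `parse_release` and `in_listed_range` are hypothetical.

```python
import re

# Upstream ranges copied from the cpeMatch entries on this page:
# (versionStartIncluding, versionEndExcluding)
AFFECTED_RANGES = [
    ("3.8", "5.4.297"), ("5.5", "5.10.241"), ("5.11", "5.15.190"),
    ("5.16", "6.1.147"), ("6.2", "6.6.100"), ("6.7", "6.12.40"),
    ("6.13", "6.15.8"),
]
# Pre-releases the page lists individually: 6.16 rc1 through rc6.
AFFECTED_RCS = {((6, 16, 0), n) for n in range(1, 7)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into ((major, minor, patch), rc)."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    return base, (int(rc) if rc else None)


def in_listed_range(release):
    """True if the upstream version falls in a range listed on this page."""
    base, rc = parse_release(release)
    # 6.16 pre-releases are enumerated one by one rather than as a range.
    if rc is not None and base[:2] == (6, 16):
        return (base, rc) in AFFECTED_RCS
    for start, end in AFFECTED_RANGES:
        lo, _ = parse_release(start)
        hi, _ = parse_release(end)
        if lo <= base < hi:  # start inclusive, end exclusive
            return True
    return False


if __name__ == "__main__":
    import platform
    rel = platform.release()
    verdict = "in a listed range" if in_listed_range(rel) else "not in a listed range"
    print(f"{rel}: {verdict}")
```

Distribution kernels often backport fixes or report an ABI name rather than the upstream patch level, so a match here is a prompt to check the vendor's advisory rather than a verdict.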