{"id":"CVE-2025-37797","summary":"net_sched: hfsc: Fix a UAF vulnerability in class handling","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn't emptied.","modified":"2026-04-16T04:33:14.795798031Z","published":"2025-05-02T14:16:01.905Z","related":["ALSA-2025:11855","ALSA-2025:11861","ALSA-2025:16919","ALSA-2025:16920","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:01983-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02588-1","SUSE-SU-2025:02601-1","SUSE-SU-2025:02602-1","SUSE-SU-2025:02604-1","SUSE-SU-2025:02606-1","SUSE-SU-2025:02607-1","SUSE-SU-2025:02608-1","SUSE-SU-2025:02610-1","SUSE-SU-2025:02611-1","SUSE-SU-2025:02618-1","SUSE-SU-2025:02619-1","SUSE-SU-2025:02627-1","SUSE-SU-2025:02632-1","SUSE-SU-2025:02636-1","SUSE-SU-2025:02637-1","SUSE-SU-2025:02638-1","SUSE-SU-2025:02647-1","SUSE-SU-2025:02648-1","SUSE-SU-2025:02652-1","SUSE-SU-2025:02671-1","SUSE-SU-2025:02673-1","SUSE-SU-2025:02676-1","SUSE-SU-2025:02687-1","SUSE-SU-2025:02688-1","SUSE-SU-2025:02689-1","SUSE-SU-2025:02691-1","SUSE-SU-2025:02693-1","SUSE-SU-2025:02697-1","SUSE-SU-2025:02698-1","SUSE-SU-2025:02704-1","SUSE-SU-2025:02707-1","SUSE-SU-2025:02708-1","SUSE-SU-2025:02710-1","SUSE-SU-2025:02848-1","SUSE-SU-2025:02850-1","SUSE-SU-2025:02852-1","SUSE-SU-2025:02858-1","SUSE-SU-2025:02942-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1","SUSE-SU-2025:20568-1","SUSE-SU-2025:20569-1","SUSE-SU-2025:20570-1","SUSE-SU-2025:20572-1","SUSE-SU-2025:20573-1","SUSE-SU-2025:20574-1","SUSE-SU-2025:20575-1","SUSE-SU-2025:20576-1","SUSE-SU-2025:20578-1","SUSE-SU-2025:20579-1","SUSE-SU-2025:20580-1","SUSE-SU-2025:20581-1","SUSE-SU-2025:20582-1","SUSE-SU-2025:20583-1","SUSE-SU-2025:20584-1","SUSE-SU-2025:20610-1","SUSE-SU-2025:20611-1","SUSE-SU-2025:20612-1","SUSE-SU-2025:20613-1","SUSE-SU-2025:20614-1","SUSE-SU-2025:20615-1","SUSE-SU-2025:20616-1","SUSE-SU-2025:20620-1","SUSE-SU-2025:20621-1","SUSE-SU-2025:20622-1","SUSE-SU-2025:20623-1","SUSE-SU-2025:20624-1","SUSE-SU-2025:20625-1","SUSE-SU-2025:4123-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37797.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/20d584a33e480ae80d105f43e0e7b56784da41b9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/28b09a067831f7317c3841812276022d6c940677"},{"type":"WEB","url":"https://git.kernel.org/stable/c/39b9095dd3b55d9b2743df038c32138efa34a9de"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3aa852e3605000d5c47035c3fc3a986d14ccfa9f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3df275ef0a6ae181e8428a6589ef5d5231e58b5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/86cd4641c713455a4f1c8e54c370c598c2b1cee0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb583c88d23b72d8d16453d24856c99bd93dadf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fcc8ede663569c704fb00a702973bd6c00373283"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37797.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37797"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14"},{"fixed":"28b09a067831f7317c3841812276022d6c940677"},{"fixed":"39b9095dd3b55d9b2743df038c32138efa34a9de"},{"fixed":"fcc8ede663569c704fb00a702973bd6c00373283"},{"fixed":"20d584a33e480ae80d105f43e0e7b56784da41b9"},{"fixed":"3aa852e3605000d5c47035c3fc3a986d14ccfa9f"},{"fixed":"86cd4641c713455a4f1c8e54c370c598c2b1cee0"},{"fixed":"bb583c88d23b72d8d16453d24856c99bd93dadf5"},{"fixed":"3df275ef0a6ae181e8428a6589ef5d5231e58b5c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37797.json"}}],"schema_version":"1.7.5"}