{"id":"CVE-2025-37890","summary":"net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\n\nAs described in Gerrard's report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl-\u003eqdisc-\u003eq.qlen == 0 guarantees that it hasn't inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\n\nThis patch checks the n_active class variable to make sure that the code\nwon't insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/","modified":"2026-04-16T04:32:41.622719518Z","published":"2025-05-16T13:01:12.798Z","related":["ALSA-2025:12662","ALSA-2025:12746","ALSA-2025:12752","ALSA-2025:12753","SUSE-SU-2025:01964-1","SUSE-SU-2025:01965-1","SUSE-SU-2025:02000-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02264-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02308-1","SUSE-SU-2025:02320-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:03097-1","SUSE-SU-2025:03100-1","SUSE-SU-2025:03106-1","SUSE-SU-2025:03108-1","SUSE-SU-2025:03109-1","SUSE-SU-2025:03111-1","SUSE-SU-2025:03123-1","SUSE-SU-2025:03124-1","SUSE-SU-2025:03126-1","SUSE-SU-2025:03129-1","SUSE-SU-2025:03130-1","SUSE-SU-2025:03133-1","SUSE-SU-2025:03148-1","SUSE-SU-2025:03153-1","SUSE-SU-2025:03154-1","SUSE-SU-2025:03156-1","SUSE-SU-2025:03160-1","SUSE-SU-2025:03165-1","SUSE-SU-2025:03175-1","SUSE-SU-2025:03179-1","SUSE-SU-2025:03180-1","SUSE-SU-2025:03181-1","SUSE-SU-2025:03182-1","SUSE-SU-2025:03184-1","SUSE-SU-2025:03185-1","SUSE-SU-2025:03186-1","SUSE-SU-2025:03190-1","SUSE-SU-2025:03191-1","SUSE-SU-2025:03194-1","SUSE-SU-2025:03195-1","SUSE-SU-2025:03207-1","SUSE-SU-2025:03208-1","SUSE-SU-2025:03209-1","SUSE-SU-2025:03210-1","SUSE-SU-2025:03212-1","SUSE-SU-2025:03215-1","SUSE-SU-2025:03217-1","SUSE-SU-2025:03223-1","SUSE-SU-2025:03226-1","SUSE-SU-2025:03235-1","SUSE-SU-2025:20408-1","SUSE-SU-2025:20413-1","SUSE-SU-2025:20419-1","SUSE-SU-2025:20421-1","SUSE-SU-2025:20698-1","SUSE-SU-2025:20699-1","SUSE-SU-2025:20700-1","SUSE-SU-2025:20703-1","SUSE-SU-2025:20704-1","SUSE-SU-2025:20705-1","SUSE-SU-2025:20706-1","SUSE-SU-2025:20707-1","SUSE-SU-2025:20711-1","SUSE-SU-2025:20712-1","SUSE-SU-2025:20714-1","SUSE-SU-2025:20761-1","SUSE-SU-2025:20763-1","SUSE-SU-2025:20766-1","SUSE-SU-2025:20767-1","SUSE-SU-2025:20775-1","SUSE-SU-2025:20776-1","SUSE-SU-2025:20777-1","SUSE-SU-2025:20778-1","SUSE-SU-2025:20782-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37890.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/141d34391abbb315d68556b7c67ad97885407547"},{"type":"WEB","url":"https://git.kernel.org/stable/c/273bbcfa53541cde38b2003ad88a59b770306421"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e7093c7a8aba5d4f8809f271488e5babe75e202"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6082a87af4c52f58150d40dec1716011d871ac21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8df7d37d626430035b413b97cee18396b3450bef"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ac39fd4a757584d78ed062d4f6fd913f83bd98b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0cf8ee23e1915431f262a7b2dee0c7a7d699af0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3e949a39a91d1f829a4890e7dfe9417ac72e4d0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37890.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37890"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea"},{"fixed":"273bbcfa53541cde38b2003ad88a59b770306421"},{"fixed":"e0cf8ee23e1915431f262a7b2dee0c7a7d699af0"},{"fixed":"e3e949a39a91d1f829a4890e7dfe9417ac72e4d0"},{"fixed":"8df7d37d626430035b413b97cee18396b3450bef"},{"fixed":"6082a87af4c52f58150d40dec1716011d871ac21"},{"fixed":"2e7093c7a8aba5d4f8809f271488e5babe75e202"},{"fixed":"ac39fd4a757584d78ed062d4f6fd913f83bd98b5"},{"fixed":"141d34391abbb315d68556b7c67ad97885407547"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-37890.json"}}],"schema_version":"1.7.5"}