{"id":"CVE-2025-38107","summary":"net_sched: ets: fix a race in ets_qdisc_change()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock.","modified":"2026-04-16T04:30:31.163386917Z","published":"2025-07-03T08:35:17.487Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38107.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38107.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38107"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"699d82e9a6db29d509a71f1f2f4316231e6232e6"},{"fixed":"eb7b74e9754e1ba2088f914ad1f57a778b11894b"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ce881ddbdc028fb1988b66e40e45ca0529c23b46"},{"fixed":"0b479d0aa488cb478eb2e1d8868be946ac8afb4f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b05972f01e7d30419987a1f221b5593668fd6448"},{"fixed":"347867cb424edae5fec1622712c8dd0a2c42918f"},{"fixed":"0383b25488a545be168744336847549d4a2d3d6c"},{"fixed":"073f64c03516bcfaf790f8edc772e0cfb8a84ec3"},{"fixed":"fed94bd51d62d2e0e006aa61480e94e5cd0582b0"},{"fixed":"d92adacdd8c2960be856e0b82acc5b7c5395fddb"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"fffa19b5e58c34004a0d6f642d9c24b11d213994"},{"last_affected":"fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38107.json"}}],"schema_version":"1.7.5"}