CVE-2025-37913

Summary

In the Linux kernel, the following vulnerability has been resolved:

net_sched: qfq: Fix double list add in class with netem as child qdisc

As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption.

This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

Affected Software

VendorProductVersion RangeStatus
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 041f410aec2c1751ee22b8b73ba05d38c3a6a602affected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 005a479540478a820c52de098e5e767e63e36f0aaffected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 0bf32d6fb1fcbf841bb9945570e0e2a70072c00faffected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 0aa23e0856b7cedb3c88d8e3d281c212c7e4fbebaffected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < a43783119e01849fbf2fe8855634e8989b240cb4affected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 53bc0b55178bd59bdd4bcd16349505cabf54b1a2affected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < 370218e8ce711684acc4cdd3cc3c6dd7956bc165affected
LinuxLinux37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea < f139f37dcdf34b67f5bf92bc8e0f7f6b3ac63aa4affected
LinuxLinux5.0affected
LinuxLinux0 < 5.0unaffected
LinuxLinux5.4.294 <= 5.4.*unaffected
LinuxLinux5.10.238 <= 5.10.*unaffected
LinuxLinux5.15.182 <= 5.15.*unaffected
LinuxLinux6.1.138 <= 6.1.*unaffected
LinuxLinux6.6.90 <= 6.6.*unaffected
LinuxLinux6.12.28 <= 6.12.*unaffected
LinuxLinux6.14.6 <= 6.14.*unaffected
LinuxLinux6.15 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References