Bug 2366848 (CVE-2025-37890)

Summary: CVE-2025-37890 kernel: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: anbernal, dfreiber, drow, jburrell, mcascell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free vulnerability has been identified in the Linux kernel's HFSC (Hierarchical Fair Service Curve) queuing discipline when it is configured with NETEM (Network Emulation) as a child. This flaw can lead to a kernel panic or crash due to incorrect assumptions about the queue state. Exploitation of this vulnerability requires local access with CAP_NET_ADMIN privileges and control over the qdisc (queueing discipline) setup. A local attacker could leverage this flaw to achieve denial of service or escalate privileges. Given that it affects kernel memory structures, successful exploitation could result in memory corruption, data leaks, or arbitrary write capabilities, leading to a full kernel crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-05-16 14:01:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

As described in Gerrard's report [1], we have a UAF case when an hfsc class
has a netem child qdisc. The crux of the issue is that hfsc is assuming
that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted
the class in the vttree or eltree (which is not true for the netem
duplicate case).

This patch checks the n_active class variable to make sure that the code
won't insert the class in the vttree or eltree twice, catering for the
reentrant case.

[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
Comment 1 Avinash Hanwate 2025-05-19 03:35:45 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025051617-CVE-2025-37890-437b@gregkh/T
Comment 15 errata-xmlrpc 2025-08-04 09:20:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:12662 https://access.redhat.com/errata/RHSA-2025:12662
Comment 16 errata-xmlrpc 2025-08-04 16:18:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:12746 https://access.redhat.com/errata/RHSA-2025:12746
Comment 17 errata-xmlrpc 2025-08-04 16:23:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:12753 https://access.redhat.com/errata/RHSA-2025:12753
Comment 18 errata-xmlrpc 2025-08-04 16:51:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:12752 https://access.redhat.com/errata/RHSA-2025:12752
Comment 19 errata-xmlrpc 2025-08-06 07:51:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:13135 https://access.redhat.com/errata/RHSA-2025:13135
Comment 22 errata-xmlrpc 2025-08-25 14:13:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511
Comment 23 errata-xmlrpc 2025-08-27 00:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692
Comment 24 errata-xmlrpc 2025-08-27 10:39:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742
Comment 25 errata-xmlrpc 2025-08-27 11:39:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744
Comment 26 errata-xmlrpc 2025-08-27 13:19:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14749 https://access.redhat.com/errata/RHSA-2025:14749
Comment 27 errata-xmlrpc 2025-09-02 06:52:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035
Comment 35 errata-xmlrpc 2025-09-24 00:18:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539
Comment 36 errata-xmlrpc 2025-09-24 00:19:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541
Comment 37 errata-xmlrpc 2025-09-24 00:25:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540
Comment 38 errata-xmlrpc 2025-09-24 00:27:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538
Comment 39 errata-xmlrpc 2025-09-24 12:48:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580
Comment 40 errata-xmlrpc 2025-09-24 13:00:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582
Comment 41 errata-xmlrpc 2025-09-24 13:03:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583