Bug 2370786 (CVE-2025-38000)

Summary: CVE-2025-38000 kernel: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the HFSC queueing discipline implementation in the Linux kernel. When a packet is enqueued and the child qdisc's peek() function is called before properly updating the HFSC queue's length and backlog counters, a race condition can occur. In some cases, the peek operation may trigger an immediate dequeue and drop, leading to inconsistent queue accounting. This may leave an empty HFSC class in the active list, eventually causing use-after-free (UAF) conditions. Due to the nature of this memory corruption (use-after-free or list corruption) in kernel scheduler code, a successful exploit could lead to privilege escalation, data leakage, or denial of service. Therefore, the CIA impact is assessed as HHH to reflect a worst-case.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-06-06 14:04:22 UTC 
In the Linux kernel, the following vulnerability has been resolved:

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the
child qdisc's peek() operation before incrementing sch->q.qlen and
sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may
trigger an immediate dequeue and potential packet drop. In such cases,
qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog
have not yet been updated, leading to inconsistent queue accounting. This
can leave an empty HFSC class in the active list, causing further
consequences like use-after-free.

This patch fixes the bug by moving the increment of sch->q.qlen and
sch->qstats.backlog before the call to the child qdisc's peek() operation.
This ensures that queue length and backlog are always accurate when packet
drops or dequeues are triggered during the peek.
Comment 1 Jon Moroney 2025-06-06 16:22:00 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025060639-CVE-2025-38000-f5a4@gregkh/T
Comment 7 errata-xmlrpc 2025-08-25 01:39:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2025:14413 https://access.redhat.com/errata/RHSA-2025:14413
Comment 8 errata-xmlrpc 2025-08-25 14:13:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511
Comment 9 errata-xmlrpc 2025-08-27 00:23:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692
Comment 10 errata-xmlrpc 2025-08-27 10:39:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742
Comment 11 errata-xmlrpc 2025-08-27 11:39:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744
Comment 12 errata-xmlrpc 2025-08-27 11:40:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14746 https://access.redhat.com/errata/RHSA-2025:14746
Comment 13 errata-xmlrpc 2025-08-27 12:39:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:14748 https://access.redhat.com/errata/RHSA-2025:14748
Comment 14 errata-xmlrpc 2025-09-02 06:52:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035
Comment 18 errata-xmlrpc 2025-09-24 00:18:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539
Comment 19 errata-xmlrpc 2025-09-24 00:19:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541
Comment 20 errata-xmlrpc 2025-09-24 00:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540
Comment 21 errata-xmlrpc 2025-09-24 00:27:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538
Comment 22 errata-xmlrpc 2025-09-24 12:48:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580
Comment 23 errata-xmlrpc 2025-09-24 13:00:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582
Comment 24 errata-xmlrpc 2025-09-24 13:03:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583