In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the child qdisc's peek() operation before incrementing sch->q.qlen and sch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may trigger an immediate dequeue and potential packet drop. In such cases, qdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog have not yet been updated, leading to inconsistent queue accounting. This can leave an empty HFSC class in the active list, causing further consequences like use-after-free. This patch fixes the bug by moving the increment of sch->q.qlen and sch->qstats.backlog before the call to the child qdisc's peek() operation. This ensures that queue length and backlog are always accurate when packet drops or dequeues are triggered during the peek.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025060639-CVE-2025-38000-f5a4@gregkh/T
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Via RHSA-2025:14413 https://access.redhat.com/errata/RHSA-2025:14413
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:14746 https://access.redhat.com/errata/RHSA-2025:14746
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:14748 https://access.redhat.com/errata/RHSA-2025:14748
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583