Bug 2370776 (CVE-2025-38001) - CVE-2025-38001 kernel: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
Summary: CVE-2025-38001 kernel: net_sched: hfsc: Address reentrant enqueue adding clas...
Keywords:
Status: NEW
Alias: CVE-2025-38001
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-06 14:03 UTC by OSIDB Bzimport
Modified: 2025-10-07 10:44 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:12311 0 None None None 2025-07-30 15:16:38 UTC
Red Hat Product Errata RHSA-2025:14511 0 None None None 2025-08-25 14:13:48 UTC
Red Hat Product Errata RHSA-2025:14692 0 None None None 2025-08-27 00:23:15 UTC
Red Hat Product Errata RHSA-2025:14742 0 None None None 2025-08-27 10:39:50 UTC
Red Hat Product Errata RHSA-2025:14744 0 None None None 2025-08-27 11:39:52 UTC
Red Hat Product Errata RHSA-2025:15035 0 None None None 2025-09-02 06:52:55 UTC
Red Hat Product Errata RHSA-2025:16538 0 None None None 2025-09-24 00:27:29 UTC
Red Hat Product Errata RHSA-2025:16539 0 None None None 2025-09-24 00:18:07 UTC
Red Hat Product Errata RHSA-2025:16540 0 None None None 2025-09-24 00:25:14 UTC
Red Hat Product Errata RHSA-2025:16541 0 None None None 2025-09-24 00:19:23 UTC
Red Hat Product Errata RHSA-2025:16580 0 None None None 2025-09-24 12:48:59 UTC
Red Hat Product Errata RHSA-2025:16582 0 None None None 2025-09-24 13:00:16 UTC
Red Hat Product Errata RHSA-2025:16583 0 None None None 2025-09-24 13:03:06 UTC

Description OSIDB Bzimport 2025-06-06 14:03:59 UTC
In the Linux kernel, the following vulnerability has been resolved:

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Savino says:
    "We are writing to report that this recent patch
    (141d34391abbb315d68556b7c67ad97885407547) [1]
    can be bypassed, and a UAF can still occur when HFSC is utilized with
    NETEM.

    The patch only checks the cl->cl_nactive field to determine whether
    it is the first insertion or not [2], but this field is only
    incremented by init_vf [3].

    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the
    check and insert the class twice in the eltree.
    Under normal conditions, this would lead to an infinite loop in
    hfsc_dequeue for the reasons we already explained in this report [5].

    However, if TBF is added as root qdisc and it is configured with a
    very low rate, it can be utilized to prevent packets from being dequeued.
    This behavior can be exploited to perform subsequent insertions in the
    HFSC eltree and cause a UAF."

To fix both the UAF and the infinite loop, with netem as an hfsc child,
check explicitly in hfsc_enqueue whether the class is already in the eltree
whenever the HFSC_RSC flag is set.

[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547
[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572
[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677
[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574
[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
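The failure mode described in the commit message above, as an added example that is not the kernel's sch_hfsc.c and not code from the upstream report or from Red Hat: the eltree is modelled as a sorted, singly linked intrusive list rather than an rbtree, and apart from HFSC_RSC, cl_flags, cl_nactive and eltree every name is a hypothetical stand-in. `enqueue_vulnerable` models the bypassed check that trusts cl_nactive (which the init_ed path never increments), `enqueue_fixed` models the fix that asks the tree itself whether the class is already linked when HFSC_RSC is set, and the bounded walk shows why a second insertion of the same intrusive node turns a dequeue loop into an infinite one.

```c
/* Added example, not kernel code: a minimal model of inserting an intrusive
 * node into a scheduler tree twice, and of the membership guard that stops it.
 * All names other than HFSC_RSC, cl_flags, cl_nactive and eltree are
 * hypothetical stand-ins chosen for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define HFSC_RSC 0x1u   /* real-time service curve flag, as in the report */

struct hfsc_class {
    unsigned int cl_flags;
    unsigned int cl_nactive;     /* in the real code only init_vf() bumps this */
    unsigned long cl_e;          /* eligible time: the eltree sort key */
    struct hfsc_class *el_next;  /* intrusive link: each class owns exactly one */
    bool el_linked;              /* stands in for "node is already in the tree" */
};

struct eltree { struct hfsc_class *head; };

/* Raw sorted insertion. Inserting the same node a second time makes its
 * single link point at itself: the list now contains a cycle. */
static void eltree_insert(struct eltree *t, struct hfsc_class *cl)
{
    struct hfsc_class **pp = &t->head;
    while (*pp && (*pp)->cl_e <= cl->cl_e)
        pp = &(*pp)->el_next;
    cl->el_next = *pp;
    *pp = cl;
    cl->el_linked = true;
}

/* Model of the bypassed check: cl_nactive is taken to mean "not queued yet".
 * An HFSC_RSC-only class goes through the init_ed() path, which never touches
 * cl_nactive, so the guard never closes. Returns 1 if the class was inserted. */
static int enqueue_vulnerable(struct eltree *t, struct hfsc_class *cl)
{
    if (cl->cl_nactive != 0)
        return 0;                /* only ever fires for init_vf() users */
    if (cl->cl_flags & HFSC_RSC)
        eltree_insert(t, cl);    /* init_ed(): no cl_nactive++ */
    return 1;
}

/* Model of the fix: when HFSC_RSC is set, consult the tree's own membership
 * state before inserting. Returns 0 (drop) on a reentrant enqueue, 1 otherwise. */
static int enqueue_fixed(struct eltree *t, struct hfsc_class *cl)
{
    if ((cl->cl_flags & HFSC_RSC) && cl->el_linked)
        return 0;                /* already in the eltree: refuse the reentry */
    if (cl->cl_nactive != 0)
        return 0;
    if (cl->cl_flags & HFSC_RSC)
        eltree_insert(t, cl);
    return 1;
}

/* Bounded walk, as a dequeue loop would do. Returns the number of nodes
 * reached, or -1 if 'limit' steps never reach the end (a cycle). */
static int eltree_walk_len(const struct eltree *t, int limit)
{
    int n = 0;
    for (const struct hfsc_class *cl = t->head; cl; cl = cl->el_next)
        if (++n > limit)
            return -1;
    return n;
}

/* Replay the reported sequence: one HFSC_RSC class enqueued, then enqueued
 * again reentrantly before any dequeue. Returns the walk result. */
static int simulate(bool fixed)
{
    struct eltree t = { NULL };
    struct hfsc_class cl = { .cl_flags = HFSC_RSC, .cl_e = 10 };  /* constructed */
    int (*enq)(struct eltree *, struct hfsc_class *) =
        fixed ? enqueue_fixed : enqueue_vulnerable;
    enq(&t, &cl);   /* first enqueue: legitimate */
    enq(&t, &cl);   /* reentrant enqueue of the same class */
    return eltree_walk_len(&t, 16);
}

int main(void)
{
    printf("vulnerable walk: %d (-1 = cycle)\n", simulate(false));
    printf("fixed walk:      %d\n", simulate(true));
    return 0;
}
```

The point the model makes for reviewers of similar code: an intrusive container can hold a node only once, so the "is it queued already" question must be answered by the container's own state (here `el_linked`, in the kernel the node's tree linkage), not by a side counter that only some code paths maintain.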

Comment 5 errata-xmlrpc 2025-07-30 15:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:12311 https://access.redhat.com/errata/RHSA-2025:12311

Comment 7 errata-xmlrpc 2025-08-25 14:13:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:14511 https://access.redhat.com/errata/RHSA-2025:14511

Comment 8 errata-xmlrpc 2025-08-27 00:23:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:14692 https://access.redhat.com/errata/RHSA-2025:14692

Comment 9 errata-xmlrpc 2025-08-27 10:39:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:14742 https://access.redhat.com/errata/RHSA-2025:14742

Comment 10 errata-xmlrpc 2025-08-27 11:39:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:14744 https://access.redhat.com/errata/RHSA-2025:14744

Comment 11 errata-xmlrpc 2025-09-02 06:52:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:15035 https://access.redhat.com/errata/RHSA-2025:15035

Comment 15 errata-xmlrpc 2025-09-24 00:18:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:16539 https://access.redhat.com/errata/RHSA-2025:16539

Comment 16 errata-xmlrpc 2025-09-24 00:19:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:16541 https://access.redhat.com/errata/RHSA-2025:16541

Comment 17 errata-xmlrpc 2025-09-24 00:25:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:16540 https://access.redhat.com/errata/RHSA-2025:16540

Comment 18 errata-xmlrpc 2025-09-24 00:27:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16538 https://access.redhat.com/errata/RHSA-2025:16538

Comment 19 errata-xmlrpc 2025-09-24 12:48:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Via RHSA-2025:16580 https://access.redhat.com/errata/RHSA-2025:16580

Comment 20 errata-xmlrpc 2025-09-24 13:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:16582 https://access.redhat.com/errata/RHSA-2025:16582

Comment 21 errata-xmlrpc 2025-09-24 13:03:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions

Via RHSA-2025:16583 https://access.redhat.com/errata/RHSA-2025:16583