Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-38107

Опубликовано: 03 июл. 2025
Источник: nvd
CVSS3: 7
EPSS Низкий

Описание

In the Linux kernel, the following vulnerability has been resolved:

net_sched: ets: fix a race in ets_qdisc_change()

Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.

The race is as follows:

CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 5.4.213 (включая) до 5.5 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 5.10.142 (включая) до 5.10.239 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 5.15.66 (включая) до 5.15.186 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 5.19.8 (включая) до 6.0 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.0.1 (включая) до 6.1.142 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.2 (включая) до 6.6.94 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.7 (включая) до 6.12.34 (исключая)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Версия от 6.13 (включая) до 6.15.3 (исключая)
cpe:2.3:o:linux:linux_kernel:6.0:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.0:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

EPSS

Процентиль: 2%
0.00014
Низкий

7 High

CVSS3

Дефекты

CWE-362

Связанные уязвимости

ubuntu логотип

CVE-2025-38107

CVSS3: 7
ubuntu
6 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

redhat логотип

CVE-2025-38107

CVSS3: 7
redhat
6 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

msrc логотип

CVE-2025-38107

msrc
5 месяцев назад

net_sched: ets: fix a race in ets_qdisc_change()

debian логотип

CVE-2025-38107

CVSS3: 7
debian
6 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: n ...

github логотип

GHSA-6fmq-5w8g-7pm6

CVSS3: 7
github
6 месяцев назад

In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

EPSS

Процентиль: 2%
0.00014
Низкий

7 High

CVSS3

Дефекты

CWE-362