Описание
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows:
- hfsc_change_class() checks if a class has packets (q.qlen != 0)
- It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue
- The code continues assuming the queue is still non-empty, adding the class to vttree
- This breaks HFSC scheduler assumptions that only non-empty classes are in vttree
- Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
Отчет
The bug could happen only when qdisc with child qdiscs like netem or codel being used.
Меры по смягчению последствий
To mitigate this issue, prevent module sch_hfsc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | kernel | Out of support scope | ||
| Red Hat Enterprise Linux 9 | kernel-rt | Affected | ||
| Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:11855 | 28.07.2025 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel-rt | Fixed | RHSA-2025:21082 | 12.11.2025 |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | kernel | Fixed | RHSA-2025:21063 | 12.11.2025 |
| Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2025:16920 | 29.09.2025 |
| Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2025:16919 | 29.09.2025 |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | kernel | Fixed | RHSA-2025:21667 | 18.11.2025 |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | kernel | Fixed | RHSA-2025:22752 | 04.12.2025 |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | kernel | Fixed | RHSA-2025:22752 | 04.12.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
7 High
CVSS3
Связанные уязвимости
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class handling This patch fixes a Use-After-Free vulnerability in the HFSC qdisc class handling. The issue occurs due to a time-of-check/time-of-use condition in hfsc_change_class() when working with certain child qdiscs like netem or codel. The vulnerability works as follows: 1. hfsc_change_class() checks if a class has packets (q.qlen != 0) 2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g., codel, netem) might drop packets and empty the queue 3. The code continues assuming the queue is still non-empty, adding the class to vttree 4. This breaks HFSC scheduler assumptions that only non-empty classes are in vttree 5. Later, when the class is destroyed, this can lead to a Use-After-Free The fix adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied.
In the Linux kernel, the following vulnerability has been resolved: n ...
Security update for the Linux Kernel (Live Patch 59 for SLE 15 SP3)
EPSS
7 High
CVSS3