Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: fix use-after-free in taprio_dev_notifier
Since taprio’s taprio_dev_notifier() isn’t protected by an RCU read-side critical section, a race with advance_sched() can lead to a use-after-free. Adding rcu_read_lock() inside taprio_dev_notifier() prevents this.
Report
A race condition in taprio_dev_notifier() could lead to a use-after-free (UAF) when it accesses q->oper_sched or q->admin_sched outside of an RCU read-side critical section. This could be exploited by triggering concurrent updates to the taprio scheduler (e.g., via traffic control tools). The issue is resolved by wrapping the relevant accesses in rcu_read_lock()/rcu_read_unlock() and switching from rtnl_dereference() to rcu_dereference().

While the exploitability is low (it requires root or CAP_NET_ADMIN), this is a clear use-after-free that can potentially compromise kernel memory. Therefore, CIA: HHH. The Privileges Required value for the CVSS could be Low or High depending on the default permissions in the system: a user who has access to the qdisc can trigger the issue, but by default a user does not have such access in Red Hat Enterprise Linux, which limits the impact level of this vulnerability to Moderate.

The CVSS base score is approximately:
6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) in systems where access to traffic control is restricted (like Red Hat Enterprise Linux).
7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) if unprivileged users are allowed to manipulate qdiscs.

The related kernel config parameter CONFIG_NET_SCH_TAPRIO is enabled only for the latest versions of Red Hat Enterprise Linux 9 and is disabled for Red Hat Enterprise Linux 8 and before.
Mitigation
To mitigate this issue, prevent module sch_taprio from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.
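To check whether the mitigation above is actually in effect on a host, the following shell example (added here, not part of the original advisory) reports the state of sch_taprio. The function names and the four status words are made up for this sketch; the directories passed at the end are the standard modprobe.d locations.

```shell
#!/bin/sh
# Added example: report whether sch_taprio can still be loaded on this host.
MODULE="sch_taprio"

# True if a *.conf file in the given modprobe.d directories matches the regex.
conf_matches() {
    re="$1"; shift
    for d in "$@"; do
        for f in "$d"/*.conf; do
            [ -f "$f" ] || continue
            grep -Eq "$re" "$f" && return 0
        done
    done
    return 1
}

# taprio_status MODULES_FILE DIR...
# Prints one of: loaded | blocked | blacklist-only | unprotected
taprio_status() {
    modules_file="$1"; shift
    s='[[:space:]]'
    # A module already in memory is not removed by any modprobe.d entry.
    if [ -r "$modules_file" ] && grep -q "^$MODULE " "$modules_file"; then
        echo loaded; return 0
    fi
    # "install <mod> /bin/false" (or /bin/true) turns every load attempt into a no-op.
    if conf_matches "^$s*install$s+$MODULE$s+/(usr/)?bin/(false|true)$s*\$" "$@"; then
        echo blocked; return 0
    fi
    # "blacklist" alone only suppresses alias-based autoloading (see modprobe.d(5)).
    if conf_matches "^$s*blacklist$s+$MODULE$s*\$" "$@"; then
        echo blacklist-only; return 0
    fi
    echo unprotected
}

taprio_status /proc/modules /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```

A result of `loaded` means the module is already resident and has to be unloaded (or the host rebooted) before a modprobe.d entry has any effect; `blacklist-only` means an explicit load request can still succeed.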
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel | Not affected | | |
Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 8 | kernel | Not affected | | |
Red Hat Enterprise Linux 8 | kernel-rt | Not affected | | |
Red Hat Enterprise Linux 9 | kernel-rt | Affected | | |
Red Hat Enterprise Linux 10 | kernel | Fixed | RHSA-2025:12662 | 04.08.2025 |
Red Hat Enterprise Linux 9 | kernel | Fixed | RHSA-2025:12746 | 04.08.2025 |
Red Hat Enterprise Linux 9.4 Extended Update Support | kernel | Fixed | RHSA-2025:11810 | 28.07.2025 |
Additional information
CVSS3: 7.8 High