{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-18T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0",
    "id" : "2346272",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2346272"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-438",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n- Qdisc_A's type must have '->graft()' function to create parent/child relationship.\nLet's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n- Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n- Qdisc_B is configured to have `sch->limit == 0`.\n- Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\nEnqueue packet through Qdisc_A will lead to:\n- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n- Qdisc_B->q.qlen += 1\n- pfifo_tail_enqueue() return `NET_XMIT_CN`\n- hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable." ],
  "statement" : "The default scheduler is pfifo_fast (and fd_codel for rhel8). This bug in BFIFO (sch_fifo) scheduler is not easy triggerable (requires usage of two qdiscs with special configuration). Both cannot trigger it before sch_fifo enabled. Rated to be Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21702\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21702\nhttps://lore.kernel.org/linux-cve-announce/2025021847-CVE-2025-21702-3aa3@gregkh/T" ],
  "name" : "CVE-2025-21702",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}