{
  "threat_severity" : "Important",
  "public_date" : "2025-05-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc",
    "id" : "2366848",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2366848"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc\nAs described in Gerrard's report [1], we have a UAF case when an hfsc class\nhas a netem child qdisc. The crux of the issue is that hfsc is assuming\nthat checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted\nthe class in the vttree or eltree (which is not true for the netem\nduplicate case).\nThis patch checks the n_active class variable to make sure that the code\nwon't insert the class in the vttree or eltree twice, catering for the\nreentrant case.\n[1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/", "A use-after-free vulnerability has been identified in the Linux kernel's HFSC (Hierarchical Fair Service Curve) queuing discipline when it is configured with NETEM (Network Emulation) as a child. This flaw can lead to a kernel panic or crash due to incorrect assumptions about the queue state.\nExploitation of this vulnerability requires local access with CAP_NET_ADMIN privileges and control over the qdisc (queueing discipline) setup. A local attacker could leverage this flaw to achieve denial of service or escalate privileges. Given that it affects kernel memory structures, successful exploitation could result in memory corruption, data leaks, or arbitrary write capabilities, leading to a full kernel crash." ],
  "statement" : "On Red Hat Enterprise Linux 8 and later releases, regular (non-root) users can exploit this issue by abusing unprivileged user namespaces. Red Hat Enterprise Linux 6 and 7 are not affected by this CVE because they did not include the upstream commit that introduced the CVE (37d9cf1).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.25.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12753",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.66.1.rt7.407.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12752",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.66.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16582",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14742",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.165.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16580",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16583",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16538",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14744",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.144.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14749",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.144.1.rt21.216.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16541",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.0",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12209",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.128.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16539",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-06T00:00:00Z",
    "advisory" : "RHSA-2025:13135",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.81.1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16540",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.4",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-37890\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37890\nhttps://lore.kernel.org/linux-cve-announce/2025051617-CVE-2025-37890-437b@gregkh/T" ],
  "name" : "CVE-2025-37890",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sch_hfsc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}