{
  "threat_severity" : "Important",
  "public_date" : "2025-06-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()",
    "id" : "2370786",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2370786"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc's peek() operation before incrementing sch->q.qlen and\nsch->qstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\nThis patch fixes the bug by moving the increment of sch->q.qlen and\nsch->qstats.backlog before the call to the child qdisc's peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek.", "A flaw was found in the HFSC queueing discipline implementation in the Linux kernel. When a packet is enqueued and the child qdisc's peek() function is called before properly updating the HFSC queue's length and backlog counters, a race condition can occur. In some cases, the peek operation may trigger an immediate dequeue and drop, leading to inconsistent queue accounting. This may leave an empty HFSC class in the active list, eventually causing use-after-free (UAF) conditions. Due to the nature of this memory corruption (use-after-free or list corruption) in kernel scheduler code, a successful exploit could lead to privilege escalation, data leakage, or denial of service. Therefore, the CIA impact is assessed as HHH to reflect a worst-case." ],
  "statement" : "On Red Hat Enterprise Linux 8 and later releases, regular (non-root) users can exploit this issue by abusing unprivileged user namespaces. On Red Hat Enterprise Linux 7, unprivileged user namespaces are disabled by default. Red Hat Enterprise Linux 6 did not include support for them at all, meaning that root privileges are necessary to trigger this flaw.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14413",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.7",
    "package" : "kernel-0:3.10.0-1062.99.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14746",
    "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7",
    "package" : "kernel-rt-0:3.10.0-1160.137.1.rt56.1289.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14748",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "kernel-0:3.10.0-1160.137.1.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16582",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14742",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.165.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16580",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16583",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16538",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14744",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.144.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16541",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.0",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12209",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.128.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16539",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16540",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.4",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38000\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38000\nhttps://lore.kernel.org/linux-cve-announce/2025060639-CVE-2025-38000-f5a4@gregkh/T" ],
  "name" : "CVE-2025-38000",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sch_hfsc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}