{
  "threat_severity" : "Important",
  "public_date" : "2025-06-06T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
    "id" : "2370776",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2370776"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\nSavino says:\n\"We are writing to report that this recent patch\n(141d34391abbb315d68556b7c67ad97885407547) [1]\ncan be bypassed, and a UAF can still occur when HFSC is utilized with\nNETEM.\nThe patch only checks the cl->cl_nactive field to determine whether\nit is the first insertion or not [2], but this field is only\nincremented by init_vf [3].\nBy using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\ncheck and insert the class twice in the eltree.\nUnder normal conditions, this would lead to an infinite loop in\nhfsc_dequeue for the reasons we already explained in this report [5].\nHowever, if TBF is added as root qdisc and it is configured with a\nvery low rate,\nit can be utilized to prevent packets from being dequeued.\nThis behavior can be exploited to perform subsequent insertions in the\nHFSC eltree and cause a UAF.\"\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u", "A use-after-free (UAF) vulnerability, which also presents a potential infinite loop condition, has been resolved in the Linux kernel. This flaw affects the HFSC (Hierarchical Fair Service Curve) queuing discipline when it is used in conjunction with NETEM (Network Emulation).\nA malicious user could exploit this by repeatedly inserting a class into the eltree due to insufficient validation in prior logic, effectively bypassing the protection provided by the HFSC_RSC flag. Successful exploitation could lead to memory corruption, an infinite loop, or a system crash, severely impacting network availability and system stability." ],
  "statement" : "On Red Hat Enterprise Linux 8 and later releases, regular (non-root) users can exploit this issue by abusing unprivileged user namespaces. Red Hat Enterprise Linux 6 and 7 are not affected by this CVE because they did not include the upstream commit that introduced the CVE (37d9cf1).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16582",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14742",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "kernel-0:4.18.0-193.165.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14692",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.158.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16580",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-25T00:00:00Z",
    "advisory" : "RHSA-2025:14511",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kernel-0:4.18.0-477.107.1.el8_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16583",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16538",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14744",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.144.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16541",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.0",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-29T00:00:00Z",
    "advisory" : "RHSA-2025:12209",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "kernel-0:5.14.0-284.128.1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-07-30T00:00:00Z",
    "advisory" : "RHSA-2025:12311",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv",
    "package" : "kernel-rt-0:5.14.0-284.128.1.rt14.413.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16539",
    "cpe" : "cpe:/o:redhat:rhel_e4s:9.2",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-09-24T00:00:00Z",
    "advisory" : "RHSA-2025:16540",
    "cpe" : "cpe:/o:redhat:rhel_eus:9.4",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38001\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38001\nhttps://lore.kernel.org/linux-cve-announce/2025060650-CVE-2025-38001-f921@gregkh/T" ],
  "name" : "CVE-2025-38001",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sch_hfsc from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}