{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: fix use-after-free in taprio_dev_notifier",
    "id" : "2375531",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2375531"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: fix use-after-free in taprio_dev_notifier\nSince taprio’s taprio_dev_notifier() isn’t protected by an\nRCU read-side critical section, a race with advance_sched()\ncan lead to a use-after-free.\nAdding rcu_read_lock() inside taprio_dev_notifier() prevents this." ],
  "statement" : "A race condition in taprio_dev_notifier() could lead to a use-after-free (UAF) when it accesses q->oper_sched or q->admin_sched outside of an RCU read-side critical section. This could be exploited by triggering concurrent updates to the taprio scheduler (e.g., via traffic control tools). The issue is resolved by wrapping the relevant accesses in rcu_read_lock()/rcu_read_unlock() and switching from rtnl_dereference() to rcu_dereference(). While the exploitability is low (requires root or CAP_NET_ADMIN), this is a clear use-after-free that can potentially compromise kernel memory. Therefore, CIA: HHH. The Privileges for the CVSS could be Low or High depending on what are the default permissions in the system (basically speaking if user has access to the qdisc, then can trigger it, but by default user would not have such access in Red Hat Enterprise Linux that limits this vulnarability impact level to Moderate).\nThe CVSS base score is approximately:\n6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) in systems where access to traffic control is restricted (like Red Hat Enterprise Linux).\n7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) if unprivileged users are allowed to manipulate qdiscs.\nThe related Kernel config param CONFIG_NET_SCH_TAPRIO enabled only for the latest versions of the Red Hat Enterprise Linux 9 and disabled for the Red Hat Enterprise Linux 8 and before.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12662",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.25.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11810",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.79.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38087\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38087\nhttps://lore.kernel.org/linux-cve-announce/2025063052-CVE-2025-38087-cd0f@gregkh/T" ],
  "name" : "CVE-2025-38087",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sch_taprio from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}