{ "threat_severity" : "Important", "public_date" : "2025-07-19T00:00:00Z", "bugzilla" : { "description" : "kernel: net/sched: Always pass notifications when child class becomes empty", "id" : "2382054", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2382054" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: Always pass notifications when child class becomes empty\nCertain classful qdiscs may invoke their classes' dequeue handler on an\nenqueue operation. This may unexpectedly empty the child qdisc and thus\nmake an in-flight class passive via qlen_notify(). Most qdiscs do not\nexpect such behaviour at this point in time and may re-activate the\nclass eventually anyways which will lead to a use-after-free.\nThe referenced fix commit attempted to fix this behavior for the HFSC\ncase by moving the backlog accounting around, though this turned out to\nbe incomplete since the parent's parent may run into the issue too.\nThe following reproducer demonstrates this use-after-free:\ntc qdisc add dev lo root handle 1: drr\ntc filter add dev lo parent 1: basic classid 1:1\ntc class add dev lo parent 1: classid 1:1 drr\ntc qdisc add dev lo parent 1:1 handle 2: hfsc def 1\ntc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0\ntc qdisc add dev lo parent 2:1 handle 3: netem\ntc qdisc add dev lo parent 3:1 handle 4: blackhole\necho 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\ntc class delete dev lo classid 1:1\necho 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888\nSince backlog accounting issues leading to a use-after-frees on stale\nclass pointers is a recurring pattern at this point, this patch takes\na different approach. Instead of trying to fix the accounting, the patch\nensures that qdisc_tree_reduce_backlog always calls qlen_notify when\nthe child qdisc is empty. This solves the problem because deletion of\nqdiscs always involves a call to qdisc_reset() and / or\nqdisc_purge_queue() which ultimately resets its qlen to 0 thus causing\nthe following qdisc_tree_reduce_backlog() to report to the parent. Note\nthat this may call qlen_notify on passive classes multiple times. This\nis not a problem after the recent patch series that made all the\nclassful qdiscs qlen_notify() handlers idempotent.", "A use-after-free (UAF) vulnerability was found in the Linux kernel's net/sched subsystem, specifically in the Credit-Based Shaper (CBS) qdisc implementation (sch_cbs). The vulnerability occurs because the CBS qdisc's reset function (qdisc_reset_queue()) only resets its internal queue but fails to reset its child qdisc recursively. As a result, a mismatch in queue length (qlen) occurs between CBS and its children during interface resets, eventually allowing attackers to trigger UAF on a parent HFSC scheduler." ], "statement" : "On Red Hat Enterprise Linux 8 and later releases, regular (non-root) users can exploit this issue by abusing unprivileged user namespaces. On Red Hat Enterprise Linux 7, unprivileged user namespaces are disabled by default. Red Hat Enterprise Linux 6 did not include support for them at all, meaning that root privileges are necessary to trigger this flaw.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15447", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "kernel-0:6.12.0-55.31.1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support", "release_date" : "2025-08-25T00:00:00Z", "advisory" : "RHSA-2025:14413", "cpe" : "cpe:/o:redhat:rhel_aus:7.7", "package" : "kernel-0:3.10.0-1062.99.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14746", "cpe" : "cpe:/a:redhat:rhel_extras_rt_els:7", "package" : "kernel-rt-0:3.10.0-1160.137.1.rt56.1289.el7" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14748", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "kernel-0:3.10.0-1160.137.1.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15786", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.75.1.rt7.416.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-15T00:00:00Z", "advisory" : "RHSA-2025:15785", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.75.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16582", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14742", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "kernel-0:4.18.0-193.165.1.el8_2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15035", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "kernel-0:4.18.0-305.170.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15035", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "kernel-0:4.18.0-305.170.1.el8_4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14692", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "kernel-0:4.18.0-372.158.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14692", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "kernel-0:4.18.0-372.158.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14692", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kernel-0:4.18.0-372.158.1.el8_6" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16580", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-25T00:00:00Z", "advisory" : "RHSA-2025:14511", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "kernel-0:4.18.0-477.107.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-25T00:00:00Z", "advisory" : "RHSA-2025:14511", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kernel-0:4.18.0-477.107.1.el8_8" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16583", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15011", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.39.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15011", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-570.39.1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16538", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14744", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "kernel-0:5.14.0-70.144.1.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14749", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv", "package" : "kernel-rt-0:5.14.0-70.144.1.rt21.216.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16541", "cpe" : "cpe:/o:redhat:rhel_e4s:9.0", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14696", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "kernel-0:5.14.0-284.134.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-08-27T00:00:00Z", "advisory" : "RHSA-2025:14691", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::nfv", "package" : "kernel-rt-0:5.14.0-284.134.1.rt14.419.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16539", "cpe" : "cpe:/o:redhat:rhel_e4s:9.2", "package" : "kpatch-patch" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-09-02T00:00:00Z", "advisory" : "RHSA-2025:15016", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "kernel-0:5.14.0-427.85.1.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-09-24T00:00:00Z", "advisory" : "RHSA-2025:16540", "cpe" : "cpe:/o:redhat:rhel_eus:9.4", "package" : "kpatch-patch" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38350\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38350\nhttps://lore.kernel.org/linux-cve-announce/2025071933-CVE-2025-38350-262a@gregkh/T" ], "name" : "CVE-2025-38350", "mitigation" : { "value" : "To mitigate this issue, prevent the sch_cbs module from being loaded. Please see https://access.redhat.com/solutions/41278 for how information on how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }