{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-04T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/sched: ets: use old 'nbands' while purging unused classes",
    "id" : "2393190",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2393190"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-476",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/sched: ets: use old 'nbands' while purging unused classes\nShuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()\nafter recent changes from Lion [2]. The problem is: in ets_qdisc_change()\nwe purge unused DWRR queues; the value of 'q->nbands' is the new one, and\nthe cleanup should be done with the old one. The problem is here since my\nfirst attempts to fix ets_qdisc_change(), but it surfaced again after the\nrecent qdisc len accounting fixes. Fix it purging idle DWRR queues before\nassigning a new value of 'q->nbands', so that all purge operations find a\nconsistent configuration:\n- old 'q->nbands' because it's needed by ets_class_find()\n- old 'q->nstrict' because it's needed by ets_class_is_strict()\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)\nHardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021\nRIP: 0010:__list_del_entry_valid_or_report+0x4/0x80\nCode: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab\nRSP: 0018:ffffba186009f400 EFLAGS: 00010202\nRAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004\nRDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004\nR10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000\nR13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000\nFS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n<TASK>\nets_class_qlen_notify+0x65/0x90 [sch_ets]\nqdisc_tree_reduce_backlog+0x74/0x110\nets_qdisc_change+0x630/0xa40 [sch_ets]\n__tc_modify_qdisc.constprop.0+0x216/0x7f0\ntc_modify_qdisc+0x7c/0x120\nrtnetlink_rcv_msg+0x145/0x3f0\nnetlink_rcv_skb+0x53/0x100\nnetlink_unicast+0x245/0x390\nnetlink_sendmsg+0x21b/0x470\n____sys_sendmsg+0x39d/0x3d0\n___sys_sendmsg+0x9a/0xe0\n__sys_sendmsg+0x7a/0xd0\ndo_syscall_64+0x7d/0x160\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f2155114084\nCode: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89\nRSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084\nRDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003\nRBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f\nR10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0\nR13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0\n</TASK>\n[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/\n[2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-09-08T00:00:00Z",
    "advisory" : "RHSA-2025:15447",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "kernel-0:6.12.0-55.31.1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-09-15T00:00:00Z",
    "advisory" : "RHSA-2025:15785",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.75.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15035",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "kernel-0:4.18.0-305.170.1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15011",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.39.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-09-02T00:00:00Z",
    "advisory" : "RHSA-2025:15011",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.39.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-38684\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38684\nhttps://lore.kernel.org/linux-cve-announce/2025090447-CVE-2025-38684-db4c@gregkh/T" ],
  "name" : "CVE-2025-38684",
  "csaw" : false
}