CVE-2025-37913

net_sched: qfq: Fix double list add in class with netem as child qdisc

Published: 5/20/2025 Last updated: 11/3/2025 Reserved: 4/16/2025

In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/

CNA assigner: Linux (416baaa9-dc9f-4396-8d5f-8c081fb06d67) Requested by: n/a

Opam packages affected (27)

albatross cdrom conf-bpftool conf-libbpf conf-linux-libc-dev core core_unix hvsock mirage-block-unix mm ocaml-probes orun rawlink rawlink-eio rawlink-lwt shell solo5 solo5-bindings-hvt solo5-bindings-spt solo5-cross-aarch64 solo5-kernel-ukvm tracy-client tuntap uring vhd-format vhd-format-lwt xapi-stdext-unix

Products affected (4)

Product	Vendor	Version
Linux	Linux	< 5.4.215
Linux	Linux	Versions prior to 5.3.9.18
Linux	Linux	16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3
Linux	Linux	Adobe Digital Editions 4.5.3 and earlier.

CVE-2025-37913

net_sched: qfq: Fix double list add in class with netem as child qdisc

Opam packages affected (27)

Products affected (4)

References (20)