CVE-2025-38177Incomplete Cleanup in Linux

CWE-459Incomplete CleanupCWE-401Missing Release of Memory after Effective Lifetime26 documents9 sources
Severity
5.5MEDIUMNVD
OSV8.8OSV7.8OSV5.9OSV4.7
EPSS
0.0%
top 90.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
LinuxLinux KernelDebian Linux
Timeline
PublishedJul 4
Latest updateFeb 27

Description

In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

NVDlinux/linux_kernel5.55.10.241+7
Debianlinux/linux_kernel< 5.10.244-1+3
Ubuntulinux/linux_kernel< 5.4.0-219.239
CVEListV5linux/linux959466588aa7f84ccf79ae36a1d89542eaf9aaec9a5fd5c2f4d4afdd5e405083ee53e0789ce76956+8

Also affects: Debian Linux 11.0

Patches

Patch: git.kernel.orgPatch: git.kernel.orgPatch: git.kernel.org

🔴Vulnerability Details

12
OSV
linux-azure-5.15 vulnerabilities2025-09-02
OSV
linux-azure-fips vulnerabilities2025-08-22
OSV
linux-raspi vulnerabilities2025-08-05
OSV
linux-iot vulnerabilities2025-08-04
OSV
linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4 vulnerabilities2025-07-29

📋Vendor Advisories

13
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2025-381772026-02-27
Ubuntu
Linux kernel (Azure) vulnerabilities2025-09-02
Ubuntu
Linux kernel (Azure FIPS) vulnerabilities2025-08-22
Ubuntu
Linux kernel (Raspberry Pi) vulnerabilities2025-08-05
Ubuntu
Linux kernel (IoT) vulnerabilities2025-08-04
CVE-2025-38177 — Incomplete Cleanup in Linux | cvebase