CVE-2025-38477
published 2025-07-28CVE-2025-38477: In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when…
medium4.7CVSS 3.1
AVLACHPRLUINSUCNINAH
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix race condition on qfq_aggregate
A race condition can occur when 'agg' is modified in qfq_change_agg
(called during qfq_enqueue) while other threads access it
concurrently. For example, qfq_dump_class may trigger a NULL
dereference, and qfq_delete_class may cause a use-after-free.
This patch addresses the issue by:
1. Moved qfq_destroy_class into the critical section.
2. Added sch_tree_lock protection to qfq_dump_class and
qfq_dump_class_stats.
Affected
32 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.147-1 (bookworm) | linux 6.1.147-1 (bookworm) |
| chrome_chrome | — | — | |
| linux | linux | — | — |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < aa7a22c4d678bf649fd3a1d27debec583563414d | aa7a22c4d678bf649fd3a1d27debec583563414d |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < d841aa5518508ab195b6781ad0d73ee378d713dd | d841aa5518508ab195b6781ad0d73ee378d713dd |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < c6df794000147a3a02f79984aada4ce83f8d0a1e | c6df794000147a3a02f79984aada4ce83f8d0a1e |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < 466e10194ab81caa2ee6a332d33ba16bcceeeba6 | 466e10194ab81caa2ee6a332d33ba16bcceeeba6 |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < fbe48f06e64134dfeafa89ad23387f66ebca3527 | fbe48f06e64134dfeafa89ad23387f66ebca3527 |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < a6d735100f602c830c16d69fb6d780eebd8c9ae1 | a6d735100f602c830c16d69fb6d780eebd8c9ae1 |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < c000a3a330d97f6c073ace5aa5faf94b9adb4b79 | c000a3a330d97f6c073ace5aa5faf94b9adb4b79 |
| linux | linux | >= 462dbc9101acd38e92eda93c0726857517a24bbd < 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 | 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.147-1 | 6.1.147-1 |
| linux | linux_kernel | >= 0 < 6.12.41-1 | 6.12.41-1 |
| linux | linux_kernel | >= 0 < 6.16.3-1 | 6.16.3-1 |
| linux | linux_kernel | >= 0 < 5.15.0-157.167 | 5.15.0-157.167 |
| linux | linux_kernel | >= 0 < 6.8.0-85.85 | 6.8.0-85.85 |
| linux | linux_kernel | >= 0 < 4.15.0-242.254 | 4.15.0-242.254 |
| linux | linux_kernel | >= 0 < 5.4.0-222.242 | 5.4.0-222.242 |
| linux | linux_kernel | >= 3.8 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.147 | 6.1.147 |
CVSS provenance
nvdv3.14.7MEDIUMCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
osv7.8HIGH