CVE-2025-21703

HIGH

Linux Kernel - Use-After-Free in DRR Active List via qdisc_tree_reduce_backlog

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.

References (9)

Core 9

Scores

CVSS v3 7.8
EPSS 0.0027
EPSS Percentile 19.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-416
Status published
Products (33)
linux/Kernel < 5.4.291linux
linux/Kernel 5.11.0 - 5.15.179linux
linux/Kernel 5.16.0 - 6.1.129linux
linux/Kernel 5.5.0 - 5.10.235linux
linux/Kernel 6.13.0 - 6.13.3linux
linux/Kernel 6.2.0 - 6.6.78linux
linux/Kernel 6.7.0 - 6.12.14linux
Linux/Linux < 6.13
Linux/Linux 10df49cfca73dfbbdb6c4150d859f7e8926ae427 - 7b79ca9a1de6a428d486ff52fb3d602321c08f55
Linux/Linux 216509dda290f6db92c816dd54b83c1df9da9e76 - 7f31d74fcc556a9166b1bb20515542de7bb939d1
... and 23 more
Published Feb 18, 2025
Tracked Since Feb 18, 2026