Description
In the Linux kernel, the following vulnerability has been resolved: net_sched: qfq: Fix double list add in class with netem as child qdisc As described in Gerrard's report [1], there are use cases where a netem child qdisc will make the parent qdisc's enqueue callback reentrant. In the case of qfq, there won't be a UAF, but the code will add the same classifier to the list twice, which will cause memory corruption. This patch checks whether the class was already added to the agg->active list (cl_is_active) before doing the addition to cater for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
References (10)
Scores
CVSS v3
7.8
EPSS
0.0008
EPSS Percentile
24.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-415
Status
published
Products (11)
debian/debian_linux
11.0
linux/Kernel
5.0.0 - 5.4.294linux
linux/Kernel
5.11.0 - 5.15.182linux
linux/Kernel
5.16.0 - 6.1.138linux
linux/Kernel
5.5.0 - 5.10.238linux
linux/Kernel
6.13.0 - 6.14.6linux
linux/Kernel
6.2.0 - 6.6.90linux
linux/Kernel
6.7.0 - 6.12.28linux
linux/linux_kernel
5.0 (7 CPE variants)
linux/linux_kernel
6.15 rc1 (4 CPE variants)
... and 1 more
Published
May 20, 2025
Tracked Since
Feb 18, 2026