CVE-2025-38108

HIGH

Linux Kernel 5.0-6.15.3 - Race Condition in RED Qdisc

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

References (10)

Core 10
Core References

Scores

CVSS v3 7.0
EPSS 0.0006
EPSS Percentile 17.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-362
Status published
Products (28)
debian/debian_linux 11.0
linux/Kernel 5.0.0 - 5.4.295linux
linux/Kernel 5.11.0 - 5.15.186linux
linux/Kernel 5.16.0 - 6.1.142linux
linux/Kernel 5.5.0 - 5.10.239linux
linux/Kernel 6.13.0 - 6.15.3linux
linux/Kernel 6.2.0 - 6.6.94linux
linux/Kernel 6.7.0 - 6.12.34linux
Linux/Linux < 5.0
Linux/Linux 0c8d13ac96070000da33f394f45e9c19638483c5 - 110a47efcf23438ff8d31dbd9c854fae2a48bf98
... and 18 more
Published Jul 03, 2025
Tracked Since Feb 18, 2026