7.8

CVE-2025-21703

netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

In the Linux kernel, the following vulnerability has been resolved:

netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would miss the opportunity
to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
since DRR uses ->qlen_notify() to maintain its active list.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 5.4.288 < 5.4.291
LinuxLinux Kernel Version >= 5.10.232 < 5.10.235
LinuxLinux Kernel Version >= 5.15.175 < 5.15.179
LinuxLinux Kernel Version >= 6.1.121 < 6.1.129
LinuxLinux Kernel Version >= 6.6.67 < 6.6.78
LinuxLinux Kernel Version >= 6.12.6 < 6.12.14
LinuxLinux Kernel Version >= 6.13 < 6.13.3
LinuxLinux Kernel Version6.14 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.191
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5
Patch
https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83
Patch
https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71
Patch
https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55
Patch
https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32
Patch
https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1
Patch
https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207
Patch
https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c
Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html