{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21702","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.748Z","datePublished":"2025-02-18T14:37:43.429Z","dateUpdated":"2026-04-02T08:39:24.096Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-04-02T08:39:24.096Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.\n   Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch->limit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B->q.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_fifo.c"],"versions":[{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"78285b53266d6d51fa4ff504a23df03852eba84e","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"7a9723ec27aff5674f1fd4934608937f1d650980","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"a56a6e8589a9b98d8171611fbcc1e45a15fd2455","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"020ecb76812a0526f4130ab5aeb6dc7c773e7ab9","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"79a955ea4a2e5ddf4a36328959de0de496419888","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"e40cb34b7f247fe2e366fd192700d1b4f38196ca","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"b6a079c3b6f95378f26e2aeda520cb3176f7067b","status":"affected","versionType":"git"},{"version":"57dbb2d83d100ea601c54fe129bfde0678db5dee","lessThan":"647cef20e649c576dff271e018d5d15d998b629d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_fifo.c"],"versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","status":"unaffected","versionType":"semver"},{"version":"5.4.291","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.235","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.179","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.130","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.83","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.14","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.3","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.4.291"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.10.235"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"5.15.179"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.1.130"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.6.83"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.12.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.13.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"},{"url":"https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"},{"url":"https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"},{"url":"https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"},{"url":"https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"},{"url":"https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"},{"url":"https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"},{"url":"https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"}],"title":"pfifo_tail_enqueue: Drop new packet when sch->limit == 0","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:35:50.649Z"}}]}}