{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-37797","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.941Z","datePublished":"2025-05-02T14:16:01.905Z","dateUpdated":"2026-05-11T21:15:20.823Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:15:20.823Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Fix a UAF vulnerability in class handling\n\nThis patch fixes a Use-After-Free vulnerability in the HFSC qdisc class\nhandling. The issue occurs due to a time-of-check/time-of-use condition\nin hfsc_change_class() when working with certain child qdiscs like netem\nor codel.\n\nThe vulnerability works as follows:\n1. hfsc_change_class() checks if a class has packets (q.qlen != 0)\n2. It then calls qdisc_peek_len(), which for certain qdiscs (e.g.,\n   codel, netem) might drop packets and empty the queue\n3. The code continues assuming the queue is still non-empty, adding\n   the class to vttree\n4. This breaks HFSC scheduler assumptions that only non-empty classes\n   are in vttree\n5. Later, when the class is destroyed, this can lead to a Use-After-Free\n\nThe fix adds a second queue length check after qdisc_peek_len() to verify\nthe queue wasn't emptied."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_hfsc.c"],"versions":[{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"28b09a067831f7317c3841812276022d6c940677","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"39b9095dd3b55d9b2743df038c32138efa34a9de","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"fcc8ede663569c704fb00a702973bd6c00373283","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"20d584a33e480ae80d105f43e0e7b56784da41b9","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"3aa852e3605000d5c47035c3fc3a986d14ccfa9f","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"86cd4641c713455a4f1c8e54c370c598c2b1cee0","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"bb583c88d23b72d8d16453d24856c99bd93dadf5","status":"affected","versionType":"git"},{"version":"21f4d5cc25ec0e6e8eb8420dd2c399e6d2fc7d14","lessThan":"3df275ef0a6ae181e8428a6589ef5d5231e58b5c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_hfsc.c"],"versions":[{"version":"4.14","status":"affected"},{"version":"0","lessThan":"4.14","status":"unaffected","versionType":"semver"},{"version":"5.4.293","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.237","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.181","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.136","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.89","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.26","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.5","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.4.293"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"6.1.136"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"6.6.89"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"6.12.26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"6.14.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/28b09a067831f7317c3841812276022d6c940677"},{"url":"https://git.kernel.org/stable/c/39b9095dd3b55d9b2743df038c32138efa34a9de"},{"url":"https://git.kernel.org/stable/c/fcc8ede663569c704fb00a702973bd6c00373283"},{"url":"https://git.kernel.org/stable/c/20d584a33e480ae80d105f43e0e7b56784da41b9"},{"url":"https://git.kernel.org/stable/c/3aa852e3605000d5c47035c3fc3a986d14ccfa9f"},{"url":"https://git.kernel.org/stable/c/86cd4641c713455a4f1c8e54c370c598c2b1cee0"},{"url":"https://git.kernel.org/stable/c/bb583c88d23b72d8d16453d24856c99bd93dadf5"},{"url":"https://git.kernel.org/stable/c/3df275ef0a6ae181e8428a6589ef5d5231e58b5c"}],"title":"net_sched: hfsc: Fix a UAF vulnerability in class handling","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:55:28.428Z"}}]}}