{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-37992","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.976Z","datePublished":"2025-05-26T14:54:15.796Z","dateUpdated":"2026-05-11T21:19:12.976Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:19:12.976Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during ->change()\n\nPreviously, when reducing a qdisc's limit via the ->change() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch->limit against sch->q.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their ->change() routines."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sch_generic.h","net/sched/sch_codel.c","net/sched/sch_fq.c","net/sched/sch_fq_codel.c","net/sched/sch_fq_pie.c","net/sched/sch_hhf.c","net/sched/sch_pie.c"],"versions":[{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"ea1132ccb112f51ba749c56a912f67970c2cd542","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"d3336f746f196c6a53e0480923ae93939f047b6c","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"d38939ebe0d992d581acb6885c1723fa83c1fb2c","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"a7d6e0ac0a8861f6b1027488062251a8e28150fd","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"d1365ca80b012d8a7863e45949e413fb61fa4861","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76","status":"affected","versionType":"git"},{"version":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409","lessThan":"2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/net/sch_generic.h","net/sched/sch_codel.c","net/sched/sch_fq.c","net/sched/sch_fq_codel.c","net/sched/sch_fq_pie.c","net/sched/sch_hhf.c","net/sched/sch_pie.c"],"versions":[{"version":"3.5","status":"affected"},{"version":"0","lessThan":"3.5","status":"unaffected","versionType":"semver"},{"version":"5.10.238","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.184","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.140","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.92","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.30","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.8","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.10.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"5.15.184"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.1.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.6.92"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.12.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.14.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542"},{"url":"https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c"},{"url":"https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c"},{"url":"https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd"},{"url":"https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861"},{"url":"https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76"},{"url":"https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8"}],"title":"net_sched: Flush gso_skb list too during ->change()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:58:06.592Z"}}]}}