{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38107","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.985Z","datePublished":"2025-07-03T08:35:17.487Z","dateUpdated":"2026-05-11T21:21:23.776Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:21:23.776Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: ets: fix a race in ets_qdisc_change()\n\nGerrard Tai reported a race condition in ETS, whenever SFQ perturb timer\nfires at the wrong time.\n\nThe race is as follows:\n\nCPU 0                                 CPU 1\n[1]: lock root\n[2]: qdisc_tree_flush_backlog()\n[3]: unlock root\n |\n |                                    [5]: lock root\n |                                    [6]: rehash\n |                                    [7]: qdisc_tree_reduce_backlog()\n |\n[4]: qdisc_put()\n\nThis can be abused to underflow a parent's qlen.\n\nCalling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()\nshould fix the race, because all packets will be purged from the qdisc\nbefore releasing the lock."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_ets.c"],"versions":[{"version":"699d82e9a6db29d509a71f1f2f4316231e6232e6","lessThan":"eb7b74e9754e1ba2088f914ad1f57a778b11894b","status":"affected","versionType":"git"},{"version":"ce881ddbdc028fb1988b66e40e45ca0529c23b46","lessThan":"0b479d0aa488cb478eb2e1d8868be946ac8afb4f","status":"affected","versionType":"git"},{"version":"b05972f01e7d30419987a1f221b5593668fd6448","lessThan":"347867cb424edae5fec1622712c8dd0a2c42918f","status":"affected","versionType":"git"},{"version":"b05972f01e7d30419987a1f221b5593668fd6448","lessThan":"0383b25488a545be168744336847549d4a2d3d6c","status":"affected","versionType":"git"},{"version":"b05972f01e7d30419987a1f221b5593668fd6448","lessThan":"073f64c03516bcfaf790f8edc772e0cfb8a84ec3","status":"affected","versionType":"git"},{"version":"b05972f01e7d30419987a1f221b5593668fd6448","lessThan":"fed94bd51d62d2e0e006aa61480e94e5cd0582b0","status":"affected","versionType":"git"},{"version":"b05972f01e7d30419987a1f221b5593668fd6448","lessThan":"d92adacdd8c2960be856e0b82acc5b7c5395fddb","status":"affected","versionType":"git"},{"version":"fffa19b5e58c34004a0d6f642d9c24b11d213994","status":"affected","versionType":"git"},{"version":"fb155f6597cd7bc3aeed668c3bb15fc3b7cb257d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_ets.c"],"versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.142","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.66","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0","versionEndExcluding":"6.16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.213"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b"},{"url":"https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f"},{"url":"https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f"},{"url":"https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c"},{"url":"https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3"},{"url":"https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0"},{"url":"https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb"}],"title":"net_sched: ets: fix a race in ets_qdisc_change()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:09.673Z"}}]}}