{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38115","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.986Z","datePublished":"2025-07-03T08:35:23.750Z","dateUpdated":"2026-05-11T21:21:32.881Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:21:32.881Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: sch_sfq: fix a potential crash on gso_skb handling\n\nSFQ has an assumption of always being able to queue at least one packet.\n\nHowever, after the blamed commit, sch->q.len can be inflated by packets\nin sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed\nby an immediate drop.\n\nFix sfq_drop() to properly clear q->tail in this situation.\n\n\nip netns add lb\nip link add dev to-lb type veth peer name in-lb netns lb\nethtool -K to-lb tso off                 # force qdisc to requeue gso_skb\nip netns exec lb ethtool -K in-lb gro on # enable NAPI\nip link set dev to-lb up\nip -netns lb link set dev in-lb up\nip addr add dev to-lb 192.168.20.1/24\nip -netns lb addr add dev in-lb 192.168.20.2/24\ntc qdisc replace dev to-lb root sfq limit 100\n\nip netns exec lb netserver\n\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &\nnetperf -H 192.168.20.2 -l 100 &"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_sfq.c"],"versions":[{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"c337efb20d6d9f9bbb4746f6b119917af5c886dc","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"b44f791f27b14c9eb6b907fbe51f2ba8bec32085","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"9c19498bdd7cb9d854bd3c54260f71cf7408495e","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"b4e9bab6011b9559b7c157b16b91ae46d4d8c533","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"d1bc80da75c789f2f6830df89d91fb2f7a509943","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"82448d4dcd8406dec688632a405fdcf7f170ec69","status":"affected","versionType":"git"},{"version":"a53851e2c3218aa30b77abd6e68cf1c371f15afe","lessThan":"82ffbe7776d0ac084031f114167712269bf3d832","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_sfq.c"],"versions":[{"version":"4.16","status":"affected"},{"version":"0","lessThan":"4.16","status":"unaffected","versionType":"semver"},{"version":"5.4.295","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.239","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.186","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.142","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.94","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.34","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.3","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.4.295"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.10.239"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"5.15.186"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.1.142"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.6.94"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.12.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.15.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.16","versionEndExcluding":"6.16"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/c337efb20d6d9f9bbb4746f6b119917af5c886dc"},{"url":"https://git.kernel.org/stable/c/b44f791f27b14c9eb6b907fbe51f2ba8bec32085"},{"url":"https://git.kernel.org/stable/c/5814a7fc3abb41f63f2d44c9d3ff9d4e62965b72"},{"url":"https://git.kernel.org/stable/c/9c19498bdd7cb9d854bd3c54260f71cf7408495e"},{"url":"https://git.kernel.org/stable/c/b4e9bab6011b9559b7c157b16b91ae46d4d8c533"},{"url":"https://git.kernel.org/stable/c/d1bc80da75c789f2f6830df89d91fb2f7a509943"},{"url":"https://git.kernel.org/stable/c/82448d4dcd8406dec688632a405fdcf7f170ec69"},{"url":"https://git.kernel.org/stable/c/82ffbe7776d0ac084031f114167712269bf3d832"}],"title":"net_sched: sch_sfq: fix a potential crash on gso_skb handling","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:34:18.395Z"}}]}}