CVE-2025-21702 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9
https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d
https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e
https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888
https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980
https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455
https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b
https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca
https://lore.kernel.org/linux-cve-announce/2025021847-CVE-2025-21702-3aa3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21702
https://www.cve.org/CVERecord?id=CVE-2025-21702

History

Thu, 13 Mar 2025 12:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888 https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980 https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455

Fri, 07 Mar 2025 18:15:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9

Thu, 20 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-438
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 19 Feb 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025021847-CVE-2025-21702-3aa3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21702 https://www.cve.org/CVERecord?id=CVE-2025-21702
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Important`

Tue, 18 Feb 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
Title		pfifo_tail_enqueue: Drop new packet when sch->limit == 0
References		https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-18T14:37:43.429Z

Updated: 2025-03-24T15:39:02.735Z

Reserved: 2024-12-29T08:45:45.748Z

Link: CVE-2025-21702

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-02-18T15:15:18.530

Modified: 2025-03-13T13:15:48.563

Link: CVE-2025-21702

Redhat

Severity : Moderate

Publid Date: 2025-02-18T00:00:00Z

Links: CVE-2025-21702 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21702", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.748Z", "datePublished": "2025-02-18T14:37:43.429Z", "dateUpdated": "2025-03-24T15:39:02.735Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:39:02.735Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.\n Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch->limit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B->q.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_fifo.c"], "versions": [{"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "78285b53266d6d51fa4ff504a23df03852eba84e", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "7a9723ec27aff5674f1fd4934608937f1d650980", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "a56a6e8589a9b98d8171611fbcc1e45a15fd2455", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "020ecb76812a0526f4130ab5aeb6dc7c773e7ab9", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "79a955ea4a2e5ddf4a36328959de0de496419888", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "e40cb34b7f247fe2e366fd192700d1b4f38196ca", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "b6a079c3b6f95378f26e2aeda520cb3176f7067b", "status": "affected", "versionType": "git"}, {"version": "57dbb2d83d100ea601c54fe129bfde0678db5dee", "lessThan": "647cef20e649c576dff271e018d5d15d998b629d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_fifo.c"], "versions": [{"version": "2.6.34", "status": "affected"}, {"version": "0", "lessThan": "2.6.34", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.130", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.83", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.14", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.3", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"}, {"url": "https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"}, {"url": "https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"}, {"url": "https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"}, {"url": "https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"}, {"url": "https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"}, {"url": "https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"}, {"url": "https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"}], "title": "pfifo_tail_enqueue: Drop new packet when sch->limit == 0", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.\n Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch->limit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B->q.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pfifo_tail_enqueue: Descartar nuevo paquete cuando sch->limit == 0 Comportamiento esperado: En caso de que alcancemos el l\u00edmite del planificador, pfifo_tail_enqueue() descartar\u00e1 un paquete en la cola del planificador y disminuir\u00e1 el qlen del planificador en uno. Luego, pfifo_tail_enqueue() pone en cola un nuevo paquete y aumenta el qlen del planificador en uno. Finalmente, pfifo_tail_enqueue() devuelve el c\u00f3digo de estado `NET_XMIT_CN`. Comportamiento extra\u00f1o: En caso de que establezcamos `sch->limit == 0` y activemos pfifo_tail_enqueue() en un planificador que no tiene ning\u00fan paquete, el paso 'descartar un paquete' no har\u00e1 nada. Esto significa que el qlen del planificador todav\u00eda tiene un valor igual a 0. Luego, continuamos poniendo en cola un nuevo paquete y aumentamos el qlen del planificador en uno. En resumen, podemos aprovechar pfifo_tail_enqueue() para aumentar qlen en uno y devolver el c\u00f3digo de estado `NET_XMIT_CN`. El problema es: digamos que tenemos dos qdiscs: Qdisc_A y Qdisc_B. - El tipo de Qdisc_A debe tener la funci\u00f3n '->graft()' para crear una relaci\u00f3n padre/hijo. Digamos que el tipo de Qdisc_A es `hfsc`. Poner en cola un paquete en esta qdisc activar\u00e1 `hfsc_enqueue`. - El tipo de Qdisc_B es pfifo_head_drop. Poner en cola un paquete en esta qdisc activar\u00e1 `pfifo_tail_enqueue`. - Qdisc_B est\u00e1 configurado para tener `sch->limit == 0`. - Qdisc_A est\u00e1 configurado para enrutar el paquete en cola a Qdisc_B. Poner en cola un paquete a trav\u00e9s de Qdisc_A conducir\u00e1 a: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() devuelve `NET_XMIT_CN` - hfsc_enqueue() comprueba `NET_XMIT_SUCCESS` y ve `NET_XMIT_CN` => hfsc_enqueue() no aumenta el qlen de Qdisc_A. Todo el proceso conduce a una situaci\u00f3n en la que Qdisc_A->q.qlen == 0 y Qdisc_B->q.qlen == 1. Reemplazar 'hfsc' por otro tipo (por ejemplo: 'drr') sigue conduciendo al mismo problema. Esto viola el dise\u00f1o donde el qlen del padre debe ser igual a la suma del qlen de sus hijos. Impacto del error: este problema se puede utilizar para la escalada de privilegios de usuario a kernel cuando sea posible."}], "id": "CVE-2025-21702", "lastModified": "2025-03-13T13:15:48.563", "metrics": {}, "published": "2025-02-18T15:15:18.530", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: pfifo_tail_enqueue: Drop new packet when sch->limit == 0", "id": "2346272", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346272"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-438", "details": ["In the Linux kernel, the following vulnerability has been resolved:\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n- Qdisc_A's type must have '->graft()' function to create parent/child relationship.\nLet's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n- Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n- Qdisc_B is configured to have `sch->limit == 0`.\n- Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\nEnqueue packet through Qdisc_A will lead to:\n- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n- Qdisc_B->q.qlen += 1\n- pfifo_tail_enqueue() return `NET_XMIT_CN`\n- hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-21702", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21702\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21702\nhttps://lore.kernel.org/linux-cve-announce/2025021847-CVE-2025-21702-3aa3@gregkh/T"], "statement": "The default scheduler is pfifo_fast (and fd_codel for rhel8). This bug in BFIFO (sch_fifo) scheduler is not easy triggerable (requires usage of two qdiscs with special configuration). Both cannot trigger it before sch_fifo enabled. Rated to be Moderate.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object