Description
In the Linux kernel, the following vulnerability has been resolved:

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

Expected behaviour:
In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a
packet in scheduler's queue and decrease scheduler's qlen by one.
Then, pfifo_tail_enqueue() enqueue new packet and increase
scheduler's qlen by one. Finally, pfifo_tail_enqueue() return
`NET_XMIT_CN` status code.

Weird behaviour:
In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a
scheduler that has no packet, the 'drop a packet' step will do nothing.
This means the scheduler's qlen still has value equal 0.
Then, we continue to enqueue new packet and increase scheduler's qlen by
one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by
one and return `NET_XMIT_CN` status code.

The problem is:
Let's say we have two qdiscs: Qdisc_A and Qdisc_B.
- Qdisc_A's type must have '->graft()' function to create parent/child relationship.
Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.
- Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.
- Qdisc_B is configured to have `sch->limit == 0`.
- Qdisc_A is configured to route the enqueued's packet to Qdisc_B.

Enqueue packet through Qdisc_A will lead to:
- hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)
- Qdisc_B->q.qlen += 1
- pfifo_tail_enqueue() return `NET_XMIT_CN`
- hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.

The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.
Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem.
This violate the design where parent's qlen should equal to the sum of its childrens'qlen.

Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
Published: 2025-02-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The flawed pfifo_head_drop enqueue logic increments the child queue length without correctly updating the parent, breaking the invariant that a parent qdisc’s length equals the sum of its children’s lengths. This logic error, classified as CWE‑438, can corrupt kernel state during packet scheduling and, as the CVE notes, lead to privilege escalation when the defect is reachable.

Affected Systems

Linux kernel versions that include the pfifo_head_drop queue and in which this code path exists are affected. The CVE references a known bug in kernel 6.14 release candidate 1, indicating that kernels around that version, and likely earlier ones containing the same implementation, are vulnerable. The issue manifests when a parent scheduler enqueues a packet to a child pfifo_head_drop qdisc configured with a limit of zero, a scenario that can occur in standard Linux distributions that provide the tc command interface.

Risk and Exploitability

The CVSS score of 7.8 signals high severity. The EPSS score of less than 1% suggests that exploitation is presently rare, and the vulnerability is not listed in CISA KEV, though that does not lessen potential risk. The likely attack vector is local manipulation of traffic‑control settings, which requires user‑level access to execute tc commands. Successful exploitation could corrupt kernel data structures and enable a local attacker to gain elevated privileges, making the impact system‑wide if the buggy code path is triggered.

Generated by OpenCVE AI on April 29, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that fixes the pfifo_head_drop enqueue implementation.
  • Avoid creating child pfifo_head_drop qdiscs with a limit of zero; use a positive limit or a different qdisc type such as pfifo_fast or none.
  • If a kernel update is not immediately possible, remove the vulnerable qdisc entirely or replace it with a stable scheduler to eliminate the code path.
  • Restrict non‑privileged users from executing traffic‑control commands using SELinux, AppArmor, or similar access controls to reduce the attack surface.

Generated by OpenCVE AI on April 29, 2026 at 01:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4178-1 linux security update
Debian DLA Debian DLA DLA-4193-1 linux-6.1 security update
Debian DSA Debian DSA DSA-5900-1 linux security update
EUVD EUVD EUVD-2025-4797 In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
Ubuntu USN Ubuntu USN USN-7428-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7428-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7429-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7429-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7445-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7448-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7449-2 Linux kernel (HWE) vulnerabilities
Ubuntu USN Ubuntu USN USN-7450-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7451-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7452-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7453-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-3 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-4 Linux kernel (Oracle) vulnerabilities
Ubuntu USN Ubuntu USN USN-7455-5 Linux kernel (AWS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-1 Linux kernel (Intel IoTG) vulnerabilities
Ubuntu USN Ubuntu USN USN-7459-2 Linux kernel (GCP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7460-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7461-3 Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7462-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-7462-2 Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-7463-1 Linux kernel (IBM) vulnerabilities
Ubuntu USN Ubuntu USN USN-7468-1 Linux kernel (Azure, N-Series) vulnerabilities
Ubuntu USN Ubuntu USN USN-7475-1 Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN Ubuntu USN USN-7523-1 Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-7524-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-7539-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-7540-1 Linux kernel (Raspberry Pi) vulnerabilities
History

Tue, 12 May 2026 13:30:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 16 Oct 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type Values Removed Values Added
References

Fri, 07 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
References

Thu, 20 Feb 2025 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-438
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 19 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Tue, 18 Feb 2025 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.
Title pfifo_tail_enqueue: Drop new packet when sch->limit == 0
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-12T12:03:22.393Z

Reserved: 2024-12-29T08:45:45.748Z

Link: CVE-2025-21702

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2025-02-18T15:15:18.530

Modified: 2026-05-12T13:16:32.560

Link: CVE-2025-21702

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-18T00:00:00Z

Links: CVE-2025-21702 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T01:15:44Z

Weaknesses