CVE-2025-21703 - Vulnerability Details

- netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

Description

In the Linux kernel, the following vulnerability has been resolved:

netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

qdisc_tree_reduce_backlog() notifies parent qdisc only if child
qdisc becomes empty, therefore we need to reduce the backlog of the
child qdisc before calling it. Otherwise it would miss the opportunity
to call cops->qlen_notify(), in the case of DRR, it resulted in UAF
since DRR uses ->qlen_notify() to maintain its active list.

Published: 2025-02-18

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Linux kernel's network emulator (netem) component. A missing update to the backlog length (sch->q.qlen) before invoking qdisc_tree_reduce_backlog() causes a use‑after‑free (CWE‑416) in the DRR qdisc’s qlen_notify callback. If an attacker can trigger this flaw, the freed memory may later be re‑used by the kernel, potentially enabling arbitrary code execution at ring‑0 or causing a system crash.

Affected Systems

The flaw affects all Linux kernel releases that include the netem module, including release candidate 6.14 rc1 and earlier unpatched kernels. Any host running these kernels with netem enabled is susceptible. Based on the description, it is inferred that the impact is primarily local, requiring the attacker to run code with sufficient privileges to manipulate qdisc settings or to send traffic that engages the netem module.

Risk and Exploitability

The CVSS base score of 7.8 indicates high severity. The EPSS score is less than 1%, suggesting a very low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local, and the attacker would need to trigger a malformed backlog state. Based on the description, it is inferred that exploitation would involve manipulations that empty a child qdisc to trigger the use‑after‑free.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31`	affected	< e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c
`216509dda290f6db92c816dd54b83c1df9da9e76`	affected	< 7f31d74fcc556a9166b1bb20515542de7bb939d1
`c2047b0e216c8edce227d7c42f99ac2877dad0e4`	affected	< 98a2c685293aae122f688cde11d9334dddc5d207
`10df49cfca73dfbbdb6c4150d859f7e8926ae427`	affected	< 7b79ca9a1de6a428d486ff52fb3d602321c08f55
`3824c5fad18eeb7abe0c4fc966f29959552dca3e`	affected	< 1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5
`356078a5c55ec8d2061fcc009fb8599f5b0527f9`	affected	< 6312555249082d6d8cc5321ff725df05482d8b83
`f8d4bc455047cf3903cd6f85f49978987dbb3027`	affected	< 839ecc583fa00fab785fde1c85a326743657fd32
`f8d4bc455047cf3903cd6f85f49978987dbb3027`	affected	< 638ba5089324796c2ee49af10427459c2de35f71

Linux

affected

Version	Status	Constraints
`6.13`	affected	—
`0`	unaffected	< 6.13
`5.4.291`	unaffected	≤ 5.4.*
`5.10.235`	unaffected	≤ 5.10.*
`5.15.179`	unaffected	≤ 5.15.*
`6.1.129`	unaffected	≤ 6.1.*
`6.6.78`	unaffected	≤ 6.6.*
`6.12.14`	unaffected	≤ 6.12.*
`6.13.3`	unaffected	≤ 6.13.*
`6.14`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to the latest release that contains the netem backlog handling fix
If immediate kernel upgrade is not possible, remove or disable any custom qdisc rules that use the netem module until a patched kernel is available
Monitor system logs for qdisc backlog errors or kernel Oops messages to detect potential use‑after‑free conditions

Generated by OpenCVE AI on April 28, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4102-1	linux-6.1 security update
EUVD	EUVD-2025-4525	In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.
Ubuntu USN	USN-7445-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7448-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7455-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7455-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7455-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7455-4	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7455-5	Linux kernel (AWS) vulnerabilities
Ubuntu USN	USN-7459-1	Linux kernel (Intel IoTG) vulnerabilities
Ubuntu USN	USN-7459-2	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-7460-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7461-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7461-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7461-3	Linux kernel (Xilinx ZynqMP) vulnerabilities
Ubuntu USN	USN-7462-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7462-2	Linux kernel (AWS FIPS) vulnerabilities
Ubuntu USN	USN-7475-1	Linux kernel (Xilinx ZynqMP) vulnerabilities

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5
https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83
https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71
https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55
https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1
https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32
https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207
https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c
https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
https://lore.kernel.org/linux-cve-announce/2025021849-CVE-2025-21703-79f1@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-21703
https://www.cve.org/CVERecord?id=CVE-2025-21703

History

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html

Mon, 24 Mar 2025 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.14:rc1::::::
Vendors & Products		Linux Linux linux Kernel

Thu, 13 Mar 2025 12:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1 https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207 https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c

Fri, 21 Feb 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55

Thu, 20 Feb 2025 02:45:00 +0000

Type	Values Removed	Values Added
Metrics	threat_severity `Important`	threat_severity `Moderate`

Wed, 19 Feb 2025 14:00:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025021849-CVE-2025-21703-79f1@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-21703 https://www.cve.org/CVERecord?id=CVE-2025-21703
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 18 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 18 Feb 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifies parent qdisc only if child qdisc becomes empty, therefore we need to reduce the backlog of the child qdisc before calling it. Otherwise it would miss the opportunity to call cops->qlen_notify(), in the case of DRR, it resulted in UAF since DRR uses ->qlen_notify() to maintain its active list.
Title		netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
References		https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5 https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83 https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71 https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-02-18T14:37:44.261Z

Updated: 2026-04-02T08:39:25.388Z

Reserved: 2024-12-29T08:45:45.751Z

Link: CVE-2025-21703

Vulnrichment

Updated: 2025-11-03T19:35:52.049Z

NVD

Status : Modified

Published: 2025-02-18T15:15:18.633

Modified: 2025-11-03T20:17:10.003

Link: CVE-2025-21703

Redhat

Severity : Moderate

Publid Date: 2025-02-18T00:00:00Z

Links: CVE-2025-21703 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object