CVE-2025-38083 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved:

net_sched: prio: fix a race in prio_tune()

Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.

The race is as follows:

CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00092.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

Advisories

Source	ID	Title
Debian DLA	DLA-4327-1	linux security update
Debian DLA	DLA-4328-1	linux-6.1 security update
Debian DSA	DSA-5973-1	linux security update
EUVD	EUVD-2025-22847	In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root \| \| [5]: lock root \| [6]: rehash \| [7]: qdisc_tree_reduce_backlog() \| [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.
Ubuntu USN	USN-7681-1	Linux kernel vulnerability
Ubuntu USN	USN-7681-2	Linux kernel (Oracle) vulnerability
Ubuntu USN	USN-7681-3	Linux kernel (Oracle) vulnerability
Ubuntu USN	USN-7682-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7682-2	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7682-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7682-4	Linux kernel (Low Latency) vulnerabilities
Ubuntu USN	USN-7682-5	Linux kernel vulnerabilities
Ubuntu USN	USN-7682-6	Linux kernel (IBM) vulnerabilities
Ubuntu USN	USN-7683-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7683-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7683-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-7686-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-7701-1	Linux kernel vulnerabilities
Ubuntu USN	USN-7701-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-7701-3	Linux kernel (IoT) vulnerabilities
Ubuntu USN	USN-7711-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7712-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-7712-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7719-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-7721-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7737-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7819-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-7832-1	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-7819-2	Linux kernel (Azure FIPS) vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://git.kernel.org/stable/c/20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f
https://git.kernel.org/stable/c/3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4
https://git.kernel.org/stable/c/4483d8b9127591c60c4eb789d6cab953bc4522a9
https://git.kernel.org/stable/c/46c15c9d0f65c9ba857d63f53264f4b17e8a715f
https://git.kernel.org/stable/c/53d11560e957d53ee87a0653d258038ce12361b7
https://git.kernel.org/stable/c/93f9eeb678d4c9c1abf720b3615fa8299a490845
https://git.kernel.org/stable/c/d35acc1be3480505b5931f17e4ea9b7617fea4d3
https://git.kernel.org/stable/c/e3f6745006dc9423d2b065b90f191cfa11b1b584
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
https://lore.kernel.org/linux-cve-announce/2025062055-CVE-2025-38083-b226@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-38083
https://www.cve.org/CVERecord?id=CVE-2025-38083

History

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

Fri, 27 Jun 2025 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-366
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Fri, 27 Jun 2025 10:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f https://git.kernel.org/stable/c/3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4 https://git.kernel.org/stable/c/4483d8b9127591c60c4eb789d6cab953bc4522a9 https://git.kernel.org/stable/c/53d11560e957d53ee87a0653d258038ce12361b7

Sat, 21 Jun 2025 12:45:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025062055-CVE-2025-38083-b226@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-38083 https://www.cve.org/CVERecord?id=CVE-2025-38083
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Fri, 20 Jun 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net_sched: prio: fix a race in prio_tune() Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root \| \| [5]: lock root \| [6]: rehash \| [7]: qdisc_tree_reduce_backlog() \| [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.
Title		net_sched: prio: fix a race in prio_tune()
References		https://git.kernel.org/stable/c/46c15c9d0f65c9ba857d63f53264f4b17e8a715f https://git.kernel.org/stable/c/93f9eeb678d4c9c1abf720b3615fa8299a490845 https://git.kernel.org/stable/c/d35acc1be3480505b5931f17e4ea9b7617fea4d3 https://git.kernel.org/stable/c/e3f6745006dc9423d2b065b90f191cfa11b1b584

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-06-20T11:21:51.554Z

Updated: 2025-11-03T17:33:50.557Z

Reserved: 2025-04-16T04:51:23.981Z

Link: CVE-2025-38083

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-06-20T12:15:21.470

Modified: 2025-11-03T18:16:01.647

Link: CVE-2025-38083

Redhat

Severity : Moderate

Publid Date: 2025-06-20T00:00:00Z

Links: CVE-2025-38083 - Bugzilla

OpenCVE Enrichment

Updated: 2025-06-23T08:20:14Z

Metrics

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object