In the Linux kernel, the following vulnerability has been resolved:

net_sched: ets: fix a race in ets_qdisc_change()

Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer
fires at the wrong time.

The race is as follows:

CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
|
| [5]: lock root
| [6]: rehash
| [7]: qdisc_tree_reduce_backlog()
|
[4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Linux
  • Linux Kernel

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Linux
  • Linux Kernel
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://git.kernel.org/stable/c/0383b25488a545be168744336847549d4a2d3d6c cve-icon cve-icon
https://git.kernel.org/stable/c/073f64c03516bcfaf790f8edc772e0cfb8a84ec3 cve-icon cve-icon
https://git.kernel.org/stable/c/0b479d0aa488cb478eb2e1d8868be946ac8afb4f cve-icon cve-icon
https://git.kernel.org/stable/c/347867cb424edae5fec1622712c8dd0a2c42918f cve-icon cve-icon
https://git.kernel.org/stable/c/d92adacdd8c2960be856e0b82acc5b7c5395fddb cve-icon cve-icon
https://git.kernel.org/stable/c/eb7b74e9754e1ba2088f914ad1f57a778b11894b cve-icon cve-icon
https://git.kernel.org/stable/c/fed94bd51d62d2e0e006aa61480e94e5cd0582b0 cve-icon cve-icon
https://lore.kernel.org/linux-cve-announce/2025070323-CVE-2025-38107-9344@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-38107 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-38107 cve-icon
History

Fri, 04 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Thu, 03 Jul 2025 09:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.
Title net_sched: ets: fix a race in ets_qdisc_change()
References
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2025-07-28T04:12:22.514Z

Reserved: 2025-04-16T04:51:23.985Z

Link: CVE-2025-38107

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-07-03T09:15:24.273

Modified: 2025-07-03T15:13:53.147

Link: CVE-2025-38107

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-03T00:00:00Z

Links: CVE-2025-38107 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2025-07-06T22:16:22Z