Updated: 2025-11-19 04:39:54.934809
Description:
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure that the code won't insert the class in the vttree or eltree twice, catering for the reentrant case. [1] https://lore.kernel.org/netdev/CAHcdcOm+03OD2j6R0=YHKqmy=VgJ8xEOKuP6c7mSgnp-TEJJbw@mail.gmail.com/
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0.0 | |
| CVSS Version 3.x | HIGH | 7.8 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | kernel | 5.14.0 | 7.8 | HIGH | Released | CLSA-2025:1758034087 | 2025-09-16 22:43:02 | |
| CentOS 8.4 ELS | kernel | 4.18.0 | 7.8 | HIGH | Released | CLSA-2025:1757961864 | 2025-09-16 00:52:19 | |
| CentOS 8.5 ELS | kernel | 4.18.0 | 7.8 | HIGH | Released | CLSA-2025:1757962453 | 2025-09-16 00:52:21 | |
| CentOS Stream 8 ELS | kernel | 4.18.0 | 7.8 | HIGH | Released | CLSA-2025:1757961506 | 2025-09-16 00:52:17 | |
| Oracle Linux 7 ELS | kernel-uek | 5.4.17 | 7.8 | HIGH | Released | CLSA-2025:1757963029 | 2025-09-16 11:20:28 | |
| TuxCare 9.6 ESU | kernel | 5.14.0 | 7.8 | HIGH | Already Fixed | 2025-12-08 17:38:13 | ||
| Ubuntu 18.04 ELS | linux | 4.15.0 | 7.8 | HIGH | Not Vulnerable | 2025-08-12 00:34:44 | ||
| Ubuntu 20.04 ELS | linux | 5.4.0 | 7.8 | HIGH | Released | CLSA-2025:1758019011 | 2025-09-16 22:30:14 |