Vulnerability Database

318,756

Total vulnerabilities in the database

CVE-2025-38107

In the Linux kernel, the following vulnerability has been resolved:

net_sched: ets: fix a race in ets_qdisc_change()

Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time.

The race is as follows:

CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.

  • Published: Jul 3, 2025
  • Updated: Dec 17, 2025
  • CVE: CVE-2025-38107
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7
  • AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

Software From Fixed in
linux / linux_kernel 5.4.213 5.5
linux / linux_kernel 5.10.142 5.10.239
linux / linux_kernel 5.15.66 5.15.186
linux / linux_kernel 5.19.8 6.0
linux / linux_kernel 6.0.1 6.1.142
linux / linux_kernel 6.2 6.6.94
linux / linux_kernel 6.7 6.12.34
linux / linux_kernel 6.13 6.15.3
linux / linux_kernel 6.0 6.0.x
linux / linux_kernel 6.0-rc4 6.0-rc4.x
linux / linux_kernel 6.0-rc5 6.0-rc5.x
linux / linux_kernel 6.0-rc6 6.0-rc6.x
linux / linux_kernel 6.0-rc7 6.0-rc7.x
linux / linux_kernel 6.16-rc1 6.16-rc1.x
debian / debian_linux 11.0 11.0.x