CVE-2025-38350 — linux / linux_kernel
Use After FreeIn the Linux kernel, the following vulnerability has been resolved:
net/sched: Always pass notifications when child class becomes empty
Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free.
The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free:
tc qdisc add dev lo root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo parent 1: classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
tc qdisc add dev lo parent 2:1 handle 3: netem
tc qdisc add dev lo parent 3:1 handle 4: blackhole
echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
tc class delete dev lo classid 1:1
echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | 5.4.294 | 5.4.296 |
| linux / linux_kernel | 5.10.238 | 5.10.240 |
| linux / linux_kernel | 5.15.185 | 5.15.187 |
| linux / linux_kernel | 6.1.141 | 6.1.144 |
| linux / linux_kernel | 6.6.93 | 6.6.97 |
| linux / linux_kernel | 6.12.31 | 6.12.37 |
| linux / linux_kernel | 6.14.9 | 6.15 |
| linux / linux_kernel | 6.15.1 | 6.15.6 |
| linux / linux_kernel | 6.15 | 6.15.x |
| linux / linux_kernel | 6.16-rc1 | 6.16-rc1.x |
| linux / linux_kernel | 6.16-rc2 | 6.16-rc2.x |
| linux / linux_kernel | 6.16-rc3 | 6.16-rc3.x |
| linux / linux_kernel | 6.16-rc4 | 6.16-rc4.x |
| debian / debian_linux | 11.0 | 11.0.x |
- https://cert-portal.siemens.com/productcert/html/ssa-082556.html
- https://cert-portal.siemens.com/productcert/html/ssa-089022.html
- https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09
- https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43
- https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb
- https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5
- https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472
- https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070
- https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7
- https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.