CVE-2025-21971 in Linuxinfo

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net_sched: Prevent creation of classes with TC_H_ROOT

The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho.

Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/01/2026

This vulnerability resides within the Linux kernel's traffic control subsystem, specifically affecting the net_sched component responsible for managing network packet scheduling and queuing disciplines. The flaw manifests in how the kernel handles qdisc tree traversal operations, particularly when processing backlog counters for parent qdisc nodes. The core issue stems from the qdisc_tree_reduce_backlog() function which employs TC_H_ROOT as a termination condition during upward traversal of the qdisc hierarchy to maintain accurate backlog statistics. When a malicious or erroneous process attempts to create a qdisc class with the classid TC_H_ROOT set to 0xFFFFFFFF, the traversal logic prematurely terminates at this artificial root class instead of continuing to the actual kernel root qdisc node. This incorrect termination leads to cascading failures in parent statistics maintenance and can result in severe operational consequences including system instability and potential crashes.

The technical exploitation of this vulnerability occurs through improper classid assignment within qdisc operations, specifically targeting the TC_H_ROOT identifier that serves as both a legitimate root reference and a critical termination condition in the traversal algorithm. When a class is created with this specific classid, the kernel's traversal mechanism fails to properly account for the hierarchical structure, causing parent qdisc nodes to lose accurate backlog counter information. This mismanagement of statistics can trigger memory corruption patterns particularly in the DRR (Deficit Round Robin) queuing discipline implementation, as documented by Mingi Cho who reported the crash conditions. The vulnerability represents a classic case of improper input validation and boundary condition handling within kernel space operations, where a legitimate identifier is being misused as both a reference point and a termination signal in the same operational context.

The operational impact of this vulnerability extends beyond simple statistical inaccuracies to potentially compromise system stability and availability. The most severe consequence occurs in DRR implementations where the premature termination of traversal can lead to memory access violations and kernel crashes, effectively causing denial of service conditions. Network services relying on traffic control mechanisms may experience intermittent failures or complete service outages when malicious or faulty applications attempt to create qdisc classes with TC_H_ROOT identifiers. The vulnerability affects all qdisc types across the kernel's traffic control framework, meaning that any network configuration utilizing queuing disciplines could be impacted. System administrators may observe unexpected kernel panics or crashes during high network traffic periods when the traversal logic encounters these malformed class structures.

Mitigation strategies for this vulnerability must be implemented at multiple levels to ensure comprehensive protection. The primary fix involves preventing the creation of any qdisc class with the TC_H_ROOT classid across all qdisc implementations, which effectively blocks the root cause of the traversal issue. Kernel-level patches should enforce strict validation of classid parameters during qdisc creation operations, rejecting any attempt to assign the 0xFFFFFFFF identifier as a classid value. Network administrators should implement monitoring solutions to detect unusual qdisc creation patterns and classid assignments that might indicate exploitation attempts. Additionally, systems should be configured to avoid using deprecated or experimental queuing disciplines that may not properly validate classid parameters. The fix aligns with security best practices outlined in CWE-248 and follows ATT&CK techniques related to kernel exploitation and privilege escalation through improper input validation. Organizations should prioritize kernel updates and maintain strict network traffic control configurations to prevent unauthorized qdisc manipulation while ensuring that legitimate network management operations continue to function properly without disruption.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00187

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!