CVE-2025-37752 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: move the limit validation

It is not sufficient to directly validate the limit on the data that the user passes as it can be updated based on how the other parameters are changed.

Move the check at the end of the configuration update process to also catch scenarios where the limit is indirectly updated, for example with the following configurations:

tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1 tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6 index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429 sfq_link net/sched/sch_sfq.c:203 [inline]
sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability identified as CVE-2025-37752 affects the Linux kernel's traffic control subsystem, specifically within the sfq qdisc implementation. This issue resides in the network scheduling functionality that manages packet queuing and scheduling for network interfaces. The sfq qdisc, or Stochastic Fairness Queueing, is designed to provide fair bandwidth distribution among flows while maintaining low latency. The vulnerability stems from improper validation of the limit parameter during qdisc configuration updates, creating a scenario where indirect parameter modifications can lead to out-of-bounds memory access. The root cause lies in the timing of validation checks within the configuration update process, where initial validation occurs before all parameter interactions have been fully resolved. This flaw specifically impacts the sfq implementation in net/sched/sch_sfq.c at line 203, where an array index calculation fails due to improperly validated limit values that can be indirectly modified through other parameter relationships.

The technical flaw manifests as an array-index-out-of-bounds condition when the sfq qdisc processes packet scheduling operations. During the configuration update process, the limit parameter can be modified indirectly through interactions with other parameters such as flows, depth, and divisor. The original validation logic only checked the limit value at the beginning of the configuration process, before all parameter dependencies had been properly resolved. When syzkaller's fuzzing detected this condition, it triggered a UBSAN (Undefined Behavior Sanitizer) error indicating that an index value of 65535 exceeded the bounds of a struct sfq_head array of size 128. This occurs because the limit parameter, which determines the maximum number of packets that can be queued, can be indirectly manipulated through parameter relationships that aren't accounted for in the initial validation. The crash path shows the execution flow leading to sfq_link function, followed by sfq_dec which attempts to access memory beyond the allocated array bounds, ultimately causing a kernel panic through the UBSAN handler.

The operational impact of this vulnerability extends beyond simple kernel crashes, as it represents a potential vector for privilege escalation and denial of service attacks within network management contexts. Attackers could exploit this vulnerability by crafting specific tc (traffic control) commands that manipulate qdisc parameters in ways that bypass initial validation, ultimately leading to kernel memory corruption. The vulnerability affects systems running Linux kernels that utilize the sfq qdisc implementation for network traffic management, particularly those with complex network configurations where qdisc parameters interact dynamically. The issue is particularly concerning in virtualized environments or containerized systems where network traffic control is frequently manipulated, as these scenarios are more likely to trigger the specific parameter interaction patterns that expose the vulnerability. The crash occurs during qdisc reset operations, which are fundamental to network interface management and can affect system stability during network reconfiguration or interface deactivation processes, potentially causing service disruption across multiple network connections.

Mitigation strategies for CVE-2025-37752 involve applying the kernel patch that moves limit validation to occur after all parameter updates have been processed, ensuring that indirect modifications are properly accounted for before bounds checking. The fix implements a post-processing validation approach that validates the limit parameter at the conclusion of the configuration update cycle, rather than at the beginning, preventing scenarios where parameter interactions could result in invalid limit values. System administrators should prioritize applying kernel updates that include this fix, particularly in environments where network traffic control is actively managed or where the system may be exposed to untrusted network traffic control commands. Monitoring for UBSAN errors or kernel oops messages related to sfq qdisc operations should be implemented, as these can serve as early indicators of potential exploitation attempts. The vulnerability also highlights the importance of comprehensive parameter validation in kernel subsystems where parameter relationships can create unexpected interactions, reinforcing the need for robust validation frameworks that account for all potential parameter dependencies and their dynamic interactions within complex subsystems such as the Linux traffic control framework. This fix aligns with security best practices outlined in CWE-129, which addresses improper validation of array indices, and follows ATT&CK techniques related to privilege escalation through kernel vulnerabilities, specifically targeting the T1068 technique of exploiting local privilege escalation opportunities in kernel space.

Responsible

Linux

Reservation

04/16/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!