CVE-2025-38115 in Linuxinfo

Summary

by MITRE • 07/03/2025

In the Linux kernel, the following vulnerability has been resolved:

net_sched: sch_sfq: fix a potential crash on gso_skb handling

SFQ has an assumption of always being able to queue at least one packet.

However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop.

Fix sfq_drop() to properly clear q->tail in this situation.


ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100

ip netns exec lb netserver

netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 &

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/18/2026

The vulnerability identified as CVE-2025-38115 affects the Linux kernel's traffic control subsystem, specifically within the Stochastic Fairness Queuing (SFQ) qdisc implementation. This issue stems from an incorrect assumption in the SFQ algorithm that it can always queue at least one packet, which becomes problematic when handling Generic Segmentation Offload (GSO) skbs. The flaw manifests when the qdisc's internal queue length calculation becomes inflated due to packets contained within the gso_skb structure, creating a scenario where an enqueue operation on an empty SFQ qdisc can be immediately followed by a packet drop.

The technical root cause lies in the sfq_drop() function's failure to properly clear the q->tail pointer when handling edge cases involving GSO skbs. This improper state management leads to a potential kernel crash when the qdisc attempts to process packets under these specific conditions. The vulnerability is particularly concerning because it operates at the network layer kernel space, where memory corruption or improper pointer handling can result in system instability or arbitrary code execution. According to CWE classification, this represents a weakness in the form of improper handling of pointers or memory management, specifically CWE-476.

The operational impact of this vulnerability extends beyond simple system crashes to potentially disrupt network services and cause denial of service conditions. When SFQ qdisc encounters the specific combination of GSO skb handling and queue state management issues, the kernel may experience unpredictable behavior that could affect network throughput and packet processing reliability. The crash scenario becomes more likely when network conditions force the qdisc to requeue GSO skbs while maintaining incorrect internal state pointers. This vulnerability affects systems that utilize SFQ qdisc with GSO enabled, particularly in virtualized environments or network namespaces where the specific traffic patterns described in the reproduction steps can be easily triggered.

The mitigation strategy involves applying the kernel patch that corrects the sfq_drop() function to properly handle the clearing of q->tail when GSO skbs are involved in queue operations. This fix ensures proper state management and prevents the kernel crash scenario. Organizations should prioritize updating their kernel versions to include this fix, particularly those running network-intensive applications or virtualized environments that utilize SFQ qdisc. The ATT&CK framework categorizes this vulnerability under T1499.004 (Endpoint Denial of Service) and T1595.001 (Network Denial of Service) as it can be exploited to cause system instability and network service disruption through carefully crafted network traffic patterns that trigger the specific queue management condition. Network administrators should monitor for any unusual system behavior or crashes in environments where SFQ qdisc is actively used, especially when GSO is enabled on network interfaces.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00172

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!