CVE-2025-38457 in Linux
Summary
by MITRE • 07/25/2025
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Abort __tc_modify_qdisc if parent class does not exist
Lion's patch [1] revealed an ancient bug in the qdisc API.
Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However, grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc.), an issue arises. For example, executing the following commands:
sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq
Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null.
The solution is to ensure that qdisc_leaf(), which looks up the parent class and is invoked prior to qdisc_create(), returns failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.
[1] https://lore.kernel.org/netdev/[email protected]/
Analysis
by VulDB Data Team • 01/03/2026
The vulnerability CVE-2025-38457 represents a critical flaw in the Linux kernel's traffic control subsystem, specifically within the qdisc (queueing discipline) API implementation. This issue stems from a fundamental race condition and improper validation during qdisc creation operations, creating a pathway for potential system instability and denial of service conditions. The vulnerability manifests when users attempt to create or modify qdisc configurations that reference non-existent parent classes, exposing a long-standing bug that has persisted through kernel versions. The flaw is particularly concerning because it affects core networking functionality and can be triggered through standard traffic control commands, making it accessible to both legitimate users and potential attackers.
The technical root cause lies in the qdisc API's handling of parent class validation during the qdisc creation lifecycle. When a user specifies a parent qdisc that does not correspond to an actual class, the system should reject this configuration before proceeding with initialization. However, the unpatched implementation allows qdisc creation to complete, only to fail later during grafting operations. The qdisc_tree_reduce_backlog function is invoked unconditionally during initialization or modification operations for certain qdisc types including fq, hhf, and choke, causing the system to attempt operations on non-existent child classes. This produces a null pointer dereference: because qdisc_leaf() returns NULL rather than an error for a missing class, creation proceeds, and qdisc_tree_reduce_backlog() fails to find the child class yet still invokes qlen_notify() with a null class that the qdisc code assumes is valid, resulting in system crashes or undefined behavior.
The operational impact of this vulnerability extends beyond simple system crashes, as it represents a denial of service vector that can disrupt network functionality on affected systems. When exploited, the vulnerability can cause the kernel to panic or hang during qdisc operations, effectively disabling network traffic control capabilities on the affected interface. This affects systems running the Linux kernel where traffic control is actively used, particularly those implementing complex queuing disciplines for network management. The vulnerability is especially dangerous in production environments where network stability is critical, as it can be triggered through simple tc commands that administrators might use for routine network configuration tasks.
The fix implemented addresses the issue by modifying the qdisc_leaf() function to return error pointers (ERR_PTR) when a parent ID does not correspond to a valid class, enabling early detection and rejection of invalid qdisc configurations. This approach aligns with the principle of fail-fast design patterns commonly recommended in secure coding practices and follows the ATT&CK framework's approach to preventing privilege escalation through kernel vulnerabilities. The solution prevents qdisc_create() from being called when the parent class does not exist, thereby avoiding the problematic sequence that leads to null pointer dereferences. This patch demonstrates proper input validation and error handling that aligns with CWE-248 (Uncaught Exception) and CWE-476 (NULL Pointer Dereference) categories, ensuring that invalid configurations are rejected at the earliest possible point in the execution flow.
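The ordering problem described in the root-cause paragraph and the ERR_PTR check in the fix paragraph, modelled side by side in a user-space C program. This is an added illustration, not the kernel's code: the struct layouts, the sample class tree, the helper names qdisc_leaf_old/qdisc_leaf_new/modify_qdisc and the -ENOENT error value are all assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the class lookup that precedes qdisc_create(); constructed for
 * illustration, not kernel code. ERR_PTR/IS_ERR/PTR_ERR mirror include/linux/err.h. */
#define MAX_ERRNO 4095
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define IS_ERR(p)    ((uintptr_t)(p) >= (uintptr_t)-MAX_ERRNO)
#define PTR_ERR(p)   ((long)(intptr_t)(p))

struct qdisc   { const char *kind; };                      /* stand-in for struct Qdisc */
struct tcclass { uint32_t classid; struct qdisc *leaf; };  /* stand-in for a class */
/* Constructed sample tree: root htb "a:" (handle 0xa0000) owns a single class a:2. */
static struct qdisc   a2_leaf = { "pfifo" };
static struct tcclass classes[] = { { 0x000a0002u, &a2_leaf } };
static struct tcclass *find_class(uint32_t classid) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (classes[i].classid == classid) return &classes[i];
    return NULL;
}
/* Pre-fix: NULL means both "class exists but has no leaf" and "no such class". */
static struct qdisc *qdisc_leaf_old(uint32_t classid) {
    struct tcclass *cl = find_class(classid);
    return cl ? cl->leaf : NULL;
}

/* Fixed: a missing class becomes an error pointer the caller can test (-ENOENT assumed). */
static struct qdisc *qdisc_leaf_new(uint32_t classid) {
    struct tcclass *cl = find_class(classid);
    return cl ? cl->leaf : (struct qdisc *)ERR_PTR(-ENOENT);
}

/* Simplified tc_modify_qdisc: 0 on success, negative errno on abort; *create_called
 * records whether qdisc_create() (and so the qdisc's init() callback) would run. */
static int modify_qdisc(uint32_t parent, bool fixed, bool *create_called) {
    struct qdisc *q = fixed ? qdisc_leaf_new(parent) : qdisc_leaf_old(parent);
    *create_called = false;
    if (IS_ERR(q)) return (int)PTR_ERR(q);  /* only reachable on the fixed path */
    *create_called = true;                  /* old path: NULL looks like an empty class */
    return 0;
}

int main(void) {  /* "parent a:" (0xa0000) names the qdisc itself, not one of its classes */
    for (int fixed = 0; fixed < 2; fixed++) {
        bool created; int rc = modify_qdisc(0x000a0000u, fixed, &created);
        printf("%s: rc=%d create_called=%d\n", fixed ? "fixed" : "old", rc, created);
    }
}
```

With the old lookup the request for "parent a:" reaches qdisc_create() and therefore the qdisc's init(); with the fixed lookup it is rejected before that point.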
Mitigation strategies for this vulnerability should include immediate kernel updates to versions containing the patched code, as well as implementing monitoring for unusual tc command usage patterns that might indicate exploitation attempts. Network administrators should also consider implementing additional security controls such as restricted user permissions for traffic control operations and regular system auditing to detect potential abuse of qdisc APIs. Organizations relying heavily on traffic control functionality should test the patched kernel versions in controlled environments before widespread deployment to ensure compatibility with existing network configurations. The vulnerability highlights the importance of thorough API validation in kernel space and demonstrates how seemingly simple configuration errors can lead to critical system instability, emphasizing the need for comprehensive testing of network subsystems in security-hardened environments.