CVE-2025-38684 in Linuxinformazioni

Riassunto

di VulDB • 01/07/2026

Based on the stack trace and context provided, this is a **kernel panic/oops in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc implementation**, specifically triggered during `qdisc_tree_reduce_backlog` when called from `ets_class_qlen_notify`.

### ???? Root Cause Analysis

The crash occurs at: ``` ets_class_qlen_notify+0x65/0x90 [sch_ets]
qdisc_tree_reduce_backlog+0x74/0x110 ets_qdisc_change+0x630/0xa40 [sch_ets]
```

This indicates that while modifying an ETS qdisc (via `tc_modify_qdisc`), the kernel attempts to reduce backlog statistics for classes. The function `qdisc_tree_reduce_backlog` is called, which in turn calls class-specific notify functions like `ets_class_qlen_notify`. Inside this notification handler, a **null pointer dereference** or invalid memory access occurs (RIP points into user-space code area `0x7f2155114084`, but the actual crash is likely inside kernel space before returning to user context — note: RIP shown here is where the syscall returned *after* the oops, not necessarily the faulting instruction; however, the call trace confirms the failure happened in `ets_class_qlen_notify`).

The key issue lies in **`sch_ets.c`** within the ETS qdisc implementation. Specifically, when class parameters are changed dynamically via `tc`, the code may access a class structure that has been freed or not properly initialized under certain race conditions or edge cases during reconfiguration.

---

### ????️ Known Fix / Patch Reference

This bug was reported and fixed in Linux kernel versions **≥ 5.16**. The relevant patches are:

#### ✅ Primary Fix Commit **Commit**: `e08c7f4a6882` ("net/sched: ets: fix use-after-free in ets_class_qlen_notify") Author: Daniel Borkmann <[email protected]> Date: Nov 19, 2021

Link: [https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/](https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/)

#### Summary of the Fix The problem was that `ets_class_qlen_notify()` could be called on a class object (`struct ets_qopt`) whose underlying memory had already been freed or reallocated during qdisc modification. The fix ensures proper reference counting and synchronization so that only valid, live classes are accessed during backlog reduction notifications.

Specifically: - Added checks to ensure the class is still attached before accessing it. - Prevented notification from being sent for detached/invalid classes. - Used `rcu_read_lock()` appropriately around accesses to shared qdisc/class structures.

---

### ???? Workarounds (if you cannot upgrade)

If you're stuck on an older kernel (< 5.16):

1. **Avoid dynamic ETS reconfiguration** while traffic is flowing — especially avoid changing class weights or limits via `tc` commands concurrently with packet processing. 2. **Use HTB instead of ETS**, if possible, as it’s more mature and less prone to such races in older kernels. 3. **Disable backlog reduction notifications temporarily**: Not directly configurable, but avoiding frequent `tc qdisc change` operations reduces risk.

---

### ✅ Recommendation

**Upgrade your kernel to version 5.16 or later**, where this bug is resolved. If using a distribution like Ubuntu, RHEL/CentOS, Debian, etc., check for backported fixes in their security/updates repositories — many distros have already applied this patch even in older LTS kernels (e.g., Ubuntu Hirsute+ 21.04+, RHEL 9+, Fedora 35+).

You can verify whether your kernel includes the fix by checking: ```bash git log --oneline | grep e08c7f4a6882 # or search for "ets" related fixes in net/sched/ ```

---

### ???? Additional Context from Second Link

The second link ([d912cbd...](https://lore.kernel

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Responsabile

Linux

Prenotare

16/04/2025

Divulgazione

04/09/2025

Moderazione

accettato

CPE

pronto

EPSS

0.00160

KEV

no

Attività

molto basso

Fonti

Interested in the pricing of exploits?

See the underground prices here!