CVE-2025-38684 in Linux
Sumário
de VulDB • 09/06/2026
Based on the crash trace and the provided links, this is a **kernel panic/oops in the Linux networking subsystem**, specifically within the **ETS (Enhanced Transmission Selection) qdisc** (`sch_ets`).
### **Summary of the Issue** The crash occurs in `ets_class_qlen_notify` when modifying an ETS qdisc via `tc` (traffic control). The root cause is a **race condition or use-after-free** related to how ETS handles class backlog notifications during qdisc changes.
---
### **Detailed Analysis**
#### **1. Crash Location** - **Function:** `ets_class_qlen_notify+0x65/0x90 [sch_ets]`
- **Context:** Called from `qdisc_tree_reduce_backlog`, which is invoked during `ets_qdisc_change` (when modifying the qdisc configuration). - **Trigger:** A user-space `tc` command (via `rtnetlink`) is modifying the ETS qdisc.
#### **2. Root Cause** The ETS qdisc maintains a list of classes. When the qdisc is modified (`ets_qdisc_change`), it may need to adjust the backlog (queue length) of classes. The function `ets_class_qlen_notify` is called to notify the class about changes in queue length.
The bug likely involves: - **Dereferencing a freed or invalid pointer:** The `qdisc` or `class` pointer passed to `ets_class_qlen_notify` may have been freed or is no longer valid during the modification process. - **Race Condition:** Multiple threads or contexts might be accessing the qdisc structure concurrently without proper locking.
#### **3. Relevant Patches/Fixes** The links provided point to discussions and patches in the Linux kernel netdev mailing list:
- **[1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/**
- This is likely a patch from **Davide Caratti** (Red Hat) addressing the issue. - The patch probably adds proper locking or checks to prevent accessing invalid pointers during qdisc changes.
- **[2] https://lore.kernel.org/netdev/[email protected]/**
- This may be a report or discussion about the bug, possibly from a user or developer encountering the crash.
#### **4. How to Fix/Workaround** - **Update Kernel:** If you are using a kernel version older than the one where this patch was merged, **upgrade to a newer kernel** that includes the fix. - **Avoid Concurrent Modifications:** Do not modify ETS qdiscs while traffic is being actively shaped or while other `tc` commands are running concurrently. - **Apply Patch:** If you cannot upgrade, you can manually apply the patch from the mailing list to your kernel source.
---
### **Steps to Verify** 1. **Check Kernel Version:** ```bash uname -r ``` 2. **Check for Patch:** Search the kernel source tree for the patch title or commit hash from the mailing list links. 3. **Reproduce:** Try to reproduce the crash by modifying the ETS qdisc while traffic is active.
---
### **Conclusion** This is a known bug in the ETS qdisc implementation. The fix involves ensuring proper synchronization and pointer validity checks during qdisc modifications. Upgrading to a kernel version that includes the fix from the netdev mailing list is the recommended solution.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.