Linux Kernel up to 6.15.0 net_sched cl_nactive infinite loop

| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Linux Kernel up to 6.15.0 and classified as problematic. This issue affects some unknown processing of the component net_sched. Such manipulation of the argument cl_nactive leads to infinite loop. This vulnerability is documented as CVE-2025-38001. There is not any exploit available. It is suggested to upgrade the affected component.
Details
A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.15.0. Affected by this issue is an unknown code of the component net_sched. The manipulation of the argument cl_nactive with an unknown input leads to a infinite loop vulnerability. Using CWE to declare the problem leads to CWE-835. The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Impacted is availability. CVE summarizes:
In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u
The advisory is available at git.kernel.org. This vulnerability is handled as CVE-2025-38001 since 04/16/2025. Technical details are known, but there is no available exploit.
The vulnerability scanner Nessus provides a plugin with the ID 240328 (Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2025-1037)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 5.4.294, 5.10.238, 5.15.185, 6.1.141, 6.6.93, 6.12.32, 6.14.10 or 6.15.1 eliminates this vulnerability. Applying the patch e5bee633cc276410337d54b99f77fbc1ad8801e5/6672e6c00810056acaac019fe26cdc26fee8a66c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28/a0ec22fa20b252edbe070a9de8501eef63c17ef5/295f7c579b07b5b7cf2dffe485f71cc2f27647cb/2f2190ce4ca972051cac6a8d7937448f8cb9673c/4e38eaaabfb7fffbb371a51150203e19eee5d70e/39ed887b1dd2d6b720f87e86692ac3006cc111c8 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (240328), EUVD (EUVD-2025-17306) and CERT Bund (WID-SEC-2025-1270). If you want to get best quality of vulnerability data, you may have to visit VulDB.
Affected
- Google Container-Optimized OS
- Debian Linux
- Amazon Linux 2
- Red Hat Enterprise Linux
- Ubuntu Linux
- SUSE Linux
- Oracle Linux
- Dell Avamar
- Open Source Linux Kernel
- Dell NetWorker
- Dell Secure Connect Gateway
Product
Type
Vendor
Name
Version
- 5.4.293
- 5.10.237
- 5.15.184
- 6.0
- 6.1
- 6.1.140
- 6.2
- 6.3
- 6.4
- 6.5
- 6.6
- 6.6.0
- 6.6.1
- 6.6.2
- 6.6.3
- 6.6.4
- 6.6.5
- 6.6.6
- 6.6.7
- 6.6.8
- 6.6.9
- 6.6.10
- 6.6.11
- 6.6.12
- 6.6.13
- 6.6.14
- 6.6.15
- 6.6.16
- 6.6.17
- 6.6.18
- 6.6.19
- 6.6.20
- 6.6.21
- 6.6.22
- 6.6.23
- 6.6.24
- 6.6.25
- 6.6.26
- 6.6.27
- 6.6.28
- 6.6.29
- 6.6.30
- 6.6.31
- 6.6.32
- 6.6.33
- 6.6.34
- 6.6.35
- 6.6.36
- 6.6.37
- 6.6.38
- 6.6.39
- 6.6.40
- 6.6.41
- 6.6.42
- 6.6.43
- 6.6.44
- 6.6.45
- 6.6.46
- 6.6.47
- 6.6.48
- 6.6.49
- 6.6.50
- 6.6.51
- 6.6.52
- 6.6.53
- 6.6.54
- 6.6.55
- 6.6.56
- 6.6.57
- 6.6.58
- 6.6.59
- 6.6.60
- 6.6.61
- 6.6.62
- 6.6.63
- 6.6.64
- 6.6.65
- 6.6.66
- 6.6.67
- 6.6.68
- 6.6.69
- 6.6.70
- 6.6.71
- 6.6.72
- 6.6.73
- 6.6.74
- 6.6.75
- 6.6.76
- 6.6.77
- 6.6.78
- 6.6.79
- 6.6.80
- 6.6.81
- 6.6.82
- 6.6.83
- 6.6.84
- 6.6.85
- 6.6.86
- 6.6.87
- 6.6.88
- 6.6.89
- 6.6.90
- 6.6.91
- 6.6.92
- 6.7
- 6.8
- 6.9
- 6.10
- 6.11
- 6.12
- 6.12.0
- 6.12.1
- 6.12.2
- 6.12.3
- 6.12.4
- 6.12.5
- 6.12.6
- 6.12.7
- 6.12.8
- 6.12.9
- 6.12.10
- 6.12.11
- 6.12.12
- 6.12.13
- 6.12.14
- 6.12.15
- 6.12.16
- 6.12.17
- 6.12.18
- 6.12.19
- 6.12.20
- 6.12.21
- 6.12.22
- 6.12.23
- 6.12.24
- 6.12.25
- 6.12.26
- 6.12.27
- 6.12.28
- 6.12.29
- 6.12.30
- 6.12.31
- 6.13
- 6.14
- 6.14.0
- 6.14.1
- 6.14.2
- 6.14.3
- 6.14.4
- 6.14.5
- 6.14.6
- 6.14.7
- 6.14.8
- 6.14.9
- 6.15.0
License
Website
- Vendor: https://www.kernel.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.6VulDB Meta Temp Score: 5.5
VulDB Base Score: 5.7
VulDB Temp Score: 5.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Infinite loopCWE: CWE-835 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 240328
Nessus Name: Amazon Linux 2023 : bpftool, kernel, kernel-devel (ALAS2023-2025-1037)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Kernel 5.4.294/5.10.238/5.15.185/6.1.141/6.6.93/6.12.32/6.14.10/6.15.1
Patch: e5bee633cc276410337d54b99f77fbc1ad8801e5/6672e6c00810056acaac019fe26cdc26fee8a66c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28/a0ec22fa20b252edbe070a9de8501eef63c17ef5/295f7c579b07b5b7cf2dffe485f71cc2f27647cb/2f2190ce4ca972051cac6a8d7937448f8cb9673c/4e38eaaabfb7fffbb371a51150203e19eee5d70e/39ed887b1dd2d6b720f87e86692ac3006cc111c8
Timeline
04/16/2025 🔍06/06/2025 🔍
06/06/2025 🔍
02/19/2026 🔍
Sources
Vendor: kernel.orgAdvisory: git.kernel.org
Status: Confirmed
CVE: CVE-2025-38001 (🔍)
GCVE (CVE): GCVE-0-2025-38001
GCVE (VulDB): GCVE-100-311546
EUVD: 🔍
CERT Bund: WID-SEC-2025-1270 - Linux Kernel: Mehrere Schwachstellen ermöglichen Denial of Service
Entry
Created: 06/06/2025 17:15Updated: 02/19/2026 09:09
Changes: 06/06/2025 17:15 (59), 06/09/2025 14:27 (1), 06/09/2025 17:21 (1), 06/24/2025 12:06 (2), 07/20/2025 21:24 (7), 08/06/2025 21:33 (1), 09/11/2025 20:38 (1), 12/17/2025 21:51 (10), 02/19/2026 09:09 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get best quality of vulnerability data, you may have to visit VulDB.
No comments yet. Languages: en.
Please log in to comment.