Linux Kernel Vulnerability in Network Scheduling
CVE-2025-37992
What is CVE-2025-37992?
A vulnerability in the Linux kernel affects network scheduling: when a qdisc's limit is reduced, the gso_skb list may not be fully cleared, which can lead to a NULL pointer dereference. The problem occurs during the ->change() operation, which adjusts only the primary skb queue and leaves packets unhandled in the gso_skb list. To address this, a new function, qdisc_dequeue_internal(), was introduced to ensure that both the gso_skb list and the main queue are drained correctly during these adjustments. All affected queue disciplines (codel, fq, fq_codel, fq_pie, hhf, pie) have been updated to use it.
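A simplified user-space model of the pattern described above, added here as an example (it is not kernel code and not part of the advisory): change_limit_old mirrors a ->change() handler that shrinks only the main queue, while change_limit_fixed drains through a qdisc_dequeue_internal() modelled on the kernel's; the struct layout, helper names and packet counts are assumptions for illustration.

```c
/* Simplified user-space model (not kernel code) of a qdisc whose packets live in
 * two places: the main queue q and the gso_skb list of requeued packets. */
#include <stdlib.h>
struct skb { int id; struct skb *next; };
struct qdisc { struct skb *gso_skb; struct skb *q; int qlen; };

static struct skb *pop(struct skb **head) {
    struct skb *s = *head;
    if (s) *head = s->next;
    return s;
}
static void push(struct skb **head, int id) {
    struct skb *s = malloc(sizeof *s);
    s->id = id; s->next = *head; *head = s;
}

/* Queue nmain packets in q and ngso requeued packets in gso_skb; qlen counts both. */
void setup_qdisc(struct qdisc *sch, int nmain, int ngso) {
    sch->gso_skb = sch->q = NULL; sch->qlen = 0;
    for (int i = 0; i < nmain; i++) push(&sch->q, sch->qlen++);
    for (int i = 0; i < ngso; i++) push(&sch->gso_skb, sch->qlen++);
}

/* Mirrors the fix: take from gso_skb first, then the main queue, keeping qlen in step. */
struct skb *qdisc_dequeue_internal(struct qdisc *sch) {
    struct skb *s = pop(&sch->gso_skb);
    if (!s) s = pop(&sch->q);
    if (s) sch->qlen--;
    return s;
}

/* Pre-fix ->change() pattern: shrinks only q although qlen still counts gso_skb packets.
 * Returns -1 where the kernel would have dereferenced a NULL skb. */
int change_limit_old(struct qdisc *sch, int limit) {
    int dropped = 0;
    while (sch->qlen > limit) {
        struct skb *s = pop(&sch->q);
        if (!s) return -1; /* q already empty, yet qlen > limit because of gso_skb */
        sch->qlen--; free(s); dropped++;
    }
    return dropped;
}

/* Fixed ->change() pattern: drains both lists through qdisc_dequeue_internal(). */
int change_limit_fixed(struct qdisc *sch, int limit) {
    int dropped = 0;
    struct skb *s;
    while (sch->qlen > limit && (s = qdisc_dequeue_internal(sch)) != NULL) {
        free(s); dropped++;
    }
    return dropped;
}
```

With two packets in q and two in gso_skb, lowering the limit to 1 makes the old pattern run out of main-queue packets while qlen is still above the limit, whereas the fixed pattern drops three packets and leaves qlen consistent with what remains.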
Affected Version(s)
Linux 76e3cc126bb223013a6b9a0e2a51238d1ef2e409