Race Condition Vulnerability in Linux Kernel Affects Network Scheduler Components
CVE-2025-38477
What is CVE-2025-38477?
A race condition exists in the Linux kernel's network scheduler components, specifically around qfq_aggregate. The issue arises when the 'agg' structure is accessed and modified concurrently by multiple threads during network packet handling. For example, qfq_dump_class can trigger a NULL dereference, while qfq_delete_class can cause a use-after-free. The patch addresses this by ensuring the qfq_destroy_class operation occurs within a critical section and by adding sch_tree_lock protection around functions such as qfq_dump_class and qfq_dump_class_stats.
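Added example, not code from the kernel or from the patch: a user-space C model of the fix described above, in which a pthread mutex stands in for sch_tree_lock and the names change_agg, dump_class, delete_class and run_model are hypothetical. The reader dereferences agg only while holding the lock, and the delete path frees it inside the same critical section, so a concurrent writer never exposes a freed or NULL pointer.

```c
/* User-space model of the locking pattern; not kernel code, names are hypothetical. */
#include <pthread.h>
#include <stdlib.h>
struct agg { int weight; };             /* stands in for the shared 'agg' */
struct cls { struct agg *agg; };        /* a class pointing at its aggregate */
static pthread_mutex_t tree_lock = PTHREAD_MUTEX_INITIALIZER; /* models sch_tree_lock */
static struct cls the_class, *table[1] = { &the_class };      /* one-slot class table */
static struct agg *new_agg(int weight) {
    struct agg *a = malloc(sizeof(*a));
    if (!a) abort();
    a->weight = weight;
    return a;
}
static void change_agg(int weight) {    /* writer: swap in a new aggregate */
    pthread_mutex_lock(&tree_lock);
    if (table[0]) {
        free(table[0]->agg);            /* agg is dangling until the next line */
        table[0]->agg = new_agg(weight);
    }
    pthread_mutex_unlock(&tree_lock);
}
static int dump_class(void) {           /* reader: touch agg only under the lock */
    pthread_mutex_lock(&tree_lock);
    int w = table[0] ? table[0]->agg->weight : -1;  /* -1: class already deleted */
    pthread_mutex_unlock(&tree_lock);
    return w;
}
static void delete_class(void) {        /* unlink and destroy in one critical section */
    pthread_mutex_lock(&tree_lock);
    if (table[0]) free(table[0]->agg);
    table[0] = NULL;
    pthread_mutex_unlock(&tree_lock);
}
static void *writer(void *arg) {
    for (int i = 1; i <= 20000; i++) change_agg(i);
    return arg;
}
/* Race the writer against 20000 dumps, then delete; returns the number of bad reads. */
int run_model(void) {
    pthread_t t;
    int bad = 0;
    the_class.agg = new_agg(1);
    if (pthread_create(&t, NULL, writer, NULL)) abort();
    for (int i = 0; i < 20000; i++) bad += (dump_class() < 1);
    pthread_join(t, NULL);
    delete_class();
    return bad + (dump_class() != -1);
}
int main(void) { return run_model(); }
```

Removing the lock calls from dump_class or moving the free in delete_class after the unlock reintroduces the window the advisory describes; running that variant under a thread or address sanitizer makes the race visible.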
Affected Version(s)
Linux 462dbc9101acd38e92eda93c0726857517a24bbd < 466e10194ab81caa2ee6a332d33ba16bcceeeba6
Linux 462dbc9101acd38e92eda93c0726857517a24bbd