net/sched: Abort __tc_modify_qdisc if parent class does not exist

Summary

CVE	CVE-2025-38457
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2025-07-25 16:15:31 UTC
Updated	2026-05-12 13:16:49 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/[email protected]/

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: NVD-CWE-noinfo

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Linux	Linux Kernel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 923a276c74e25073ae391e930792ac86a9f77f1e git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 90436e72c9622c2f70389070088325a3232d339f git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 25452638f133ac19d75af3f928327d8016952c8e git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 23c165dde88eac405eebb59051ea1fe139a45803 git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 8ecd651ef24ab50123692a4e3e25db93cb11602a git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 e28a383d6485c3bb51dc5953552f76c4dea33eea git	Not specified
CNA	Linux	Linux	affected 5e50da01d0ce7ef0ba3ed6cfabd62f327da0aca6 ffdde7bf5a439aaa1955ebd581f5c64ab1533963 git	Not specified
CNA	Linux	Linux	affected 2.6.20	Not specified
CNA	Linux	Linux	unaffected 2.6.20 semver	Not specified
CNA	Linux	Linux	unaffected 5.4.296 5.4.* semver	Not specified
CNA	Linux	Linux	unaffected 5.10.240 5.10.* semver	Not specified
CNA	Linux	Linux	unaffected 5.15.189 5.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.1.146 6.1.* semver	Not specified
CNA	Linux	Linux	unaffected 6.6.99 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.39 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.15.7 6.15.* semver	Not specified
CNA	Linux	Linux	unaffected 6.16 * original_commit_for_fix	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/923a276c74e25073ae391e930792ac86a9f77f1e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/90436e72c9622c2f70389070088325a3232d339f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/10/msg00008.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-082556.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com
git.kernel.org/stable/c/4c691d1b6b6dbd73f30ed9ee7da05f037b0c49af	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/25452638f133ac19d75af3f928327d8016952c8e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/23c165dde88eac405eebb59051ea1fe139a45803	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/ffdde7bf5a439aaa1955ebd581f5c64ab1533963	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
git.kernel.org/stable/c/8ecd651ef24ab50123692a4e3e25db93cb11602a	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
lists.debian.org/debian-lts-announce/2025/10/msg00007.html	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Third Party Advisory
git.kernel.org/stable/c/e28a383d6485c3bb51dc5953552f76c4dea33eea	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org	Patch
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.