CVE-2025-38001 Overview
CVE-2025-38001 is a Use After Free vulnerability in the Linux kernel's Hierarchical Fair Service Curve (HFSC) network packet scheduler. The vulnerability exists in the net_sched subsystem where a reentrant enqueue operation can add a class to the eligible tree (eltree) twice, bypassing a previous security patch. When HFSC is used in combination with NETEM (Network Emulator), an attacker with local access can exploit this flaw to trigger a Use-After-Free condition or cause an infinite loop in the hfsc_dequeue function, resulting in denial of service.
Critical Impact
Local attackers can exploit this vulnerability to cause system denial of service through infinite loops or memory corruption via Use-After-Free, potentially affecting network services and system stability.
Affected Products
- Linux Kernel (multiple versions from 5.0 through 6.15-rc5)
- Debian Linux 11.0
- Debian Linux 12.0
Discovery Timeline
- June 6, 2025 - CVE-2025-38001 published to NVD
- December 17, 2025 - Last updated in NVD database
Technical Details for CVE-2025-38001
Vulnerability Analysis
This vulnerability stems from an incomplete fix for a previous security issue in the HFSC scheduler. The original patch (commit 141d34391abbb315d68556b7c67ad97885407547) attempted to prevent double insertion of classes into the eltree by checking the cl->cl_nactive field. However, this check is only effective when init_vf is called, as that is the only function that increments the cl_nactive field.
The bypass occurs when an attacker uses HFSC_RSC (Real-time Service Curve), which calls init_ed instead of init_vf. Since init_ed does not increment cl_nactive, the original patch's check can be bypassed, allowing a class to be inserted into the eltree multiple times.
Under normal exploitation conditions, the double insertion causes an infinite loop in hfsc_dequeue. However, by chaining this with TBF (Token Bucket Filter) as a root qdisc configured with a very low rate, an attacker can prevent packets from being dequeued. This creates a window for subsequent insertions into the HFSC eltree, ultimately leading to a Use-After-Free condition when the scheduler attempts to access freed memory.
Root Cause
The root cause is an insufficient validation check in hfsc_enqueue that fails to account for all code paths where a class can be added to the eltree. The previous fix only verified the cl_nactive field, but this field is not updated by the HFSC_RSC path using init_ed. The fix requires an explicit check in hfsc_enqueue to determine whether the class is already present in the eltree whenever the HFSC_RSC flag is set, regardless of the cl_nactive value.
Attack Vector
The attack requires local access to the system with the ability to configure network qdiscs. An attacker would need to:
- Configure HFSC as a child qdisc under TBF (Token Bucket Filter) with a very low rate
- Add NETEM as a child of HFSC to enable reentrant enqueue operations
- Trigger packet enqueue operations that exploit the HFSC_RSC path using init_ed
- Leverage the low TBF rate to prevent dequeue, allowing multiple insertions
- The double insertion corrupts the red-black tree structure, leading to either an infinite loop during dequeue or a Use-After-Free when freed memory is accessed
The exploitation does not require user interaction and can be performed by any user with permissions to configure network schedulers (typically requiring CAP_NET_ADMIN capability).
Detection Methods for CVE-2025-38001
Indicators of Compromise
- Kernel log messages indicating HFSC scheduler errors or warnings in sch_hfsc.c
- Unusual system hangs or high CPU utilization in kernel network scheduling contexts
- Kernel oops or panic messages referencing hfsc_dequeue or hfsc_enqueue functions
- Unexpected TBF and HFSC qdisc configurations with unusually low rate settings
Detection Strategies
- Monitor kernel logs for scheduler-related crashes or infinite loop indicators using dmesg or system logging
- Implement auditd rules to track tc (traffic control) command usage for qdisc configuration changes
- Use SentinelOne Singularity platform to detect anomalous kernel behavior and memory corruption attempts
- Deploy integrity monitoring for network scheduler configurations on critical systems
Monitoring Recommendations
- Enable kernel auditing for network namespace and qdisc modifications
- Monitor for processes attempting to configure complex nested qdisc hierarchies (TBF + HFSC + NETEM)
- Set up alerts for kernel messages containing hfsc, eltree, or rb_tree corruption errors
- Track systems with elevated network capabilities (CAP_NET_ADMIN) for unusual configuration activity
How to Mitigate CVE-2025-38001
Immediate Actions Required
- Apply the latest kernel security patches from your distribution immediately
- Restrict CAP_NET_ADMIN capability to only essential users and processes
- Audit existing qdisc configurations for potentially dangerous HFSC + NETEM combinations
- Consider temporarily disabling HFSC scheduler if not required for operations
Patch Information
Linux kernel developers have released patches across multiple stable branches to address this vulnerability. The fix adds an explicit check in hfsc_enqueue to verify whether a class is already present in the eltree when the HFSC_RSC flag is set. Key patch commits include:
- Kernel Commit 295f7c579b07
- Kernel Commit 2c928b3a0b04
- Kernel Commit 2f2190ce4ca9
- Kernel Commit 39ed887b1dd2
- Kernel Commit 4e38eaaabfb7
- Kernel Commit 6672e6c00810
- Kernel Commit a0ec22fa20b2
- Kernel Commit ac9fe7dd8e73
- Kernel Commit e5bee633cc27
Debian users should refer to the Debian LTS security announcements for updated package versions.
Workarounds
- Disable the HFSC qdisc module if not required: modprobe -r sch_hfsc
- Implement network namespace isolation to limit qdisc configuration exposure
- Use AppArmor or SELinux policies to restrict traffic control (tc) command execution
- Apply principle of least privilege by removing CAP_NET_ADMIN from non-essential services
# Check if HFSC module is loaded
lsmod | grep sch_hfsc
# Temporarily disable HFSC module (if not in use)
sudo modprobe -r sch_hfsc
# Blacklist HFSC module to prevent loading on boot
echo "blacklist sch_hfsc" | sudo tee /etc/modprobe.d/disable-hfsc.conf
# Verify current qdisc configurations for suspicious setups
tc qdisc show
# Update kernel to patched version (Debian/Ubuntu)
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
