CVE-2025-38083 Overview
CVE-2025-38083 is a race condition in the Linux kernel's net_sched PRIO queueing discipline. The flaw resides in the prio_tune() function and triggers when the Stochastic Fairness Queueing (SFQ) perturb timer fires at an inopportune moment. An attacker with local access and the ability to configure traffic control on a qdisc can race the perturb timer against prio_tune() to underflow a parent qdisc's qlen counter. The vulnerability was reported by Gerrard Tai and resolved upstream by replacing qdisc_tree_flush_backlog() with qdisc_purge_queue(), which drains all packets before releasing the root lock.
Critical Impact
A local user who can configure traffic control (CAP_NET_ADMIN over a network namespace, which unprivileged users can obtain through user namespaces on many distributions) can drive a PRIO qdisc's qlen counter below zero. The resulting inconsistent accounting is at minimum a denial-of-service condition; because later scheduler code trusts qlen, it is also a potential stepping stone to memory corruption.
Affected Products
- Linux kernel: unpatched stable branches up to and including 6.16-rc1; the race dates from the change that made prio_tune() defer destruction of the replaced child qdisc until after the root lock is dropped, so older long-term branches are affected as well
- Debian Linux 11.0
- Siemens products referenced in advisory SSA-082556
Discovery Timeline
- 2025-06-20 - CVE-2025-38083 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2025-38083
Vulnerability Analysis
The vulnerability is a classic race condition [CWE-362] in the kernel's packet scheduler. The PRIO qdisc has several bands, and each band can hold a child qdisc such as SFQ. SFQ runs a periodic perturb timer that picks a new hash secret and, if the queue is non-empty, rehashes every queued packet into its new slot; packets that no longer fit are dropped, and the rehash charges those drops to every ancestor qdisc through qdisc_tree_reduce_backlog().
When prio_tune() replaces a child qdisc, it takes the root lock and calls qdisc_tree_flush_backlog() on the old child. Despite the name, that helper does not flush anything: it subtracts the child's current qlen and backlog from every ancestor and leaves the packets queued in the child. prio_tune() then drops the root lock and only afterwards calls qdisc_put() on the old child. In that window the SFQ perturb timer can run on another CPU, take the root lock, rehash the still-queued packets, drop some of them, and call qdisc_tree_reduce_backlog() again. The PRIO parent has already been credited for all of those packets, so the second subtraction takes its unsigned qlen below zero and wraps it to a value near 2^32.
Root Cause
The root cause is an ordering defect, not a missing lock: both paths take the root lock correctly. qdisc_tree_flush_backlog() only fixes up the ancestors' counters; it does not dequeue the packets held by the child being replaced, so the child remains a live, non-empty qdisc between the unlock and qdisc_put(), and anything that drops packets from it in that window (here, the SFQ rehash) charges those drops to a parent that has already been flushed.
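To make the accounting concrete, the following user-space C program replays the two interleavings: the vulnerable prio_tune() that calls qdisc_tree_flush_backlog() and the fixed one that calls qdisc_purge_queue(). It is an added illustration written for this page, not kernel code and not a trigger for the bug: the struct and function names mirror the kernel's but are toy stand-ins that model only the counter arithmetic, and the number of packets the rehash drops (rehash_drops) is a parameter of the model rather than anything the kernel exposes.

```c
/*
 * User-space model of the qlen accounting race behind CVE-2025-38083.
 * Added illustration, not kernel code: the structs are toys and each
 * function mimics only the accounting behaviour of its kernel namesake
 * (qdisc_tree_reduce_backlog, qdisc_tree_flush_backlog, qdisc_purge_queue,
 * sfq_perturbation/sfq_rehash). The interleaving from the fix's commit
 * message is replayed deterministically instead of racing real threads.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct qdisc {
    uint32_t qlen;        /* sch->q.qlen: packets queued in this subtree (unsigned) */
    uint32_t backlog;     /* sch->qstats.backlog: bytes queued in this subtree */
    struct qdisc *parent; /* NULL for the root */
};

/* qdisc_tree_reduce_backlog(): charge n packets / len bytes to every ancestor.
 * The kernel does the same unsigned subtraction, so charging packets that were
 * already subtracted wraps the counter to a value near 2^32. */
static void qdisc_tree_reduce_backlog(struct qdisc *sch, uint32_t n, uint32_t len)
{
    for (struct qdisc *p = sch->parent; p; p = p->parent) {
        p->qlen -= n;
        p->backlog -= len;
    }
}

/* Pre-fix prio_tune() path: fix up the ancestors' counters but leave the
 * packets sitting in the old child until qdisc_put() frees it later. */
static void qdisc_tree_flush_backlog(struct qdisc *sch)
{
    qdisc_tree_reduce_backlog(sch, sch->qlen, sch->backlog);
}

/* Post-fix path: reset the child (drop its packets) and then fix the
 * ancestors, all before the root lock is released, so nothing is left
 * for the timer to re-account. */
static void qdisc_purge_queue(struct qdisc *sch)
{
    uint32_t qlen = sch->qlen, backlog = sch->backlog;
    sch->qlen = 0;    /* qdisc_reset(): queue is now empty */
    sch->backlog = 0;
    qdisc_tree_reduce_backlog(sch, qlen, backlog);
}

/* sfq_perturbation(): under the root lock, rehash the flows if the queue is
 * non-empty. Packets that no longer fit are dropped and the drop is charged
 * to the ancestors. dropped/drop_len stand in for what the rehash discards
 * (model parameters; the real number depends on the new hash secret). */
static void sfq_perturbation(struct qdisc *sfq, uint32_t dropped, uint32_t drop_len)
{
    if (sfq->qlen == 0)   /* kernel: if (!q->filter_list && q->tail) sfq_rehash(sch); */
        return;
    if (dropped > sfq->qlen)
        dropped = sfq->qlen;
    if (drop_len > sfq->backlog)
        drop_len = sfq->backlog;
    sfq->qlen -= dropped;
    sfq->backlog -= drop_len;
    qdisc_tree_reduce_backlog(sfq, dropped, drop_len);
}

/* Replay the interleaving from the fix's commit message and return the PRIO
 * parent's qlen afterwards. fixed selects qdisc_purge_queue() (patched) or
 * qdisc_tree_flush_backlog() (vulnerable) for step [2]. */
uint32_t replay_prio_tune_race(bool fixed, uint32_t queued, uint32_t rehash_drops)
{
    struct qdisc prio = { .qlen = queued, .backlog = queued * 1000, .parent = NULL };
    struct qdisc sfq  = { .qlen = queued, .backlog = queued * 1000, .parent = &prio };

    /* CPU 0: [1] lock root; [2] flush or purge the child being replaced */
    if (fixed)
        qdisc_purge_queue(&sfq);
    else
        qdisc_tree_flush_backlog(&sfq);
    /* CPU 0: [3] unlock root; the old child is still alive, qdisc_put() not yet called */

    /* CPU 1: [5] timer takes root lock; [6] rehash; [7] reduce_backlog on the parent */
    sfq_perturbation(&sfq, rehash_drops, rehash_drops * 1000);

    /* CPU 0: [4] qdisc_put(&sfq) would free the child here; it does not touch the counters */
    return prio.qlen;
}

int main(void)
{
    printf("vulnerable: parent qlen = %" PRIu32 "\n", replay_prio_tune_race(false, 10, 3));
    printf("patched:    parent qlen = %" PRIu32 "\n", replay_prio_tune_race(true, 10, 3));
    return 0;
}
```

With ten packets queued and a rehash that drops three, the vulnerable ordering leaves the parent at 4294967293 (0xFFFFFFFD) while the patched ordering leaves it at 0. The model also shows why the window is only dangerous when the old child still holds packets: with an empty queue the timer has nothing to rehash, and with zero drops the second charge is zero.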
Attack Vector
An unprivileged local user cannot reach this path directly, because changing a qdisc requires CAP_NET_ADMIN over the network namespace that owns the interface. On hosts that allow unprivileged user namespaces, however, any local user can obtain that capability in a namespace of their own, attach a PRIO qdisc with an SFQ child to an interface there, keep packets queued in the SFQ so that the perturb timer has something to rehash, and repeatedly change the PRIO bands so that prio_tune() replaces the child while the timer is due. Each successful interleaving subtracts the rehash's drops from a parent that has already been flushed, underflowing its qlen; the inconsistent accounting is at least a denial-of-service condition and a foothold for further corruption of scheduler state. The fix replaces qdisc_tree_flush_backlog() with qdisc_purge_queue() so that all packets are drained before the root lock is released, which removes the timing window.
Detection Methods for CVE-2025-38083
Indicators of Compromise
- Kernel logs reporting unexpected qdisc statistics or warnings from the net_sched subsystem
- Unprivileged processes creating user namespaces and invoking tc to manipulate PRIO and SFQ qdiscs in rapid succession
- Crashes or soft lockups originating in prio_tune, sfq_perturbation, or qdisc_tree_reduce_backlog
Detection Strategies
- Audit the context in which the attack runs rather than the netlink traffic itself: auditd can watch execution of the tc binary and the unshare and setns syscalls, but it has no filter for rtnetlink message types such as RTM_NEWQDISC; to see qdisc changes, use tc monitor (rtnetlink notifications) or the kernel's qdisc tracepoints (qdisc:qdisc_create, qdisc:qdisc_destroy) through a tracing or eBPF tool
- Monitor for processes that create user namespaces and immediately exercise networking capabilities, a common pattern for kernel race condition exploitation
- Correlate kernel oops or WARN_ON output referencing net/sched/sch_prio.c or sch_sfq.c with the originating user session
Monitoring Recommendations
- On test systems, build with KASAN to surface downstream memory corruption; note that lockdep will not flag this bug, since both sides take the root lock correctly and the defect lies in the order of the work done under it, not in locking discipline
- Forward dmesg and journald kernel messages to a centralized logging backend for retroactive analysis
- Track installed kernel versions against the fixed commits listed in the upstream stable tree advisories
How to Mitigate CVE-2025-38083
Immediate Actions Required
- Apply the upstream kernel patches referenced by commits 20f68e6a, 3aaa7c01, 4483d8b9, 46c15c9d, 53d11560, 93f9eeb6, d35acc1b, and e3f67450
- Update Debian systems using the fixes shipped in Debian LTS Announcement #00007 and Debian LTS Announcement #00008
- Siemens customers should review Siemens Security Advisory SSA-082556 for product-specific guidance
Patch Information
The upstream fix replaces qdisc_tree_flush_backlog() with qdisc_purge_queue() in prio_tune(). qdisc_purge_queue() records the child's qlen and backlog, resets the child so that it holds no packets, and only then reduces the ancestors' counters, all while the root lock is still held. When the perturb timer later fires it finds an empty queue, has nothing to rehash or drop, and the parent is never charged twice. Backports are available across stable branches; see the kernel.org stable commit for the canonical change.
Workarounds
- Restrict creation of unprivileged user namespaces: set kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels that carry that sysctl, or user.max_user_namespaces=0 on mainline kernels (the latter blocks privileged creation too, so check that containers and sandboxes on the host do not depend on user namespaces); without a user namespace a local user cannot obtain the CAP_NET_ADMIN that tc requires
- Limit CAP_NET_ADMIN to trusted administrators and avoid granting it inside untrusted containers
- On unpatched hosts, avoid administrator-created configurations that put an SFQ child with a non-zero perturb period under PRIO; this does not replace the namespace restriction above, since an attacker in a namespace of their own chooses their own qdisc configuration
# Configuration example (Debian/Ubuntu kernels that carry the unprivileged_userns_clone sysctl)
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/90-hardening.conf
# Mainline kernels without that sysctl: forbid user namespace creation entirely instead
sysctl -w user.max_user_namespaces=0
echo 'user.max_user_namespaces=0' >> /etc/sysctl.d/90-hardening.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.