CVE-2025-38350 Overview
CVE-2025-38350 is a use-after-free vulnerability in the Linux kernel's network traffic control (net/sched) subsystem. The flaw exists in the handling of classful queuing disciplines (qdiscs) where certain qdiscs may invoke their classes' dequeue handler during an enqueue operation. This unexpected behavior can prematurely empty a child qdisc and make an in-flight class passive via qlen_notify(), leading to a use-after-free condition when the class is re-activated with a stale pointer.
Critical Impact
A local user who can configure queuing disciplines can trigger a use-after-free in kernel memory. The reliable outcome is a kernel crash (local denial of service); kernel use-after-free bugs are also a standard basis for privilege escalation, so treat this as a potential path to kernel-level code execution and full system compromise until patched. "Low privileges" is broader than it sounds: CAP_NET_ADMIN is granted inside an unprivileged user namespace, which many distributions, Debian 11 included, allow ordinary users to create by default.
Affected Products
- Linux Kernel (multiple versions including 6.15 and 6.16 release candidates)
- Debian Linux 11.0
Discovery Timeline
- 2025-07-19 - CVE-2025-38350 published to NVD
- 2025-12-16 - Last updated in NVD database
Technical Details for CVE-2025-38350
Vulnerability Analysis
The vulnerability is in the parent-notification logic of qdisc_tree_reduce_backlog() in the network scheduler (net/sched). Certain classful qdiscs can end up invoking a class's dequeue handler from within an enqueue operation. This can unexpectedly drain the child qdisc, and qlen_notify() then marks the class passive while the enqueue that caused the drain is still in flight; when the qdisc later acts on that class (HFSC, for example, re-activates it), it does so through a stale pointer. This is a sequencing bug within one packet's processing, not a concurrency race.
The underlying problem is inconsistent backlog accounting across hierarchical qdisc configurations. An earlier fix limited to the HFSC (Hierarchical Fair Service Curve) scheduler, which reorganized HFSC's own backlog accounting, was incomplete: the parent's parent (DRR at the root of the reproducer hierarchy) could still be left believing a class was active after its queue had already been emptied.
If such a class is then deleted, the qdisc that owned it still holds a reference to the freed class; the next packet that makes that qdisc dequeue from or re-activate the class dereferences the stale pointer, which is the use-after-free.
Root Cause
The root cause is the notification condition in qdisc_tree_reduce_backlog(). Before the fix it notified the parent class via qlen_notify() only when the reduction it was performing itself emptied the child qdisc; a child whose queue had already been emptied out of band (by the dequeue-during-enqueue path above) produced no notification, so the owning qdisc kept the class marked active and could later re-activate or dequeue from it through a pointer to memory that had since been freed.
The fix makes qdisc_tree_reduce_backlog() call qlen_notify() whenever the child qdisc is empty, regardless of how it became empty. That is sufficient because qdisc deletion always goes through qdisc_reset() and/or qdisc_purge_queue(), which reset the qlen to 0 before the backlog reduction runs, so the parent is guaranteed to be told the class is passive before the class memory is released.
Attack Vector
Exploitation requires local access and the ability to configure qdiscs, i.e. CAP_NET_ADMIN in some network namespace. On systems that allow unprivileged user namespaces, an ordinary user obtains that capability in a private network namespace (for example with unshare -rn), so no privileges in the host namespace are needed. The attack, driven with the tc (traffic control) utility, involves:
- Creating a nested qdisc hierarchy with DRR at the root, HFSC as its child, and netem with a blackhole leaf below that
- Sending a packet (the reproducer uses UDP) to trigger the dequeue-during-enqueue path that leaves the class state inconsistent
- Deleting the affected class while its owning qdisc still treats it as active
- Sending another packet, which makes the qdisc dereference the freed class
The CVE description carries the reproducer itself: the tc commands that build this hierarchy and socat to send the datagrams.
Detection Methods for CVE-2025-38350
Indicators of Compromise
- Kernel panic or oops messages referencing qdisc_tree_reduce_backlog, qlen_notify, or related net/sched functions
- Unexpected system crashes or instability when complex qdisc configurations are in use
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in the net/sched subsystem
Detection Strategies
- Enable KASAN in development/testing kernels to detect use-after-free conditions in the net/sched subsystem
- Monitor system logs for kernel oops or panic messages related to network scheduler functions
- Deploy SentinelOne Singularity Platform for runtime kernel exploit detection and behavioral analysis
- Audit systems for unusual or complex qdisc configurations that could indicate exploitation attempts
Monitoring Recommendations
- Monitor for tc executions that build nested DRR/HFSC/netem hierarchies, and for unprivileged user-namespace creation (unshare or clone with CLONE_NEWUSER), which is how a non-root user obtains the CAP_NET_ADMIN the attack needs; note that tc is only a convenience and a direct rtnetlink client leaves no tc execution to observe
- Implement auditd rules to track traffic control configuration changes on critical systems
- Review kernel logs for memory corruption indicators following network configuration changes
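The detection and monitoring items above, as an added example that is not kernel code and not part of the CVE record: a log scanner for the crash signatures listed under Indicators of Compromise, plus the auditd rules the monitoring recommendations call for. The symbol and module list in NET_SCHED_PATTERN, the CLONE_NEWUSER value (0x10000000) and the sample log lines are my assumptions for this example; the samples are constructed, not captured output.

```shell
#!/bin/sh
# Added example for this advisory; not kernel code and not part of the CVE record.
# Scans kernel log text for net/sched crash signatures and emits auditd rules for
# the configuration changes that precede them. Assumptions (mine): the symbol and
# module list in NET_SCHED_PATTERN, CLONE_NEWUSER = 0x10000000, and the sample
# logs, which are constructed for this example rather than captured.

# Symbols and module tags that tie a KASAN report, oops or call trace to net/sched.
# "[sch_xxx]" is how the kernel tags symbols living in a loadable qdisc module.
NET_SCHED_PATTERN='qdisc_tree_reduce_backlog|qlen_notify|(hfsc|drr|netem|qdisc)_[a-z0-9_]+[+]0x|\[sch_[a-z0-9_]+\]'

# Print every line on stdin that names a net/sched symbol or module.
# Usage: dmesg | scan_kernel_log    or    journalctl -k --no-pager | scan_kernel_log
scan_kernel_log() {
    grep -E "$NET_SCHED_PATTERN"
}

# Exit 0 when stdin holds a KASAN use-after-free report whose faulting function is
# in net/sched: the strongest single indicator on this page.
kasan_uaf_in_net_sched() {
    grep -E 'BUG: KASAN: (slab-)?use-after-free in ' | grep -Eq "$NET_SCHED_PATTERN"
}

# auditctl rules (drop into /etc/audit/rules.d/): record executions of tc and every
# user-namespace creation, since an unprivileged user who gets CAP_NET_ADMIN in a
# private netns can bypass the tc watch entirely with a direct rtnetlink client.
tc_audit_rules() {
    cat <<'EOF'
-w /sbin/tc -p x -k tc_config
-w /usr/sbin/tc -p x -k tc_config
-a always,exit -F arch=b64 -S unshare -F a0&0x10000000 -k userns_create
-a always,exit -F arch=b64 -S clone -F a0&0x10000000 -k userns_create
EOF
}

# Constructed sample: a KASAN report blamed on a DRR dequeue, plus unrelated noise.
SAMPLE_LOG='[   12.340000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  842.117241] BUG: KASAN: slab-use-after-free in drr_dequeue+0x1c4/0x4a0 [sch_drr]
[  842.118002] Read of size 8 at addr ffff8881041c8c40 by task socat/1337
[  842.120511] Call Trace:
[  842.121000]  __qdisc_run+0x8c/0x640
[  842.121900] Freed by task 1336:
[  842.122100]  drr_delete_class+0xe0/0x1a0 [sch_drr]
[  900.000001] systemd[1]: Started Daily apt download activities.'

# Constructed sample: a KASAN report elsewhere in the kernel, which must not match.
CLEAN_LOG='[   10.000000] BUG: KASAN: slab-use-after-free in usb_hub_port_connect+0x1a0/0x3c0
[   10.000100] Read of size 4 at addr ffff888100a2c010 by task kworker/0:1/42'

# Run with --demo to see the scanner applied to the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | scan_kernel_log
    printf '%s\n' "$SAMPLE_LOG" | kasan_uaf_in_net_sched && echo "net/sched use-after-free found"
    tc_audit_rules
fi
```

The scanner is deliberately symbol-based rather than keyed on "CVE-2025-38350": a kernel never names the CVE, it names the function that faulted. Feed it the whole journal (`journalctl -k --no-pager`) rather than a tail, because the KASAN report and the tc commands that preceded it may be minutes apart.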
How to Mitigate CVE-2025-38350
Immediate Actions Required
- Apply the latest kernel security patches from the official Linux kernel stable branches
- For Debian Linux 11.0 systems, apply updates referenced in the Debian LTS announcements
- Where patching must wait, limit who can reach the code: do not grant CAP_NET_ADMIN to containers or services that do not need it, and consider disabling unprivileged user namespaces (user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian kernels), since that is how an unprivileged user normally obtains CAP_NET_ADMIN in a private network namespace. Note that this breaks rootless containers and other sandboxes that rely on user namespaces.
- SELinux or AppArmor confinement of the tc utility adds little on its own: tc needs CAP_NET_ADMIN regardless, and a process that holds the capability can issue the same rtnetlink requests without tc
Patch Information
The vulnerability has been addressed in multiple kernel stable branches. Patches are available through the official kernel git repository:
- Kernel patch 103406b38c600fec1fe375a77b27d87e314aea09
- Kernel patch 3b290923ad2b23596208c1e29520badef4356a43
- Kernel patch a553afd91f55ff39b1e8a1c4989a29394c9e0472
Debian users should refer to the Debian LTS Security Announcements for distribution-specific patch information.
Workarounds
- Treat CAP_NET_ADMIN, not the tc binary, as the control: tc is a thin rtnetlink client, and anything holding the capability can send the same netlink messages directly. Do not grant NET_ADMIN to containers or services that do not need it, and disable unprivileged user namespaces where the workload tolerates it
- Avoid nested qdisc configurations combining DRR, HFSC, netem and blackhole until patched; if those schedulers are built as modules and are not needed, preventing their autoload via modprobe.d removes the reproducer's building blocks
- Use mandatory access control (SELinux/AppArmor) to confine which administrative processes may manipulate qdiscs, as defence in depth rather than as the primary barrier
# Defence in depth only: tc needs CAP_NET_ADMIN regardless of file mode, and a
# user holding the capability can use a private copy of tc or raw netlink instead
chmod 700 /sbin/tc
# Remove CAP_NET_ADMIN capability for unprivileged containers
# In container runtime configuration, ensure NET_ADMIN is not granted
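The workarounds above as something you can run, added here as an example and not taken from the kernel project or a Debian advisory: a check of whether the current host exposes the preconditions (a process holding CAP_NET_ADMIN, unprivileged user namespaces, the reproducer's qdisc modules loaded), plus the sysctl and modprobe.d fragments that close them. My assumptions, not statements from the CVE text: CAP_NET_ADMIN is capability bit 12, the sysctls are user.max_user_namespaces and Debian's kernel.unprivileged_userns_clone, and the modules are sch_drr, sch_hfsc and sch_netem.

```shell
#!/bin/sh
# Added example for this advisory; not from the kernel project or a Debian advisory.
# Exposure check and workaround fragments for CVE-2025-38350. Assumptions (mine, not
# from the CVE text): CAP_NET_ADMIN is capability bit 12 (linux/capability.h); the
# sysctls are mainline user.max_user_namespaces and Debian's
# kernel.unprivileged_userns_clone; the reproducer's qdiscs are sch_drr, sch_hfsc, sch_netem.

# Return 0 when a hex capability mask (CapEff/CapBnd line in /proc/<pid>/status) has
# CAP_NET_ADMIN. Only the low 16 bits are examined, so the mask width does not matter.
cap_has_net_admin() {
    mask=$1
    [ -n "$mask" ] || return 1
    case $mask in
        ????*) low=${mask#"${mask%????}"} ;;   # last four hex digits carry bits 0-15
        *)     low=$mask ;;
    esac
    [ $(( 0x$low & 0x1000 )) -ne 0 ]
}

# Return 0 when an unprivileged user can still create a user namespace, given the
# value of user.max_user_namespaces and of kernel.unprivileged_userns_clone (pass an
# empty string where that Debian-specific sysctl does not exist).
userns_unprivileged_allowed() {
    max=$1
    debian_clone=$2
    if [ -n "$max" ] && [ "$max" -le 0 ]; then return 1; fi
    if [ -n "$debian_clone" ] && [ "$debian_clone" -eq 0 ]; then return 1; fi
    return 0
}

# sysctl fragment (e.g. /etc/sysctl.d/90-cve-2025-38350.conf; load it with
# `sysctl -e -p <file>` so a key the kernel lacks is skipped) that closes the usual
# route by which an unprivileged user obtains CAP_NET_ADMIN. Caveat: rootless
# containers, Flatpak and browser sandboxes depend on unprivileged user namespaces.
userns_sysctl_block() {
    printf 'user.max_user_namespaces = 0\n'
    printf 'kernel.unprivileged_userns_clone = 0\n'
}

# modprobe.d fragment that refuses to autoload the schedulers the reproducer chains.
# Only effective where they are built as modules (CONFIG_NET_SCH_*=m) and are not
# already loaded, and it breaks legitimate shaping that uses them.
qdisc_modprobe_block() {
    for m in sch_drr sch_hfsc sch_netem; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Live check: print one finding per line and return how many were found (0 = none).
check_exposure() {
    findings=0
    caps=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    if cap_has_net_admin "$caps"; then
        echo "this process holds CAP_NET_ADMIN: it can build the qdisc hierarchy directly"
        findings=$((findings + 1))
    fi
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
    if userns_unprivileged_allowed "$max" "$clone"; then
        echo "unprivileged user namespaces allowed: any local user can get CAP_NET_ADMIN in a private netns"
        findings=$((findings + 1))
    fi
    for m in sch_drr sch_hfsc sch_netem; do
        if grep -q "^$m " /proc/modules 2>/dev/null; then
            echo "module $m is loaded: a modprobe.d block no longer prevents its use"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run with --check to inspect the current host; the exit status is the finding count.
if [ "${1:-}" = "--check" ]; then
    check_exposure
fi
```

Run `check_exposure` as the unprivileged user you are worried about, not as root: the CapEff line is per process, and the point is whether that user, or a container's entrypoint, can reach CAP_NET_ADMIN. A result of zero findings still does not mean the kernel is fixed; only the distribution's changelog or the upstream commit IDs listed below tell you that.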
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

