
CVE-2025-68815: Linux Kernel net/sched ETS List Corruption Flaw

CVE-2025-68815 is a list-corruption bug in the Linux kernel's net/sched ETS qdisc (sch_ets). When an ETS configuration change turns a DRR class into a strict priority class, the class is left on the scheduler's active list, so a later change back to DRR links it a second time and corrupts the list. This article covers technical details, affected versions, detection, and mitigation.

Updated: January 22, 2026

CVE-2025-68815 Overview

A vulnerability has been identified in the Linux kernel's network scheduler (net/sched) ETS (Enhanced Transmission Selection) qdisc implementation. The flaw exists in the handling of class type changes where a DRR (Deficit Round Robin) class is transformed into a strict priority class. When this transformation occurs, the kernel code fails to properly remove the class from the active list, leading to a condition where the class can be added to the active list twice upon subsequent changes.

Impact

The observable effect is a kernel warning and potential instability when the strict/DRR split of a live ETS qdisc is changed through the tc (traffic control) utility. On kernels built with CONFIG_DEBUG_LIST the second add is caught, refused, and reported as a "list_add double add" warning; on production kernels without that option the active list is silently corrupted, and a corrupted scheduler list can lead to a crash (denial of service) when it is next walked. No privilege-escalation or information-disclosure path is documented, and NVD has assigned no CVSS score.

Affected Products

  • Linux Kernel (net/sched ETS qdisc, module sch_ets, Kconfig symbol CONFIG_NET_SCH_ETS)
  • Kernels carrying the unfixed sch_ets code: the report that led to the fix was produced on 6.18.0-rc7, and the ETS qdisc has been in mainline since v5.6, so older stable and distribution kernels may also be affected. Check the kernel CVE announcement or your distribution's advisory for fixed versions.
  • Linux distributions shipping such kernels with traffic control functionality enabled

Discovery Timeline

  • 2026-01-13 - CVE-2025-68815 published to NVD
  • 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2025-68815

Vulnerability Analysis

The vulnerability resides in the ets_qdisc_change() function within the Linux kernel's ETS (Enhanced Transmission Selection) qdisc implementation. ETS is a traffic scheduling algorithm that combines strict priority queuing with DRR (Deficit Round Robin) for bandwidth sharing among classes.

When a user modifies an ETS qdisc configuration using the tc qdisc change command to convert a DRR class to a strict priority class, the code fails to check whether that class was previously in the active list. If the class was active (had packets queued), it remains in the active list even after becoming a strict class. Subsequently, when the configuration is changed back to DRR, the class is added to the active list again, resulting in a double-add condition.

On kernels built with CONFIG_DEBUG_LIST this double add is caught by the kernel's list debugging checks, which refuse the add and emit a "list_add double add" warning; the accompanying stack trace shows ets_qdisc_change() called from tc_modify_qdisc(). Without CONFIG_DEBUG_LIST the add goes through and the list is silently corrupted.

Root Cause

The root cause is an incomplete state management during qdisc class type transitions. The ets_qdisc_change() function modifies the class type (from DRR to strict or vice versa) without properly cleaning up the class's membership in internal data structures. Specifically, when a DRR class that is currently in the active list is converted to a strict class, the code should remove it from the active list to maintain list integrity. The absence of this removal operation leads to list corruption upon subsequent class type changes.
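To make the missing state transition concrete, here is a user-space model of the ETS active-list bookkeeping. It is an added example for this page, not code from sch_ets.c or from SentinelOne: the structs and list helpers are deliberately minimal stand-ins, and the two change() variants are modeled on the loops described above (the buggy one only re-activates classes going from strict to DRR; the fixed one also unlinks classes going from DRR to strict). The check in list_add_tail() uses the same condition as the kernel's "list_add double add" warning (the entry being added is already one of the two neighbours it would be linked between), so replaying the tc sequence from this page raises one warning against the buggy variant and none against the fixed one.

```c
/* Added example (not kernel code, not SentinelOne's): a user-space model of
 * the ETS active-list bookkeeping behind CVE-2025-68815. Types, list helpers
 * and both change() variants are simplified stand-ins for sch_ets.c. */
#include <stdbool.h>
#include <stdio.h>

#define NBANDS 2

struct list_head { struct list_head *prev, *next; };

static void list_init(struct list_head *h) { h->prev = h->next = h; }

/* Stand-in for the "list_add double add" WARNING from lib/list_debug.c. */
static int double_add_warnings;

static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev, *next = head;
    /* Kernel condition: entry is already a neighbour it would be linked
     * between, i.e. it is on the list already. Report and refuse the add. */
    if (entry == prev || entry == next) {
        double_add_warnings++;
        return;
    }
    next->prev = entry; entry->next = next;
    entry->prev = prev; prev->next = entry;
}

static void list_del_init(struct list_head *entry)
{
    entry->prev->next = entry->next;
    entry->next->prev = entry->prev;
    list_init(entry);
}

struct ets_class {
    struct list_head alist;  /* link on ets_sched.active (DRR classes with packets) */
    unsigned int qlen;       /* packets held by the class's child qdisc */
};

struct ets_sched {
    unsigned int nstrict;    /* bands [0, nstrict) are strict, the rest are DRR */
    struct ets_class classes[NBANDS];
    struct list_head active;
};

static void ets_init(struct ets_sched *q, unsigned int nstrict)
{
    q->nstrict = nstrict;
    list_init(&q->active);
    for (unsigned int i = 0; i < NBANDS; i++) {
        list_init(&q->classes[i].alist);
        q->classes[i].qlen = 0;
    }
}

/* Enqueue path: the first packet on a DRR class puts it on the active list. */
static void ets_enqueue(struct ets_sched *q, unsigned int band)
{
    struct ets_class *cl = &q->classes[band];
    bool first = cl->qlen++ == 0;
    if (first && band >= q->nstrict)
        list_add_tail(&cl->alist, &q->active);
}

/* Buggy change(): re-activates classes going strict -> DRR that still hold
 * packets, but never unlinks a class going DRR -> strict. */
static void ets_change_buggy(struct ets_sched *q, unsigned int nstrict)
{
    for (unsigned int i = nstrict; i < q->nstrict; i++)
        if (q->classes[i].qlen)
            list_add_tail(&q->classes[i].alist, &q->active);
    q->nstrict = nstrict;
}

/* Fixed change(): the DRR -> strict direction unlinks the class first. */
static void ets_change_fixed(struct ets_sched *q, unsigned int nstrict)
{
    for (unsigned int i = q->nstrict; i < nstrict; i++)
        if (q->classes[i].qlen)
            list_del_init(&q->classes[i].alist);
    for (unsigned int i = nstrict; i < q->nstrict; i++)
        if (q->classes[i].qlen)
            list_add_tail(&q->classes[i].alist, &q->active);
    q->nstrict = nstrict;
}

/* Replays the page's tc sequence against one change() implementation and
 * returns how many double-add warnings the list check raised. */
static int run_scenario(void (*change)(struct ets_sched *, unsigned int))
{
    struct ets_sched q;
    double_add_warnings = 0;
    ets_init(&q, 1);     /* ets bands 2 strict 1: band 0 strict, band 1 DRR */
    ets_enqueue(&q, 1);  /* traffic queued in band 1 -> class on active list */
    change(&q, 2);       /* ... strict 2: band 1 becomes strict */
    change(&q, 1);       /* ... strict 1: band 1 becomes DRR again */
    return double_add_warnings;
}

int main(void)
{
    printf("buggy change(): %d warning(s), fixed change(): %d warning(s)\n",
           run_scenario(ets_change_buggy), run_scenario(ets_change_fixed));
    return 0;
}
```

The model skips everything unrelated to the bug (deficits, quanta, child qdiscs, the dequeue path), so it should be read as a demonstration of the state machine, not as a drop-in for the kernel logic.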

Attack Vector

The bug is reached through the qdisc configuration interface (an rtnetlink qdisc change, which tc wraps), so triggering it requires CAP_NET_ADMIN over the network namespace that owns the device. On a default root-only host that means an administrator. Where unprivileged user namespaces are enabled, however, any local user can create a user namespace plus network namespace in which they hold CAP_NET_ADMIN, and configure an ETS qdisc on that namespace's lo or a veth device (provided sch_ets is already loaded or can be autoloaded), so on such systems treat the trigger as reachable by unprivileged local users. The sequence is:

  1. Creating an ETS qdisc with a combination of strict and DRR bands
  2. Generating traffic to activate the DRR class (add it to the active list)
  3. Changing the qdisc configuration to convert the active DRR class to strict
  4. Reverting the configuration back to DRR, triggering the double-add

The trigger sequence, using standard tc commands. This is the page's command list completed into a runnable script; a netem child with a delay is one way to keep a packet queued so the DRR class stays on the active list, and a matchall filter steers the test traffic into band 1 (classid 1:2):

```bash
# Run as root on a disposable test system; expect a "list_add double add" warning in dmesg
tc qdisc add dev lo root handle 1: ets bands 2 strict 1           # band 0 strict, band 1 (1:2) DRR
tc qdisc add dev lo parent 1:2 handle 12: netem delay 5s          # child holds packets so 1:2 stays active
tc filter add dev lo parent 1: protocol all matchall classid 1:2  # steer all traffic into the DRR band
ping -c 1 -W 1 127.0.0.1 >/dev/null 2>&1 || true                   # queue a packet in band 1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2        # DRR -> strict: class left on active list (bug)
tc qdisc change dev lo root handle 1: ets bands 2 strict 1        # strict -> DRR: second list_add of the same entry
dmesg | grep -A12 'list_add double add'                           # shows ets_qdisc_change / tc_modify_qdisc frames
```

Detection Methods for CVE-2025-68815

Indicators of Compromise

  • Kernel warning messages containing list_add double add in system logs
  • Stack traces referencing ets_qdisc_change() and tc_modify_qdisc() functions
  • Unexpected system behavior or instability when modifying ETS qdisc configurations
  • Kernel crash dumps showing list corruption in the net/sched subsystem

Detection Strategies

  • Monitor kernel logs (dmesg, /var/log/kern.log) for list_add double add warnings
  • Enable kernel list debugging (CONFIG_DEBUG_LIST) to catch list corruption early
  • Audit usage of tc qdisc change commands targeting ETS qdiscs
  • Deploy kernel audit rules to track qdisc modification operations with CAP_NET_ADMIN
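A log-scanning rule for the first two strategies above, added as an example for this page (it is not a SentinelOne detection and not kernel code). It correlates a "list_add double add" report with an ets_qdisc_change frame in the stack trace that follows it, so generic list-corruption noise from other subsystems is not counted against this CVE. The sample log is constructed for this page, not a real capture; addresses and symbol offsets in it are placeholders.

```c
/* Added example: attribute "list_add double add" reports to the ETS qdisc
 * by looking for an ets_qdisc_change frame in the trace that follows them.
 * Not a SentinelOne detection; the sample log below is constructed. */
#include <stdio.h>
#include <string.h>

#define FRAME_WINDOW 40   /* lines inspected after a double-add report */

/* Returns the number of double-add reports attributed to ets_qdisc_change.
 * A report opens a window of FRAME_WINDOW lines; the first ets_qdisc_change
 * frame inside it counts once, and an unrelated report simply expires. */
static int count_ets_double_adds(const char *log)
{
    int hits = 0;
    int window = 0;   /* lines still in scope for the most recent report */
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (strstr(line, "list_add double add")) {
            window = FRAME_WINDOW;
        } else if (window > 0) {
            if (strstr(line, "ets_qdisc_change")) {
                hits++;
                window = 0;   /* attribute each report at most once */
            } else {
                window--;
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

/* Constructed sample: one ETS double add followed by an unrelated one. The
 * message precedes the WARNING line, as WARN() prints them. */
static const char sample_log[] =
    "[  312.40011] list_add double add: new=ffff9a6c0c2a1d38, prev=ffff9a6c0c2a1d38, next=ffff9a6c0c2a1c80.\n"
    "[  312.40012] WARNING: CPU: 2 PID: 4021 at lib/list_debug.c __list_add_valid_or_report+0x0/0x0\n"
    "[  312.40013] Call Trace:\n"
    "[  312.40014]  ets_qdisc_change+0x0/0x0 [sch_ets]\n"
    "[  312.40015]  tc_modify_qdisc+0x0/0x0\n"
    "[  312.40016]  rtnetlink_rcv_msg+0x0/0x0\n"
    "[  312.40017] ---[ end trace 0000000000000000 ]---\n"
    "[  451.10001] list_add double add: new=ffff9a6c1f000000, prev=ffff9a6c1f000000, next=ffff9a6c1f000040.\n"
    "[  451.10002] Call Trace:\n"
    "[  451.10003]  some_other_driver_fn+0x0/0x0\n";

int main(void)
{
    printf("ETS double-add reports in sample log: %d\n",
           count_ets_double_adds(sample_log));
    return 0;
}
```

In practice the same logic can be fed from `dmesg` or `journalctl -k`; the window size only needs to cover the longest stack trace you expect between the report and the ets_qdisc_change frame.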

Monitoring Recommendations

  • Configure syslog alerting for kernel warnings related to list operations
  • Implement monitoring for traffic control configuration changes via tc utility
  • Enable kernel crash dump collection (kdump) to capture state during failures
  • Use SentinelOne's Linux agent to detect anomalous kernel behavior and privilege escalation attempts

How to Mitigate CVE-2025-68815

Immediate Actions Required

  • Apply the kernel patches referenced below, or your distribution's fixed kernel
  • Treat CAP_NET_ADMIN, not the tc binary, as the boundary: the trigger is an rtnetlink qdisc change that any program holding the capability can issue
  • Where unprivileged user namespaces are enabled, restrict them until patched, since they hand local users CAP_NET_ADMIN in a private network namespace
  • Avoid runtime changes to the strict/DRR split of live ETS qdiscs on production systems until patched
  • Consider using an alternative qdisc if ETS is not strictly required

Patch Information

The Linux kernel developers have released a fix. It unlinks a class from the active list when a configuration change turns it from DRR into strict, mirroring the re-activation the code already performed for the strict-to-DRR direction, so a later change back to DRR adds the class exactly once. The commits below carry the fix:

  • Linux Kernel Commit Note
  • Linux Kernel Commit Change
  • Linux Kernel Commit Update
  • Linux Kernel Commit Fix
  • Linux Kernel Commit Improvement

Organizations should update to kernel versions containing these fixes through their distribution's package manager.

Workarounds

  • Limit CAP_NET_ADMIN to the accounts and services that genuinely need it
  • Disable or restrict unprivileged user namespaces where your workloads permit it; containers and sandboxes that depend on them will need an exception or a patched kernel
  • Keep ETS configurations static: set the strict/DRR split once and avoid tc qdisc change on live ETS qdiscs
  • Do not rely on network namespace isolation as a mitigation: the bug lives in whichever namespace owns the qdisc, and a fresh network namespace is exactly what an unprivileged user namespace hands a local user
```bash
# tc is only a front end for rtnetlink: any process holding CAP_NET_ADMIN over the
# namespace can issue the same qdisc change without it, so tightening the binary's
# mode is a speed bump, not a security boundary. Resolve the real path first
# (merged-/usr systems keep tc under /usr/sbin).
TC=$(command -v tc)
chmod 700 "$TC"

# Audit executions of the tc binary (catches interactive misuse, not raw netlink clients)
auditctl -w "$TC" -p x -k tc_usage

# Check the running kernel against the fixed versions in your distribution's advisory
uname -r

# Is the ETS scheduler present? As a module it shows in lsmod; if built in, only the config tells
lsmod | grep -w sch_ets || grep '^CONFIG_NET_SCH_ETS=' "/boot/config-$(uname -r)"

# Can unprivileged users create user namespaces (and so obtain CAP_NET_ADMIN in a
# private network namespace)? Key names vary by distribution; -e skips missing ones.
sysctl -e kernel.unprivileged_userns_clone user.max_user_namespaces kernel.apparmor_restrict_unprivileged_userns
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: Memory corruption (kernel list corruption in net/sched); no privilege-escalation path is documented
  • Vendor/Tech: Linux Kernel
  • Severity: NONE (no severity assigned by NVD)
  • CVSS Score: N/A
  • Known Exploited: No

Impact Assessment (as recorded by NVD; see Impact above for the practical effect)
  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References
  • Linux Kernel Commit Note
  • Linux Kernel Commit Change
  • Linux Kernel Commit Update
  • Linux Kernel Commit Fix
  • Linux Kernel Commit Improvement

Related CVEs
  • CVE-2026-31411: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23438: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23439: Linux Kernel Privilege Escalation Flaw
  • CVE-2026-23437: Linux Kernel Privilege Escalation Flaw
©2026 SentinelOne, All Rights Reserved.