Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68815

CVE-2025-68815: Linux Kernel Privilege Escalation Flaw

CVE-2025-68815 is a privilege escalation vulnerability in the Linux kernel's net/sched ets component. Improper handling of class transitions can allow attackers to elevate privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-68815 Overview

CVE-2025-68815 is a Linux kernel vulnerability in the net/sched subsystem, specifically within the Enhanced Transmission Selection (ETS) queueing discipline (qdisc) implementation. The flaw exists in ets_qdisc_change() in net/sched/sch_ets.c. When a user reconfigures an ETS qdisc to convert a Deficit Round Robin (DRR) class into a strict class, the kernel fails to remove that class from the active list. If the class is later reverted from strict back to DRR, it is appended to the active list a second time, producing a list double-add condition detectable with CONFIG_DEBUG_LIST.

Critical Impact

A local user with CAP_NET_ADMIN can corrupt a kernel linked list through crafted tc qdisc change commands, leading to kernel warnings and potential denial of service or memory corruption.

Affected Products

  • Linux kernel net/sched ETS qdisc implementation (net/sched/sch_ets.c)
  • Linux kernel stable branches prior to the fixed commits referenced upstream
  • Distribution kernels shipping the vulnerable ETS scheduler code

Discovery Timeline

  • 2026-01-13 - CVE-2025-68815 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-68815

Vulnerability Analysis

The ETS qdisc supports two band types: strict-priority bands and DRR bands. DRR classes that have packets to dequeue are tracked on a per-qdisc active list. When an administrator runs tc qdisc change to transform a DRR class into a strict band, ets_qdisc_change() updates the class type but does not call the cleanup path that unlinks the class from the active list. The stale list pointers remain valid because the class structure is preserved across the change.

A subsequent change reverting the class back to DRR re-runs the activation logic. The kernel inserts the class into the active list a second time, even though the prior linkage was never torn down. With list debugging enabled, __list_add_valid_or_report() detects the condition and emits a list_add double add warning from lib/list_debug.c:35. Without debug instrumentation, the corrupted list can cause traversal loops, use-after-free behavior, or invalid memory writes during packet scheduling.

Root Cause

The root cause is a missing state transition handler in ets_qdisc_change(). The function modifies the band classification without checking whether the affected class is currently linked into the active list. The fix introduces an explicit check and unconditionally removes the class from the active list when its type changes to strict, ensuring the list remains consistent across reclassifications.

Attack Vector

Exploitation requires local access and the CAP_NET_ADMIN capability or an equivalent network namespace privilege. An attacker reproduces the issue with a short sequence of tc commands: create an ETS qdisc with two bands and one strict, attach a child qdisc and filter to the DRR band, send traffic to populate the active list, change strict 1 to strict 2, then change it back to strict 1. The next packet enqueued to the affected class triggers the double-add condition.

The vulnerability is reachable from unprivileged user namespaces on kernels where network namespace creation is permitted without root, expanding the attack surface beyond traditional administrators.

No verified exploit code is published. The reproduction steps from the upstream commit message demonstrate the corruption path but do not constitute a weaponized exploit. See the upstream commit references for technical details of the fix.

Detection Methods for CVE-2025-68815

Indicators of Compromise

  • Kernel log entries containing list_add double add originating from __list_add_valid_or_report with call traces referencing ets_qdisc_change and tc_modify_qdisc.
  • Unexpected WARNING splats in dmesg from lib/list_debug.c on hosts where traffic shaping is configured.
  • Soft lockups or panics in the net/sched packet processing path after tc qdisc change operations.

Detection Strategies

  • Audit invocations of tc qdisc change against ETS qdiscs through process auditing rules on /usr/sbin/tc and netlinkRTM_NEWQDISC messages.
  • Correlate kernel ring buffer warnings with the issuing process and user identity using journald or syslog forwarding.
  • Monitor for repeated qdisc reconfiguration patterns targeting the same handle, which is uncommon in production traffic shaping deployments.

Monitoring Recommendations

  • Forward dmesg and /var/log/kern.log to a centralized logging platform and alert on list_add corruption messages.
  • Track CAP_NET_ADMIN usage and network namespace creation events on multi-tenant hosts.
  • Establish baselines for legitimate tc command usage so anomalous reconfiguration sequences trigger investigation.

How to Mitigate CVE-2025-68815

Immediate Actions Required

  • Apply the upstream stable kernel updates that include the ETS active-list fix as soon as distribution packages become available.
  • Inventory hosts where ETS qdiscs are in use by running tc qdisc show across the fleet and prioritize patching those systems.
  • Restrict CAP_NET_ADMIN to trusted administrators and disable unprivileged user namespaces where operationally feasible by setting kernel.unprivileged_userns_clone=0.

Patch Information

The issue is resolved across multiple stable trees through the following commits: 02783a37cb1c, 2f125ebe47d6, 43d9a530c8c0, 58fdce6bc005, 8067db5c95aa, b1e125ae425a, and cca2ed931b73. Refer to the Linux kernel stable commit log and your distribution's security tracker for backported builds.

Workarounds

  • Avoid using the ETS qdisc on untrusted multi-tenant systems until patches are deployed.
  • Remove or replace existing ETS qdiscs with alternative schedulers such as prio or htb if dynamic band reclassification is required.
  • Use Linux Security Modules or seccomp profiles to deny RTM_NEWQDISC netlink operations from non-administrative service accounts.
bash
# Configuration example: restrict unprivileged namespace creation
sysctl -w kernel.unprivileged_userns_clone=0
echo 'kernel.unprivileged_userns_clone=0' >> /etc/sysctl.d/99-hardening.conf

# Inventory ETS qdisc usage across interfaces
for iface in $(ls /sys/class/net/); do
    tc qdisc show dev "$iface" | grep -i ets && echo "ETS found on $iface"
done

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.