{"id":"CVE-2025-37992","summary":"net_sched: Flush gso_skb list too during -\u003echange()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Flush gso_skb list too during -\u003echange()\n\nPreviously, when reducing a qdisc's limit via the -\u003echange() operation, only\nthe main skb queue was trimmed, potentially leaving packets in the gso_skb\nlist. This could result in NULL pointer dereference when we only check\nsch-\u003elimit against sch-\u003eq.qlen.\n\nThis patch introduces a new helper, qdisc_dequeue_internal(), which ensures\nboth the gso_skb list and the main queue are properly flushed when trimming\nexcess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)\nare updated to use this helper in their -\u003echange() routines.","modified":"2026-03-20T12:42:36.816391Z","published":"2025-05-26T14:54:15.796Z","related":["MGASA-2025-0182","MGASA-2025-0183","SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02334-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37992.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a7d6e0ac0a8861f6b1027488062251a8e28150fd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d1365ca80b012d8a7863e45949e413fb61fa4861"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3336f746f196c6a53e0480923ae93939f047b6c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d38939ebe0d992d581acb6885c1723fa83c1fb2c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea1132ccb112f51ba749c56a912f67970c2cd542"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/37xxx/CVE-2025-37992.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-37992"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"76e3cc126bb223013a6b9a0e2a51238d1ef2e409"},{"fixed":"ea1132ccb112f51ba749c56a912f67970c2cd542"},{"fixed":"d3336f746f196c6a53e0480923ae93939f047b6c"},{"fixed":"d38939ebe0d992d581acb6885c1723fa83c1fb2c"},{"fixed":"a7d6e0ac0a8861f6b1027488062251a8e28150fd"},{"fixed":"d1365ca80b012d8a7863e45949e413fb61fa4861"},{"fixed":"fe88c7e4fc2c1cd75a278a15ffbf1689efad4e76"},{"fixed":"2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37992.json"}}],"schema_version":"1.7.5"}