{"id":"CVE-2025-38000","summary":"sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()\n\nWhen enqueuing the first packet to an HFSC class, hfsc_enqueue() calls the\nchild qdisc's peek() operation before incrementing sch-\u003eq.qlen and\nsch-\u003eqstats.backlog. If the child qdisc uses qdisc_peek_dequeued(), this may\ntrigger an immediate dequeue and potential packet drop. In such cases,\nqdisc_tree_reduce_backlog() is called, but the HFSC qdisc's qlen and backlog\nhave not yet been updated, leading to inconsistent queue accounting. This\ncan leave an empty HFSC class in the active list, causing further\nconsequences like use-after-free.\n\nThis patch fixes the bug by moving the increment of sch-\u003eq.qlen and\nsch-\u003eqstats.backlog before the call to the child qdisc's peek() operation.\nThis ensures that queue length and backlog are always accurate when packet\ndrops or dequeues are triggered during the peek.","modified":"2026-05-18T05:56:18.220794985Z","published":"2025-06-06T13:03:35.405Z","related":["SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02264-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02308-1","SUSE-SU-2025:02320-1","SUSE-SU-2025:02321-1","SUSE-SU-2025:02322-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02334-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02537-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:03097-1","SUSE-SU-2025:03100-1","SUSE-SU-2025:03104-1","SUSE-SU-2025:03106-1","SUSE-SU-2025:03108-1","SUSE-SU-2025:03109-1","SUSE-SU-2025:03111-1","SUSE-SU-2025:03123-1","SUSE-SU-2025:03124-1","SUSE-SU-2025:03126-1","SUSE-SU-2025:03129-1","SUSE-SU-2025:03130-1","SUSE-SU-2025:03133-1","SUSE-SU-2025:03135-1","SUSE-SU-2025:03138-1","SUSE-SU-2025:03143-1","SUSE-SU-2025:03148-1","SUSE-SU-2025:03153-1","SUSE-SU-2025:03154-1","SUSE-SU-2025:03156-1","SUSE-SU-2025:03160-1","SUSE-SU-2025:03165-1","SUSE-SU-2025:03175-1","SUSE-SU-2025:03179-1","SUSE-SU-2025:03180-1","SUSE-SU-2025:03181-1","SUSE-SU-2025:03182-1","SUSE-SU-2025:03184-1","SUSE-SU-2025:03185-1","SUSE-SU-2025:03186-1","SUSE-SU-2025:03190-1","SUSE-SU-2025:03191-1","SUSE-SU-2025:03194-1","SUSE-SU-2025:03195-1","SUSE-SU-2025:03207-1","SUSE-SU-2025:03208-1","SUSE-SU-2025:03209-1","SUSE-SU-2025:03210-1","SUSE-SU-2025:03212-1","SUSE-SU-2025:03213-1","SUSE-SU-2025:03215-1","SUSE-SU-2025:03217-1","SUSE-SU-2025:03222-1","SUSE-SU-2025:03223-1","SUSE-SU-2025:03226-1","SUSE-SU-2025:03235-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1","SUSE-SU-2025:20698-1","SUSE-SU-2025:20699-1","SUSE-SU-2025:20700-1","SUSE-SU-2025:20701-1","SUSE-SU-2025:20702-1","SUSE-SU-2025:20703-1","SUSE-SU-2025:20704-1","SUSE-SU-2025:20705-1","SUSE-SU-2025:20706-1","SUSE-SU-2025:20707-1","SUSE-SU-2025:20709-1","SUSE-SU-2025:20710-1","SUSE-SU-2025:20711-1","SUSE-SU-2025:20712-1","SUSE-SU-2025:20714-1","SUSE-SU-2025:20761-1","SUSE-SU-2025:20762-1","SUSE-SU-2025:20763-1","SUSE-SU-2025:20764-1","SUSE-SU-2025:20766-1","SUSE-SU-2025:20767-1","SUSE-SU-2025:20775-1","SUSE-SU-2025:20776-1","SUSE-SU-2025:20777-1","SUSE-SU-2025:20778-1","SUSE-SU-2025:20779-1","SUSE-SU-2025:20780-1","SUSE-SU-2025:20782-1","SUSE-SU-2025:4123-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38000.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1034e3310752e8675e313f7271b348914008719a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3f981138109f63232a5fb7165938d4c945cc1b9d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/49b21795b8e5654a7df3d910a12e1060da4c04cf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/89c301e929a0db14ebd94b4d97764ce1d6981653"},{"type":"WEB","url":"https://git.kernel.org/stable/c/93c276942e75de0e5bc91576300d292e968f5a02"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f9f593e34d2fb67644372c8f7b033bdc622ad228"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38000.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38000"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"12d0ad3be9c3854e52ec74bb83bb6f43612827c7"},{"fixed":"1034e3310752e8675e313f7271b348914008719a"},{"fixed":"f9f593e34d2fb67644372c8f7b033bdc622ad228"},{"fixed":"89c301e929a0db14ebd94b4d97764ce1d6981653"},{"fixed":"f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4"},{"fixed":"93c276942e75de0e5bc91576300d292e968f5a02"},{"fixed":"49b21795b8e5654a7df3d910a12e1060da4c04cf"},{"fixed":"3f3a22eebbc32b4fa8ce9c1d5f9db214b45b9335"},{"fixed":"3f981138109f63232a5fb7165938d4c945cc1b9d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38000.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.8.0"},{"fixed":"5.4.294"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.238"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.185"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.93"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.31"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.14.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38000.json"}}],"schema_version":"1.7.5"}