{"id":"CVE-2025-38477","summary":"net/sched: sch_qfq: Fix race condition on qfq_aggregate","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_qfq: Fix race condition on qfq_aggregate\n\nA race condition can occur when 'agg' is modified in qfq_change_agg\n(called during qfq_enqueue) while other threads access it\nconcurrently. For example, qfq_dump_class may trigger a NULL\ndereference, and qfq_delete_class may cause a use-after-free.\n\nThis patch addresses the issue by:\n\n1. Moved qfq_destroy_class into the critical section.\n\n2. Added sch_tree_lock protection to qfq_dump_class and\nqfq_dump_class_stats.","modified":"2026-04-16T00:03:58.959321148Z","published":"2025-07-28T11:21:38.319Z","related":["ALSA-2025:15008","SUSE-SU-2025:02846-1","SUSE-SU-2025:02849-1","SUSE-SU-2025:02851-1","SUSE-SU-2025:02852-1","SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03310-1","SUSE-SU-2025:03344-1","SUSE-SU-2025:03384-1","SUSE-SU-2025:03465-1","SUSE-SU-2025:03468-1","SUSE-SU-2025:03469-1","SUSE-SU-2025:03470-1","SUSE-SU-2025:03472-1","SUSE-SU-2025:03473-1","SUSE-SU-2025:03475-1","SUSE-SU-2025:03476-1","SUSE-SU-2025:03479-1","SUSE-SU-2025:03480-1","SUSE-SU-2025:03482-1","SUSE-SU-2025:03483-1","SUSE-SU-2025:03485-1","SUSE-SU-2025:03494-1","SUSE-SU-2025:03495-1","SUSE-SU-2025:03496-1","SUSE-SU-2025:03497-1","SUSE-SU-2025:03498-1","SUSE-SU-2025:03503-1","SUSE-SU-2025:03504-1","SUSE-SU-2025:03514-1","SUSE-SU-2025:03515-1","SUSE-SU-2025:03528-1","SUSE-SU-2025:03529-1","SUSE-SU-2025:03538-1","SUSE-SU-2025:03539-1","SUSE-SU-2025:03541-1","SUSE-SU-2025:03543-1","SUSE-SU-2025:03548-1","SUSE-SU-2025:03550-1","SUSE-SU-2025:03551-1","SUSE-SU-2025:03552-1","SUSE-SU-2025:03553-1","SUSE-SU-2025:03554-1","SUSE-SU-2025:03555-1","SUSE-SU-2025:03557-1","SUSE-SU-2025:03559-1","SUSE-SU-2025:03561-1","SUSE-SU-2025:03562-1","SUSE-SU-2025:03563-1","SUSE-SU-2025:03566-1","SUSE-SU-2025:03567-1","SUSE-SU-2025:03568-1","SUSE-SU-2025:03569-1","SUSE-SU-2025:03571-1","SUSE-SU-2025:03572-1","SUSE-SU-2025:03575-1","SUSE-SU-2025:03576-1","SUSE-SU-2025:03577-1","SUSE-SU-2025:03578-1","SUSE-SU-2025:03580-1","SUSE-SU-2025:03583-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:20806-1","SUSE-SU-2025:20807-1","SUSE-SU-2025:20808-1","SUSE-SU-2025:20809-1","SUSE-SU-2025:20810-1","SUSE-SU-2025:20811-1","SUSE-SU-2025:20812-1","SUSE-SU-2025:20813-1","SUSE-SU-2025:20814-1","SUSE-SU-2025:20815-1","SUSE-SU-2025:20816-1","SUSE-SU-2025:20817-1","SUSE-SU-2025:20818-1","SUSE-SU-2025:20819-1","SUSE-SU-2025:20820-1","SUSE-SU-2025:20826-1","SUSE-SU-2025:20827-1","SUSE-SU-2025:20828-1","SUSE-SU-2025:20829-1","SUSE-SU-2025:20830-1","SUSE-SU-2025:20831-1","SUSE-SU-2025:20832-1","SUSE-SU-2025:20833-1","SUSE-SU-2025:20834-1","SUSE-SU-2025:20835-1","SUSE-SU-2025:20836-1","SUSE-SU-2025:20837-1","SUSE-SU-2025:20838-1","SUSE-SU-2025:20839-1","SUSE-SU-2025:20840-1","SUSE-SU-2025:20841-1","SUSE-SU-2025:20842-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:4123-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38477.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/466e10194ab81caa2ee6a332d33ba16bcceeeba6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a6d735100f602c830c16d69fb6d780eebd8c9ae1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa7a22c4d678bf649fd3a1d27debec583563414d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c000a3a330d97f6c073ace5aa5faf94b9adb4b79"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c6df794000147a3a02f79984aada4ce83f8d0a1e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d841aa5518508ab195b6781ad0d73ee378d713dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbe48f06e64134dfeafa89ad23387f66ebca3527"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38477.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38477"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"462dbc9101acd38e92eda93c0726857517a24bbd"},{"fixed":"aa7a22c4d678bf649fd3a1d27debec583563414d"},{"fixed":"d841aa5518508ab195b6781ad0d73ee378d713dd"},{"fixed":"c6df794000147a3a02f79984aada4ce83f8d0a1e"},{"fixed":"466e10194ab81caa2ee6a332d33ba16bcceeeba6"},{"fixed":"fbe48f06e64134dfeafa89ad23387f66ebca3527"},{"fixed":"a6d735100f602c830c16d69fb6d780eebd8c9ae1"},{"fixed":"c000a3a330d97f6c073ace5aa5faf94b9adb4b79"},{"fixed":"5e28d5a3f774f118896aec17a3a20a9c5c9dfc64"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38477.json"}}],"schema_version":"1.7.5"}