{"id":"CVE-2025-71066","summary":"net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Always remove class from active list before deleting in ets_qdisc_change\n\nzdi-disclosures@trendmicro.com says:\n\nThe vulnerability is a race condition between `ets_qdisc_dequeue` and\n`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.\nAttacker requires the capability to create new user and network namespace\nin order to trigger the bug.\nSee my additional commentary at the end of the analysis.\n\nAnalysis:\n\nstatic int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,\n                          struct netlink_ext_ack *extack)\n{\n...\n\n      // (1) this lock is preventing .change handler (`ets_qdisc_change`)\n      //to race with .dequeue handler (`ets_qdisc_dequeue`)\n      sch_tree_lock(sch);\n\n      for (i = nbands; i \u003c oldbands; i++) {\n              if (i \u003e= q-\u003enstrict && q-\u003eclasses[i].qdisc-\u003eq.qlen)\n                      list_del_init(&q-\u003eclasses[i].alist);\n              qdisc_purge_queue(q-\u003eclasses[i].qdisc);\n      }\n\n      WRITE_ONCE(q-\u003enbands, nbands);\n      for (i = nstrict; i \u003c q-\u003enstrict; i++) {\n              if (q-\u003eclasses[i].qdisc-\u003eq.qlen) {\n\t\t      // (2) the class is added to the q-\u003eactive\n                      list_add_tail(&q-\u003eclasses[i].alist, &q-\u003eactive);\n                      q-\u003eclasses[i].deficit = quanta[i];\n              }\n      }\n      WRITE_ONCE(q-\u003enstrict, nstrict);\n      memcpy(q-\u003eprio2band, priomap, sizeof(priomap));\n\n      for (i = 0; i \u003c q-\u003enbands; i++)\n              WRITE_ONCE(q-\u003eclasses[i].quantum, quanta[i]);\n\n      for (i = oldbands; i \u003c q-\u003enbands; i++) {\n              q-\u003eclasses[i].qdisc = queues[i];\n              if (q-\u003eclasses[i].qdisc != &noop_qdisc)\n                      qdisc_hash_add(q-\u003eclasses[i].qdisc, true);\n      }\n\n      // (3) the qdisc is unlocked, now dequeue can be called in parallel\n      // to the rest of .change handler\n      sch_tree_unlock(sch);\n\n      ets_offload_change(sch);\n      for (i = q-\u003enbands; i \u003c oldbands; i++) {\n\t      // (4) we're reducing the refcount for our class's qdisc and\n\t      //  freeing it\n              qdisc_put(q-\u003eclasses[i].qdisc);\n\t      // (5) If we call .dequeue between (4) and (5), we will have\n\t      // a strong UAF and we can control RIP\n              q-\u003eclasses[i].qdisc = NULL;\n              WRITE_ONCE(q-\u003eclasses[i].quantum, 0);\n              q-\u003eclasses[i].deficit = 0;\n              gnet_stats_basic_sync_init(&q-\u003eclasses[i].bstats);\n              memset(&q-\u003eclasses[i].qstats, 0, sizeof(q-\u003eclasses[i].qstats));\n      }\n      return 0;\n}\n\nComment:\nThis happens because some of the classes have their qdiscs assigned to\nNULL, but remain in the active list. This commit fixes this issue by always\nremoving the class from the active list before deleting and freeing its\nassociated qdisc\n\nReproducer Steps\n(trimmed version of what was sent by zdi-disclosures@trendmicro.com)\n\n```\nDEV=\"${DEV:-lo}\"\nROOT_HANDLE=\"${ROOT_HANDLE:-1:}\"\nBAND2_HANDLE=\"${BAND2_HANDLE:-20:}\"   # child under 1:2\nPING_BYTES=\"${PING_BYTES:-48}\"\nPING_COUNT=\"${PING_COUNT:-200000}\"\nPING_DST=\"${PING_DST:-127.0.0.1}\"\n\nSLOW_TBF_RATE=\"${SLOW_TBF_RATE:-8bit}\"\nSLOW_TBF_BURST=\"${SLOW_TBF_BURST:-100b}\"\nSLOW_TBF_LAT=\"${SLOW_TBF_LAT:-1s}\"\n\ncleanup() {\n  tc qdisc del dev \"$DEV\" root 2\u003e/dev/null\n}\ntrap cleanup EXIT\n\nip link set \"$DEV\" up\n\ntc qdisc del dev \"$DEV\" root 2\u003e/dev/null || true\n\ntc qdisc add dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\n\ntc qdisc add dev \"$DEV\" parent 1:2 handle \"$BAND2_HANDLE\" \\\n  tbf rate \"$SLOW_TBF_RATE\" burst \"$SLOW_TBF_BURST\" latency \"$SLOW_TBF_LAT\"\n\ntc filter add dev \"$DEV\" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2\ntc -s qdisc ls dev $DEV\n\nping -I \"$DEV\" -f -c \"$PING_COUNT\" -s \"$PING_BYTES\" -W 0.001 \"$PING_DST\" \\\n  \u003e/dev/null 2\u003e&1 &\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 0\ntc qdisc change dev \"$DEV\" root handle \"$ROOT_HANDLE\" ets bands 2 strict 2\ntc -s qdisc ls dev $DEV\ntc qdisc del dev \"$DEV\" parent \n---truncated---","modified":"2026-03-31T17:29:34.794576Z","published":"2026-01-13T15:31:21.931Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:0928-1","SUSE-SU-2026:0961-1","SUSE-SU-2026:0984-1","SUSE-SU-2026:1003-1","SUSE-SU-2026:1041-1","SUSE-SU-2026:1077-1","SUSE-SU-2026:1081-1","SUSE-SU-2026:1131-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71066.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71066.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71066"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ae2659d2c670252759ee9c823c4e039c0e05a6f2"},{"fixed":"062d5d544e564473450d72e6af83077c2b2ff7c3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e25bdbc7e951ae5728fee1f4c09485df113d013c"},{"fixed":"c7f6e7cc14df72b997258216e99d897d2df0dbbd"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"de6d25924c2a8c2988c6a385990cafbe742061bf"},{"fixed":"a75d617a4ef08682f5cfaadc01d5141c87e019c9"},{"fixed":"9987cda315c08f63a02423fa2f9a1f6602c861a0"},{"fixed":"06bfb66a7c8b45e3fed01351a4b087410ae5ef39"},{"fixed":"45466141da3c98a0c5fa88be0bc14b4b6a4bd75c"},{"fixed":"ce052b9402e461a9aded599f5b47e76bc727f7de"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71066.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.18.3"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71066.json"}}],"schema_version":"1.7.5"}