CVE-2025-38350 | net/sched: Always pass notifications when child class becomes empty

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.

Published: 2025-07-19 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-38350 is rated Low Risk (33.7/100): CVSS High severity, with low exploitation likelihood (EPSS 0.17%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-38350

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.08% 0.17% +0.10%
2 2026-05-15 0.04% 0.08% +0.04%
3 2025-12-15 0.04%

Full EPSS history (5 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-38350

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.8 3.1 HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.8 5.9 [email protected]

Weakness enumeration for CVE-2025-38350

GitHub Security Advisory for CVE-2025-38350

GHSA-6mr5-83vp-r7m7 · Severity: high — In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass...

OS Trackers for CVE-2025-38350

vendor priority summary link
debian not yet assigned CVE-2025-38350 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-38350
redhat high https://access.redhat.com/security/cve/CVE-2025-38350
suse high https://www.suse.com/security/cve/CVE-2025-38350/
ubuntu medium CVE-2025-38350 medium priority: Ubuntu including 158 source packages (linux, linux-allwinner-5.19, …), 1414 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1017, released 208, ignored 155, not-affected 33, needed 1. https://ubuntu.com/security/CVE-2025-38350

Affected software / configurations for CVE-2025-38350

Vendor Product Version Raw CPE
linux linux_kernel >= 5.4.294, < 5.4.296 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.10.238, < 5.10.240 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.15.185, < 5.15.187 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.1.141, < 6.1.144 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.6.93, < 6.6.97 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.12.31, < 6.12.37 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.14.9, < 6.15 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.15.1, < 6.15.6 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 6.15 cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:*
linux linux_kernel 6.16 cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:*
debian debian_linux 11.0 cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References for CVE-2025-38350

URL Tags
https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09 Patch
https://git.kernel.org/stable/c/3b290923ad2b23596208c1e29520badef4356a43 Patch
https://git.kernel.org/stable/c/7874c9c132e906a52a187d045995b115973c93fb Patch
https://git.kernel.org/stable/c/a44acdd9e84a211989ff4b9b92bf3545d8456ad5 Patch
https://git.kernel.org/stable/c/a553afd91f55ff39b1e8a1c4989a29394c9e0472 Patch
https://git.kernel.org/stable/c/e269f29e9395527bc00c213c6b15da04ebb35070 Patch
https://git.kernel.org/stable/c/e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7 Patch
https://git.kernel.org/stable/c/f680a4643c6f71e758d8fe0431a958e9a6a4f59d Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-082556.html
https://cert-portal.siemens.com/productcert/html/ssa-089022.html
cvelogic Threat Intelligence