{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-21703", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.751Z", "datePublished": "2025-02-18T14:37:44.261Z", "dateUpdated": "2025-03-24T15:39:03.896Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:39:03.896Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops->qlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses ->qlen_notify() to maintain its active list."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_netem.c"], "versions": [{"version": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31", "lessThan": "e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c", "status": "affected", "versionType": "git"}, {"version": "216509dda290f6db92c816dd54b83c1df9da9e76", "lessThan": "7f31d74fcc556a9166b1bb20515542de7bb939d1", "status": "affected", "versionType": "git"}, {"version": "c2047b0e216c8edce227d7c42f99ac2877dad0e4", "lessThan": "98a2c685293aae122f688cde11d9334dddc5d207", "status": "affected", "versionType": "git"}, {"version": "10df49cfca73dfbbdb6c4150d859f7e8926ae427", "lessThan": "7b79ca9a1de6a428d486ff52fb3d602321c08f55", "status": "affected", "versionType": "git"}, {"version": "3824c5fad18eeb7abe0c4fc966f29959552dca3e", "lessThan": "1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5", "status": "affected", "versionType": "git"}, {"version": "356078a5c55ec8d2061fcc009fb8599f5b0527f9", "lessThan": "6312555249082d6d8cc5321ff725df05482d8b83", "status": "affected", "versionType": "git"}, {"version": "f8d4bc455047cf3903cd6f85f49978987dbb3027", "lessThan": "839ecc583fa00fab785fde1c85a326743657fd32", "status": "affected", "versionType": "git"}, {"version": "f8d4bc455047cf3903cd6f85f49978987dbb3027", "lessThan": "638ba5089324796c2ee49af10427459c2de35f71", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/sched/sch_netem.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.4.291", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.235", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.179", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.129", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.78", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.14", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13.3", "lessThanOrEqual": "6.13.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c"}, {"url": "https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1"}, {"url": "https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207"}, {"url": "https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55"}, {"url": "https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5"}, {"url": "https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83"}, {"url": "https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32"}, {"url": "https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71"}], "title": "netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()", "x_generator": {"engine": "bippy-5f407fcff5a0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-18T15:38:37.163490Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-18T15:46:03.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21703", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-18T15:38:37.163490Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-18T15:38:38.582Z"}}], "cna": {"title": "netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "83c6ab12f08dcc09d4c5ac86fdb89736b28f1d31", "lessThan": "e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c", "versionType": "git"}, {"status": "affected", "version": "216509dda290f6db92c816dd54b83c1df9da9e76", "lessThan": "7f31d74fcc556a9166b1bb20515542de7bb939d1", "versionType": "git"}, {"status": "affected", "version": "c2047b0e216c8edce227d7c42f99ac2877dad0e4", "lessThan": "98a2c685293aae122f688cde11d9334dddc5d207", "versionType": "git"}, {"status": "affected", "version": "10df49cfca73dfbbdb6c4150d859f7e8926ae427", "lessThan": "7b79ca9a1de6a428d486ff52fb3d602321c08f55", "versionType": "git"}, {"status": "affected", "version": "3824c5fad18eeb7abe0c4fc966f29959552dca3e", "lessThan": "1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5", "versionType": "git"}, {"status": "affected", "version": "356078a5c55ec8d2061fcc009fb8599f5b0527f9", "lessThan": "6312555249082d6d8cc5321ff725df05482d8b83", "versionType": "git"}, {"status": "affected", "version": "f8d4bc455047cf3903cd6f85f49978987dbb3027", "lessThan": "839ecc583fa00fab785fde1c85a326743657fd32", "versionType": "git"}, {"status": "affected", "version": "f8d4bc455047cf3903cd6f85f49978987dbb3027", "lessThan": "638ba5089324796c2ee49af10427459c2de35f71", "versionType": "git"}], "programFiles": ["net/sched/sch_netem.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.13"}, {"status": "unaffected", "version": "0", "lessThan": "6.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.4.291", "versionType": "semver", "lessThanOrEqual": "5.4.*"}, {"status": "unaffected", "version": "5.10.235", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.179", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.129", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.78", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.14", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13.3", "versionType": "semver", "lessThanOrEqual": "6.13.*"}, {"status": "unaffected", "version": "6.14", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/sched/sch_netem.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c"}, {"url": "https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1"}, {"url": "https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207"}, {"url": "https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55"}, {"url": "https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5"}, {"url": "https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83"}, {"url": "https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32"}, {"url": "https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops->qlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses ->qlen_notify() to maintain its active list."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-03-24T15:39:03.896Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21703", "state": "PUBLISHED", "dateUpdated": "2025-03-24T15:39:03.896Z", "dateReserved": "2024-12-29T08:45:45.751Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-02-18T14:37:44.261Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FF7C185-6CBF-4EF2-83B3-4FB93242DFF2", "versionEndExcluding": "5.4.291", "versionStartIncluding": "5.4.288", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB3C4F74-535B-4D55-8234-E28674C6D696", "versionEndExcluding": "5.10.235", "versionStartIncluding": "5.10.232", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5BEAC01-7945-4D86-A92F-E46057B48853", "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.15.175", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A0092B6-E8B6-447B-8269-C16FD051ABD6", "versionEndExcluding": "6.1.129", "versionStartIncluding": "6.1.121", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B81326A-BA71-48DE-B949-271DF57577D6", "versionEndExcluding": "6.6.78", "versionStartIncluding": "6.6.67", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCF08963-4D69-4A0B-A57A-2B0107804026", "versionEndExcluding": "6.12.14", "versionStartIncluding": "6.12.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\n\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops->qlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses ->qlen_notify() to maintain its active list."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netem: Actualizar sch->q.qlen antes de qdisc_tree_reduce_backlog() qdisc_tree_reduce_backlog() notifica a la qdisc principal solo si la qdisc secundaria se vac\u00eda, por lo tanto, debemos reducir el backlog de la qdisc secundaria antes de llamarla. De lo contrario, perder\u00eda la oportunidad de llamar a cops->qlen_notify(), en el caso de DRR, result\u00f3 en UAF ya que DRR usa ->qlen_notify() para mantener su lista activa."}], "id": "CVE-2025-21703", "lastModified": "2025-03-24T17:38:41.197", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-02-18T15:15:18.633", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6312555249082d6d8cc5321ff725df05482d8b83"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/638ba5089324796c2ee49af10427459c2de35f71"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7b79ca9a1de6a428d486ff52fb3d602321c08f55"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7f31d74fcc556a9166b1bb20515542de7bb939d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/839ecc583fa00fab785fde1c85a326743657fd32"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98a2c685293aae122f688cde11d9334dddc5d207"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e395fec75ac2dbffc99b4bce57b7f1f3c5449f2c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()", "id": "2346269", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346269"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnetem: Update sch->q.qlen before qdisc_tree_reduce_backlog()\nqdisc_tree_reduce_backlog() notifies parent qdisc only if child\nqdisc becomes empty, therefore we need to reduce the backlog of the\nchild qdisc before calling it. Otherwise it would miss the opportunity\nto call cops->qlen_notify(), in the case of DRR, it resulted in UAF\nsince DRR uses ->qlen_notify() to maintain its active list."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module sch_netem from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2025-21703", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21703\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21703\nhttps://lore.kernel.org/linux-cve-announce/2025021849-CVE-2025-21703-79f1@gregkh/T"], "statement": "The bug happens only if emulate network delay, loss, and packet re-ordering qdisc scheduler being used. By default it is disabled. It is hard to trigger it and the security impact is limited.", "threat_severity": "Moderate"}