VYPR
Medium severity 5.5 · NVD Advisory · Published Jul 25, 2025 · Updated May 12, 2026

CVE-2025-38457

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Abort __tc_modify_qdisc if parent class does not exist

Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands:

sudo tc qdisc add dev lo root handle a: htb default 2
sudo tc qdisc add dev lo parent a: handle beef fq

Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null.

The solution is to ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called.

[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
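
The ordering the fix establishes, as a userspace C model added here (it is not the kernel patch or any code from this advisory): the parent lookup returns an error pointer when the parent id is not a class, and the caller aborts before the child's init callback can run. The helper bodies, the class table, the function names leaf_lookup and modify_qdisc, and the -ENOENT value are assumptions made for illustration.

```c
/* Userspace model, constructed for illustration; not kernel source. */
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's ERR_PTR helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct qdisc { uint32_t handle; };
struct tclass { uint32_t classid; struct qdisc *leaf; };

/* Hypothetical parent qdisc a: with a single class a:1. */
static struct qdisc leaf_q = { 0x000b0000 };
static struct tclass classes[] = { { 0x000a0001, &leaf_q } };

static int child_init_calls; /* how often the child's init() stand-in ran */

/* Lookup model: an id that matches no class is an error, never NULL. */
static struct qdisc *leaf_lookup(uint32_t parentid)
{
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (classes[i].classid == parentid)
            return classes[i].leaf;
    return ERR_PTR(-ENOENT); /* errno choice is an assumption */
}

/* Control-path model: validate the parent before creating the child. */
static int modify_qdisc(uint32_t parentid)
{
    struct qdisc *q = leaf_lookup(parentid);

    if (IS_ERR(q))
        return (int)PTR_ERR(q); /* abort early: init() is never reached */
    child_init_calls++;         /* stands in for qdisc_create() -> init() */
    return 0;
}

int main(void)
{
    /* "parent a:" is 0x000a0000: the qdisc's own handle, not a class. */
    printf("parent a:  -> %d\n", modify_qdisc(0x000a0000));
    printf("parent a:1 -> %d\n", modify_qdisc(0x000a0001));
    printf("init calls: %d\n", child_init_calls);
    return 0;
}
```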

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null pointer dereference in Linux kernel's qdisc API allows local users to crash the system when creating a qdisc with a non-existent parent class.

Vulnerability

Description

CVE-2025-38457 is a null pointer dereference vulnerability in the Linux kernel's network scheduler (qdisc) API. The bug occurs when a user creates or modifies a qdisc specifying a parent that does not correspond to an existing class. During the qdisc creation process, the kernel invokes the qdisc's init callback before verifying that the parent class exists. Several qdiscs (e.g., fq, hhf, choke) unconditionally call qdisc_tree_reduce_backlog() in their control path, which assumes a non-null class pointer. When the parent class is missing, this leads to a null pointer dereference [1].

Exploitation

An attacker with local access and sufficient privileges (typically root or CAP_NET_ADMIN) can trigger this vulnerability by issuing tc commands to create a qdisc with an invalid parent handle. For example, after setting up an HTB qdisc, adding an fq qdisc with a non-existent parent class causes the kernel to crash. No authentication beyond local shell access is required, and the attack does not depend on network reachability [1].

Impact

Successful exploitation results in a kernel panic (denial of service), crashing the affected system. The vulnerability does not appear to allow privilege escalation or arbitrary code execution; its primary impact is availability [1].

Mitigation

The fix was committed to the Linux kernel stable tree, with backports for various versions (references [2], [3], [4]). Users should update their kernel to a patched version. Siemens has also released a security advisory (SSA-082556) listing affected SIMATIC S7-1500 CPU families and related products, recommending updates to the corresponding kernel-based firmware [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
