VYPR
Unrated severity · NVD Advisory · Published Oct 29, 2025 · Updated Apr 15, 2026

CVE-2025-40083

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: Fix null-deref in agg_dequeue

To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c.

To avoid code duplication, the following changes are made:

1. Changed qdisc_warn_nonwc (include/net/pkt_sched.h) into a static inline function.

2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it.

3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null-pointer dereference in the Linux kernel's QFQ (Quick Fair Queueing) packet scheduler could cause a crash; patched by adding a NULL check in agg_dequeue.

Vulnerability

CVE-2025-40083 is a null-pointer dereference vulnerability in the Linux kernel's Quick Fair Queueing (QFQ) packet scheduler, specifically in the agg_dequeue function within net/sched/sch_qfq.c. The root cause is that cl->qdisc->ops->peek(cl->qdisc) can return NULL, and the return value was used without a check, potentially leading to a kernel crash. The fix adds a NULL check before dereferencing the pointer, mirroring the approach already used in the HFSC scheduler (sch_hfsc.c).
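
The unchecked and checked patterns described above, reduced to a userspace C model (an added example, not the kernel source or the fix commit). `peek_len_checked` plays the role the advisory gives to `qdisc_peek_len`; the struct layouts, `deficit_too_small`, `demo` and the sample packet are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace stand-ins; the field layout is invented for this model. */
struct pkt { unsigned int len; };
struct qdisc;
struct qdisc_ops { struct pkt *(*peek)(struct qdisc *q); };
struct qdisc {
    const struct qdisc_ops *ops;
    struct pkt *head;   /* packet peek() hands out, or NULL */
    unsigned int qlen;  /* packets the child claims to hold */
};
static struct pkt *model_peek(struct qdisc *q) { return q->head; }
static const struct qdisc_ops model_ops = { model_peek };
struct pkt sample_pkt = { 1500 };   /* constructed sample packet */

/* "Before" shape: dereferences whatever peek() returns (crashes on NULL). */
unsigned int peek_len_unchecked(struct qdisc *q) { return q->ops->peek(q)->len; }

/* "After" shape: a NULL peek is reported and treated as length 0. */
unsigned int peek_len_checked(struct qdisc *q)
{
    struct pkt *p = q->ops->peek(q);
    if (p == NULL) {
        fprintf(stderr, "peek returned NULL on a non-empty child\n");
        return 0;
    }
    return p->len;
}

/* Hypothetical caller: 1 if the deficit cannot cover the next packet. */
int deficit_too_small(struct qdisc *child, int deficit)
{
    if (child->qlen == 0)
        return 0;   /* nothing left to schedule */
    return deficit < (int)peek_len_checked(child);
}

/* Constructed case: child claims one packet; head is real or NULL. */
int demo(struct pkt *head, int deficit)
{
    struct qdisc child = { &model_ops, head, 1 };
    return deficit_too_small(&child, deficit);
}

int main(void)
{
    printf("real=%d null=%d\n", demo(&sample_pkt, 100), demo(NULL, 100));
    return 0;
}
```

The case that matters is a child whose `qlen` is non-zero while `peek` still returns NULL: the unchecked form faults there, and the checked form returns 0 so the caller keeps running.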

Exploitation

To trigger this vulnerability, an attacker would need to be able to influence the QFQ scheduler's state, likely by sending crafted network traffic or manipulating queuing disciplines via netlink (requiring CAP_NET_ADMIN). The bug manifests when the peek operation on a child qdisc returns NULL, which can occur under specific conditions such as when the child qdisc is empty or in an error state. No authentication is required beyond the ability to interact with the scheduler.

Impact

A successful exploit causes a denial of service (kernel panic) on the affected system. The vulnerability does not appear to allow privilege escalation or arbitrary code execution, as it is a straightforward NULL pointer dereference that leads to a crash.

Mitigation

The fix has been applied to the Linux kernel stable branches via commits [1], [2], [3], and [4]. Users should update their kernel to a version containing these commits. No workaround is available other than applying the patch or avoiding use of the QFQ scheduler.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 7

References: 7
