CVE-2025-68815
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: ets: Remove drr class from the active list if it changes to strict
Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ETS qdisc, changing a DRR class to strict fails to remove it from the active list, causing a list double-add crash.
Vulnerability
Description
The ETS (Earliest Tx Time) qdisc in the Linux kernel contains a bug where changing a class from DRR (Deficit Round Robin) to strict does not remove the class from the active list if it was already present. This oversight leads to a double addition when the class is later changed back to DRR, triggering a kernel warning and potential crash [1][2][3].
Exploitation
An attacker with local root privileges can trigger the bug by issuing a specific sequence of tc commands to modify the ETS qdisc. The attack requires the ability to create and change qdiscs, which is typically restricted to privileged users. The provided reproduction steps demonstrate the exact command sequence that causes the list corruption [1].
Impact
When the bug is triggered, the kernel detects a list double-add and emits a warning (with CONFIG_DEBUG_LIST enabled) or may cause a system crash. This results in a denial of service (DoS) condition. While the immediate impact is a crash, the underlying list corruption could potentially be leveraged for more severe exploits in certain configurations.
Mitigation
Patches have been applied to the Linux kernel stable branches as referenced in the commit IDs [1][2][3]. Users should update their kernels to versions containing these fixes. No workaround is available other than avoiding the specific qdisc change sequence.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87nvd
- git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34nvd
- git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6cnvd
- git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2nvd
- git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fanvd
- git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70nvd
- git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630fnvd
News mentions
0No linked articles in our index yet.