Description

In the Linux kernel, the following vulnerability has been resolved: pfifo_tail_enqueue: Drop new packet when sch->limit == 0 Expected behaviour: In case we reach scheduler's limit, pfifo_tail_enqueue() will drop a packet in scheduler's queue and decrease scheduler's qlen by one. Then, pfifo_tail_enqueue() enqueue new packet and increase scheduler's qlen by one. Finally, pfifo_tail_enqueue() return `NET_XMIT_CN` status code. Weird behaviour: In case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a scheduler that has no packet, the 'drop a packet' step will do nothing. This means the scheduler's qlen still has value equal 0. Then, we continue to enqueue new packet and increase scheduler's qlen by one. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by one and return `NET_XMIT_CN` status code. The problem is: Let's say we have two qdiscs: Qdisc_A and Qdisc_B. - Qdisc_A's type must have '->graft()' function to create parent/child relationship. Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`. - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`. - Qdisc_B is configured to have `sch->limit == 0`. - Qdisc_A is configured to route the enqueued's packet to Qdisc_B. Enqueue packet through Qdisc_A will lead to: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() return `NET_XMIT_CN` - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A. The whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1. Replace 'hfsc' with other type (for example: 'drr') still lead to the same problem. This violate the design where parent's qlen should equal to the sum of its childrens'qlen. Bug impact: This issue can be used for user->kernel privilege escalation when it is reachable.

INFO

Published Date :

2025-02-18T14:37:43.429Z

Last Modified :

2026-04-02T08:39:24.096Z

Source :

Linux
AFFECTED PRODUCTS

The following products are affected by CVE-2025-21702 vulnerability.

Vendors Products
Linux
  • Linux Kernel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-21702.

URL Resource
https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9 cve-icon cve-icon
https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d cve-icon cve-icon
https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e cve-icon cve-icon
https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888 cve-icon cve-icon
https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980 cve-icon cve-icon
https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455 cve-icon cve-icon
https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b cve-icon cve-icon
https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html cve-icon
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html cve-icon
https://lore.kernel.org/linux-cve-announce/2025021847-CVE-2025-21702-3aa3@gregkh/T cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-21702 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-21702 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact