CVE-2025-21971 (GCVE-0-2025-21971)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2026-05-11 21:10
VLAI
Title
net_sched: Prevent creation of classes with TC_H_ROOT
Summary
In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.
Severity
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 7a82fe67a9f4d7123d8e5ba8f0f0806c28695006 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 003d92c91cdb5a64b25a9a74cb8543aac9a8bb48 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 78533c4a29ac3aeddce4b481770beaaa4f3bfb67 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 94edfdfb9505ab608e86599d1d1e38c83816fc1c (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 0c3057a5a04d07120b3d0ec9c79568fceb9c921e (git)
Create a notification for this product.
Linux Linux Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:14.063Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "7a82fe67a9f4d7123d8e5ba8f0f0806c28695006",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "003d92c91cdb5a64b25a9a74cb8543aac9a8bb48",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "78533c4a29ac3aeddce4b481770beaaa4f3bfb67",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "94edfdfb9505ab608e86599d1d1e38c83816fc1c",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "0c3057a5a04d07120b3d0ec9c79568fceb9c921e",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:10:08.235Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006"
        },
        {
          "url": "https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e"
        }
      ],
      "title": "net_sched: Prevent creation of classes with TC_H_ROOT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21971",
    "datePublished": "2025-04-01T15:47:04.448Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2026-05-11T21:10:08.235Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21971",
      "date": "2026-06-16",
      "epss": "0.00164",
      "percentile": "0.0589"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21971\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:28.440\",\"lastModified\":\"2025-11-03T20:17:33.693\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet_sched: Prevent creation of classes with TC_H_ROOT\\n\\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\\ncondition when traversing up the qdisc tree to update parent backlog\\ncounters. However, if a class is created with classid TC_H_ROOT, the\\ntraversal terminates prematurely at this class instead of reaching the\\nactual root qdisc, causing parent statistics to be incorrectly maintained.\\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\\n\\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net_sched: Impide la creaci\u00f3n de clases con TC_H_ROOT La funci\u00f3n qdisc_tree_reduce_backlog() usa TC_H_ROOT como condici\u00f3n de terminaci\u00f3n al recorrer el \u00e1rbol qdisc para actualizar los contadores de backlog primarios. Sin embargo, si se crea una clase con classid TC_H_ROOT, el recorrido termina prematuramente en esta clase en lugar de alcanzar la qdisc root real, lo que provoca que las estad\u00edsticas primarias se mantengan incorrectamente. En caso de DRR, esto podr\u00eda provocar un fallo como lo inform\u00f3 Mingi Cho. Impide la creaci\u00f3n de cualquier clase Qdisc con classid TC_H_ROOT (0xFFFFFFFF) en todos los tipos de qdisc, como sugiri\u00f3 Jamal.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.26\",\"versionEndExcluding\":\"5.4.292\",\"matchCriteriaId\":\"4BD62979-FC36-4038-9FB3-9B60075F08CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.236\",\"matchCriteriaId\":\"1DF46FB0-9163-4ABE-8CCA-32A497D4715B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.180\",\"matchCriteriaId\":\"D19801C8-3D18-405D-9989-E6C9B30255FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.132\",\"matchCriteriaId\":\"91D1C2F6-55A1-4CF4-AC66-ADF758259C59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.84\",\"matchCriteriaId\":\"994E0F00-FAC4-40E4-9068-C7D4D8242EC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.20\",\"matchCriteriaId\":\"60E9C5DF-D778-4572-848A-5D6CFFE022CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.8\",\"matchCriteriaId\":\"0A20D4D7-B329-4C68-B662-76062EA7DCF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.25:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"F650D09A-41EA-4EB5-925B-F2146E8DDF2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D6550E-6679-4560-902D-AF52DCFE905B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B90F6B-BEC7-4D4E-883A-9DBADE021750\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1759FFB7-531C-41B1-9AE1-FD3D80E0D920\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.