CVE-2025-38350— Linux kernel 安全漏洞
影响版本矩阵 26
| 厂商 | 产品 | 版本范围 | 状态 |
|---|---|---|---|
| Linux | Linux | 1034e3310752e8675e313f7271b348914008719a< 3b290923ad2b23596208c1e29520badef4356a43 | affected |
f9f593e34d2fb67644372c8f7b033bdc622ad228< e9921b57dca05ac5f4fa1fa8e993d4f0ee52e2b7 | affected | ||
89c301e929a0db14ebd94b4d97764ce1d6981653< e269f29e9395527bc00c213c6b15da04ebb35070 | affected | ||
f1dde3eb17dc1b8bd07aed00004b1e05fc87a3d4< 7874c9c132e906a52a187d045995b115973c93fb | affected | ||
93c276942e75de0e5bc91576300d292e968f5a02< f680a4643c6f71e758d8fe0431a958e9a6a4f59d | affected | ||
49b21795b8e5654a7df3d910a12e1060da4c04cf< a553afd91f55ff39b1e8a1c4989a29394c9e0472 | affected | ||
3f981138109f63232a5fb7165938d4c945cc1b9d< a44acdd9e84a211989ff4b9b92bf3545d8456ad5 | affected | ||
3f981138109f63232a5fb7165938d4c945cc1b9d< 103406b38c600fec1fe375a77b27d87e314aea09 | affected | ||
| … +18 条更多 | |||
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2025-38350 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
net/sched: Always pass notifications when child class becomes empty
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
Linux kernel 安全漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于子类变空时通知传递不当,可能导致释放后重用。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
二、漏洞 CVE-2025-38350 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2025-38350 的情报信息
请登录查看更多情报信息。
IV. Related Vulnerabilities
V. Comments for CVE-2025-38350
暂无评论