Critical Vulnerability Information

Vulnerability Description:
- The vulnerability involves .
- When using HFSC and NETEM, it is possible to bypass the recent patch (commit 141d34391abb...) and trigger a Use-After-Free (UAF) issue.

Vulnerability Details:
- The patch only checks the field to determine if it's the first insertion, but this field is incremented only in .
- Using the flag (which invokes ) allows bypassing the check and inserting the class twice into the .
- Under normal circumstances, this causes an infinite loop in .
- If TBF is configured on the root queue with a very low rate, packet dequeuing can be prevented, enabling exploitation of this behavior for subsequent insertions and triggering UAF.

Mitigation:
- Explicitly check in whether the class is already in the , especially when the flag is set.

Related Links:
- Patch Submission
- Code Location 1
- Code Location 2
- Code Location 3
- Detailed Report
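
The guard pattern described under Vulnerability Details and Mitigation, as an added example that is not part of the original advisory or the kernel source: a toy C model where a counter stands in for "already inserted" on a path that never increments it, next to the explicit membership check. All names (`cls`, `active_count`, `in_set`, `flagged_insert`, `stale_refs`) are hypothetical, and the small array stands in for the kernel data structure.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy model, not kernel code: every name here is hypothetical. */
#define SET_CAP 8
struct cls { unsigned active_count; bool in_set; };
struct active_set { struct cls *slot[SET_CAP]; size_t len; };

static void set_insert(struct active_set *s, struct cls *c)
{
    if (s->len == SET_CAP)
        return;
    s->slot[s->len++] = c;
    c->in_set = true;
}

/* Teardown drops one entry, which is enough for a class inserted once. */
static void set_remove_once(struct active_set *s, struct cls *c)
{
    for (size_t i = 0; i < s->len; i++)
        if (s->slot[i] == c) { s->slot[i] = s->slot[--s->len]; break; }
    c->in_set = false;
}

/* Insert path that never increments active_count. Weak guard: a zero
 * counter means "not inserted yet". Hardened: test membership itself. */
static void flagged_insert(struct active_set *s, struct cls *c, bool hardened)
{
    if (hardened ? !c->in_set : c->active_count == 0)
        set_insert(s, c);
}

/* Entries still pointing at the class after two inserts, one removal. */
static size_t stale_refs(bool hardened)
{
    struct active_set s = { .len = 0 };
    struct cls c = { 0 };
    size_t n = 0;
    flagged_insert(&s, &c, hardened);
    flagged_insert(&s, &c, hardened);
    set_remove_once(&s, &c);
    for (size_t i = 0; i < s.len; i++)
        n += (s.slot[i] == &c);
    return n;
}

int main(void)
{
    printf("weak=%zu checked=%zu\n", stale_refs(false), stale_refs(true));
}
```

With the weak guard one entry still references the class after its single removal, which is the condition that becomes a use-after-free once the class is freed.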