Skip to main content
CVE-2025-38350 HIGH PATCH This Week

Use-after-free in Linux Kernel traffic control (qdisc) subsystem allows local authenticated attackers to execute arbitrary code, escalate privileges, or cause denial of service. Affects Linux Kernel versions prior to vendor-released patches across multiple stable branches (6.6.x, 6.12.x, 6.15, 6.16-rc1). Triggered when classful qdiscs like DRR and HFSC incorrectly handle child class deactivation during enqueue operations, leaving stale class pointers that can be exploited after deletion. Vendor patches available from kernel.org git stable tree; no active exploitation confirmed (not in CISA KEV), but PoC reproducer exists in public advisory.

Information Disclosure Use After Free Memory Corruption Linux Debian Linux +2
NVD
CVSS 3.1
7.8
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy