Skip to main content

Linux Kernel CVE-2025-38468

MEDIUM
NULL Pointer Dereference (CWE-476)
2025-07-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 13:32 vuln.today
CVE Published
Jul 28, 2025 - 12:15 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

htb_lookup_leaf has a BUG_ON that can trigger with the following:

tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1

The root cause is the following:

  1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on

the selected leaf qdisc

  1. netem_dequeue calls enqueue on the child qdisc
  2. blackhole_enqueue drops the packet and returns a value that is not

just NET_XMIT_SUCCESS

  1. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and

since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase

  1. As this is the only class in the selected hprio rbtree,

__rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL

  1. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL,

which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON

The function graph for this scenario is shown here:

  1. | htb_enqueue() {
  2. + 13.635 us | netem_enqueue();
  3. 4.719 us | htb_activate_prios();

0)

2249.199 us | }

  1. | htb_dequeue() {
  2. 2.355 us | htb_lookup_leaf();
  3. | netem_dequeue() {
  4. + 11.061 us | blackhole_enqueue();
  5. | qdisc_tree_reduce_backlog() {
  6. | qdisc_lookup_rcu() {
  7. 1.873 us | qdisc_match_from_root();
  8. 6.292 us | }
  9. 1.894 us | htb_search();
  10. | htb_qlen_notify() {
  11. 2.655 us | htb_deactivate_prios();
  12. 6.933 us | }
  13. + 25.227 us | }
  14. 1.983 us | blackhole_dequeue();
  15. + 86.553 us | }

0)

2932.761 us | qdisc_warn_nonwc();

  1. | htb_lookup_leaf() {
  2. | BUG_ON();

------------------------------------------

The full original bug report can be seen here [1].

We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL.

[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/

AnalysisAI

Denial of service in Linux kernel net/sched subsystem allows local authenticated attackers to trigger a kernel panic (BUG_ON) by manipulating HTB qdisc (hierarchical token bucket queue discipline) configuration with nested qdisc classes, causing htb_lookup_leaf to encounter an empty rbtree. The vulnerability requires low privilege and local access; no special user interaction is needed once a malicious qdisc configuration is set up. Vendor-released patches are available across multiple stable kernel series.

Technical ContextAI

The vulnerability exists in the HTB (Hierarchical Token Bucket) qdisc implementation within the Linux kernel networking scheduler (net/sched). HTB uses red-black trees (rbtree) to maintain priority classes organized by priority level (hprio). The htb_lookup_leaf function performs a tree traversal to find an eligible leaf qdisc for packet dequeuing. The root cause is a BUG_ON assertion that fails when htb_lookup_leaf is called on an empty rbtree after the last class in a priority level is deactivated. This can occur when a nested qdisc structure (HTB parent → netem → blackhole child) causes the blackhole qdisc to drop packets, triggering qdisc_tree_reduce_backlog which deactivates the class and removes it from the rbtree via htb_safe_rb_erase. When htb_lookup_leaf is subsequently called with the now-empty tree, the BUG_ON triggers, crashing the kernel. The CWE-476 classification indicates a null pointer dereference vulnerability in the error handling path.

RemediationAI

Apply vendor-released kernel patches available from kernel.org stable branches: commit 0e1d5d9b5c5966e2e42e298670808590db5ed628, 3691f84269a23f7edd263e9b6edbc27b7ae332f4, 5c0506cd1b1a3b145bda2612bbf7fe78d186c355, 7ff2d83ecf2619060f30ecf9fad4f2a700fca344, 850226aef8d28a00cf966ef26d2f8f2bff344535, 890a5d423ef0a7bd13447ceaffad21189f557301, e5c480dc62a3025b8428d4818e722da30ad6804f, and fed3570e548a6c9f95c5f4c9e1a7afc1679fd90d represent the fix applied across stable series. For Debian systems, follow security advisories at https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html and msg00008.html. The fix replaces the BUG_ON assertion with a NULL return, allowing htb_dequeue_tree to safely handle empty rbtrees. For systems unable to immediately patch, restrict local user access to tc (traffic control) commands by removing capability CAP_NET_ADMIN from untrusted users or disabling HTB qdisc entirely if not required (trade-off: loss of traffic shaping capability). No user-space workaround exists; kernel upgrade is required for complete remediation.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2026-24061 CRITICAL POC
9.8 Jan 21

GNU Inetutils telnetd through version 2.7 contains a critical authentication bypass that allows remote attackers to gain

CVE-2025-32433 CRITICAL POC
10.0 Apr 16

Erlang/OTP SSH server allows unauthenticated remote code execution by exploiting a flaw in SSH protocol message handling

CVE-2017-11610 HIGH POC
8.8 Aug 23

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows rem

CVE-2015-0235 CRITICAL POC
10.0 Jan 28

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,

CVE-2014-3704 HIGH POC
7.5 Oct 16

The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct

CVE-2013-0156 HIGH POC
7.5 Jan 13

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, an

CVE-2017-12629 CRITICAL POC
9.8 Oct 14

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction wi

CVE-2017-14492 CRITICAL POC
9.8 Oct 03

Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execut

CVE-2014-2323 CRITICAL POC
9.8 Mar 14

SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary

CVE-2016-2098 HIGH POC
7.3 Apr 07

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to e

CVE-2016-6662 CRITICAL POC
9.8 Sep 20

Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.2

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.44 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.27 Image SL-Micro Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.67 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.29 Affected
Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.76 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.14 Affected
Container suse/sle-micro-rancher/5.2:latest Image SLES15-SP3-Micro-5-2-BYOS-Azure Affected
Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:5.4.4.5.41 Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-CHOST-BYOS Image SLES15-SP4-CHOST-BYOS-Aliyun Image SLES15-SP4-CHOST-BYOS-Azure Image SLES15-SP4-CHOST-BYOS-EC2 Image SLES15-SP4-CHOST-BYOS-GCE Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-BYOS-GCE Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-HPC-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-Manager-Proxy-4-3-BYOS Image SLES15-SP4-Manager-Proxy-4-3-BYOS-Azure Image SLES15-SP4-Manager-Proxy-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Proxy-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Micro-5-3 Image SLES15-SP4-Micro-5-3-BYOS Image SLES15-SP4-Micro-5-3-BYOS-Azure Image SLES15-SP4-Micro-5-3-BYOS-EC2 Image SLES15-SP4-Micro-5-3-BYOS-GCE Image SLES15-SP4-Micro-5-3-EC2 Image SLES15-SP4-Micro-5-4 Image SLES15-SP4-Micro-5-4-BYOS Image SLES15-SP4-Micro-5-4-BYOS-Azure Image SLES15-SP4-Micro-5-4-BYOS-EC2 Image SLES15-SP4-Micro-5-4-BYOS-GCE Image SLES15-SP4-Micro-5-4-EC2 Image SLES15-SP4-Micro-5-4-GCE Image SLES15-SP4-SAP Image SLES15-SP4-SAP-Azure Image SLES15-SP4-SAP-EC2 Image SLES15-SP4-SAP-GCE Image SLES15-SP4-SAPCAL Image SLES15-SP4-SAPCAL-Azure Image SLES15-SP4-SAPCAL-EC2 Image SLES15-SP4-SAPCAL-GCE Affected

Share

CVE-2025-38468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy