
Linux Kernel CVE-2025-38477

Severity: MEDIUM (CVSS 3.1 base score 4.7)
Weakness: Race Condition (CWE-362)
Published: 2025-07-28
Assigner ID: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (2 events)

Analysis Generated: May 12, 2026 - 13:33 (vuln.today)
CVE Published: Jul 28, 2025 - 12:15 (nvd), MEDIUM 4.7

Description (NVD)

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_qfq: Fix race condition on qfq_aggregate

A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free.

This patch addresses the issue by:

  1. Moved qfq_destroy_class into the critical section.
  2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats.

Analysis (AI)

A race condition in the Linux kernel's net/sched sch_qfq module allows local authenticated attackers to cause denial of service through NULL pointer dereference or use-after-free errors when concurrent threads modify queue aggregation structures during packet scheduling. The vulnerability requires low privileges and has a low real-world exploitation probability (EPSS 0.02%), though a vendor patch is available.

Technical Context (AI)

The vulnerability exists in the QFQ (Quick Fair Queueing) packet scheduler subsystem within the Linux kernel's traffic control (qdisc) framework. QFQ maintains aggregation structures (agg) that group traffic classes for fair bandwidth allocation. The race condition occurs in net/sched/sch_qfq.c when the qfq_change_agg function modifies aggregation metadata during qfq_enqueue operations while concurrent threads, such as qfq_dump_class (used for statistics retrieval) or qfq_delete_class (used for class deletion), access the same structures without proper synchronization. This is a classic CWE-362 race condition where multiple execution paths access shared mutable state without atomic protection. The fix adds sch_tree_lock critical sections around both data modification and reads, ensuring that qfq_dump_class and qfq_dump_class_stats cannot race against aggregation structure updates.
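The following is an added illustration, written for this page and not the kernel's own sch_qfq code: a user-space model of the post-fix structure described above, in which a class points at an aggregate, the aggregate swap and the destroy of the old one happen inside one critical section, and the dump path takes the same lock around its NULL check and field reads. The struct layout, the function names (model_change_agg, model_delete_class, model_dump_class, run_locked_stress, dump_after_delete_fails) and the stand-in mutex for sch_tree_lock are constructed for the example. The stress harness checks that a concurrent dumper always sees a coherent aggregate and that a dump after deletion fails cleanly instead of dereferencing NULL.

```c
#include <pthread.h>
#include <stdlib.h>

/* Toy model of the sch_qfq data relationships (constructed for this
 * example, not the kernel's code): a class points at an aggregate, and
 * changing the class's parameters replaces and frees that aggregate. */
struct qfq_aggregate {
    unsigned int class_weight;
    unsigned int lmax;
};

struct qfq_class {
    struct qfq_aggregate *agg;   /* NULL once the class is deleted */
};

/* Stand-in for sch_tree_lock()/sch_tree_unlock(): one lock serialising
 * every update to, and every read of, the class/aggregate tree. */
static pthread_mutex_t tree_lock = PTHREAD_MUTEX_INITIALIZER;

/* Post-fix shape of qfq_change_agg: the pointer swap and the destroy of
 * the old aggregate happen in the same critical section, so no reader
 * can be left holding a pointer to freed memory. */
static int model_change_agg(struct qfq_class *cl, unsigned int weight, unsigned int lmax)
{
    struct qfq_aggregate *fresh = malloc(sizeof *fresh);
    if (!fresh)
        return -1;
    fresh->class_weight = weight;
    fresh->lmax = lmax;

    pthread_mutex_lock(&tree_lock);
    struct qfq_aggregate *old = cl->agg;
    cl->agg = fresh;
    free(old);                   /* destroy moved under the lock */
    pthread_mutex_unlock(&tree_lock);
    return 0;
}

/* Post-fix shape of qfq_delete_class: unlink and free under the lock. */
static void model_delete_class(struct qfq_class *cl)
{
    pthread_mutex_lock(&tree_lock);
    free(cl->agg);
    cl->agg = NULL;
    pthread_mutex_unlock(&tree_lock);
}

/* Post-fix shape of qfq_dump_class: the NULL check and both field reads
 * sit under the lock, so the aggregate cannot be replaced or deleted
 * between the check and the dereference. Returns 0, or -1 if deleted. */
static int model_dump_class(struct qfq_class *cl, unsigned int *weight, unsigned int *lmax)
{
    int ret = -1;
    pthread_mutex_lock(&tree_lock);
    if (cl->agg) {
        *weight = cl->agg->class_weight;
        *lmax = cl->agg->lmax;
        ret = 0;
    }
    pthread_mutex_unlock(&tree_lock);
    return ret;
}

/* Stress harness: one thread keeps re-aggregating the class with the
 * invariant lmax == 2 * weight, another keeps dumping it. Counts dumps
 * that saw the invariant broken (expected 0). The counter is a coherence
 * check only; the pre-fix use-after-free would surface under
 * AddressSanitizer rather than here. */
struct stress_arg { struct qfq_class *cl; unsigned int rounds; unsigned int bad; };

static void *changer(void *p)
{
    struct stress_arg *a = p;
    for (unsigned int i = 1; i <= a->rounds; i++)
        if (model_change_agg(a->cl, i, 2 * i) != 0)
            break;
    return NULL;
}

static void *dumper(void *p)
{
    struct stress_arg *a = p;
    unsigned int w = 0, l = 0;
    for (unsigned int i = 0; i < a->rounds; i++)
        if (model_dump_class(a->cl, &w, &l) == 0 && l != 2 * w)
            a->bad++;
    return NULL;
}

unsigned int run_locked_stress(unsigned int rounds)
{
    struct qfq_class cl = { .agg = NULL };
    if (model_change_agg(&cl, 1, 2) != 0)
        return (unsigned int)-1;
    struct stress_arg ca = { &cl, rounds, 0 }, da = { &cl, rounds, 0 };
    pthread_t tc, td;
    pthread_create(&tc, NULL, changer, &ca);
    pthread_create(&td, NULL, dumper, &da);
    pthread_join(tc, NULL);
    pthread_join(td, NULL);
    model_delete_class(&cl);
    return da.bad;
}

/* After deletion a dump must fail cleanly instead of dereferencing NULL. */
int dump_after_delete_fails(void)
{
    struct qfq_class cl = { .agg = NULL };
    unsigned int w = 0, l = 0;
    if (model_change_agg(&cl, 3, 6) != 0)
        return 0;
    int before = model_dump_class(&cl, &w, &l);
    model_delete_class(&cl);
    int after = model_dump_class(&cl, &w, &l);
    return before == 0 && w == 3 && l == 6 && after == -1;
}
```

The point of the model is the ordering, not the mutex itself: if `free(old)` were moved after the unlock (the pre-fix shape), a dumper that had already passed its NULL check could dereference the just-freed aggregate, and if the dump path did not take the lock at all, `cl->agg` could become NULL between the check and the read. Running the stress function under AddressSanitizer with either of those two changes applied is a quick way to see the pre-fix failure modes the advisory describes.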

Remediation (AI)

Apply the vendor-released kernel security patches available through multiple upstream commits in the stable kernel repository (commits 466e10194ab81caa2ee6a332d33ba16bcceeeba6, 5e28d5a3f774f118896aec17a3a20a9c5c9dfc64, a6d735100f602c830c16d69fb6d780eebd8c9ae1, aa7a22c4d678bf649fd3a1d27debec583414d, c000a3a330d97f6c073ace5aa5faf94b9adb4b79, c6df794000147a3a02f79984aada4ce83f8d0a1e, d841aa5518508ab195b6781ad0d73ee378d713dd, and fbe48f06e64134dfeafa89ad23387f66ebca3527). For Debian and Debian-LTS users, install the patched kernel version referenced in the Debian LTS security advisories (debian-lts-announce 2025/10/msg00007 and 00008). If immediate patching is not feasible, the high attack complexity and local-access requirement mean that restricting local shell access and removing non-root users from systems with QFQ scheduling enabled reduces exposure, though this is a compensating control with significant operational overhead. Upgrading to patched stable kernel releases (6.16 final or later stable branch updates) is the primary recommended action.

Vendor Status (Vendor)
