CVE-2025-38108

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: A race condition has been identified in the Linux kernel's RED (Random Early Detection) component. This issue occurs when the SFQ (Stochastic Fairness Queuing) perturb timer fires at an inappropriate time, allowing for a potential underflow of a parent's queue length. The race condition involves concurrent execution of qdisc tree flush backlog() and qdisc put() functions, which can be exploited. To resolve this issue, calling qdisc purge queue() instead of qdisc tree flush backlog() is suggested, as it purges all packets from the queue before releasing the lock.

Recommendations: As a temporary workaround, consider modifying the code to call qdisc purge queue() instead of qdisc tree flush backlog() to prevent the race condition. Restrict access to the vulnerable red change() function until a patch is available. Avoid using the qdisc tree flush backlog() function in conjunction with qdisc put() until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.