PT-2025-30871 · Linux+5 · Linux Kernel+5

Published: 2025-01-01 · Updated: 2026-04-20 · CVE-2025-38457

CVSS v2.0: 6.0 (Medium)

Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A flaw exists in the Linux kernel's networking subsystem related to traffic control (net/sched). The issue occurs when creating or modifying a queueing discipline (qdisc) with a parent qdisc, potentially leading to a failure when the parent class does not exist. This can happen in qdiscs like fq, hhf, and choke, which unconditionally invoke qdisc_tree_reduce_backlog() during initialization or changes. This function attempts to access a null class, causing a failure. The issue arises because grafting is performed after the qdisc's initialization callback is executed. The solution involves ensuring that qdisc_leaf(), which looks up the parent class, returns an error if the class is not found, before qdisc_create() is called.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

AZL-65741
AZL-72935
BDU:2025-11503
CVE-2025-38457
DLA-4327-1
DLA-4328-1
DSA-5973-1
DSA-5975-1
ECHO-048C-8121-C45E
MGASA-2025-0218
MGASA-2025-0219
OESA-2025-2080
OESA-2026-1305
OPENSUSE-SU-2025:20081-1
SUSE-SU-2025:02853-1
SUSE-SU-2025:02923-1
SUSE-SU-2025:02969-1
SUSE-SU-2025:02996-1
SUSE-SU-2025:02997-1
SUSE-SU-2025:03011-1
SUSE-SU-2025:03023-1
SUSE-SU-2025:03204-1
SUSE-SU-2025:20577-1
SUSE-SU-2025:20586-1
SUSE-SU-2025:20601-1
SUSE-SU-2025:20602-1
SUSE-SU-2025:21074-1
SUSE-SU-2025:21139-1
SUSE-SU-2025:21179-1
SUSE-SU-2025_02853-1
SUSE-SU-2025_02969-1
SUSE-SU-2025_02996-1
SUSE-SU-2025_02997-1
SUSE-SU-2025_03011-1
SUSE-SU-2025_03023-1
SUSE-SU-2025_03204-1
USN-7774-1
USN-7774-2
USN-7774-3
USN-7774-4
USN-7774-5
USN-7775-1
USN-7775-2
USN-7775-3
USN-7776-1
USN-7879-1
USN-7879-2
USN-7879-3
USN-7879-4
USN-7880-1
USN-7934-1
USN-8028-1
USN-8028-2
USN-8028-3
USN-8028-4
USN-8028-5
USN-8028-6
USN-8028-7
USN-8028-8
USN-8031-1
USN-8031-2
USN-8031-3
USN-8052-1
USN-8052-2
USN-8074-1
USN-8074-2
USN-8126-1

Affected Products

Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu