CVE-2025-21702

{"id": "CVE-2025-21702", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2025-02-18T15:15:18.530", "references": [{"url": "https://git.kernel.org/stable/c/020ecb76812a0526f4130ab5aeb6dc7c773e7ab9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/647cef20e649c576dff271e018d5d15d998b629d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/78285b53266d6d51fa4ff504a23df03852eba84e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/79a955ea4a2e5ddf4a36328959de0de496419888", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7a9723ec27aff5674f1fd4934608937f1d650980", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a56a6e8589a9b98d8171611fbcc1e45a15fd2455", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b6a079c3b6f95378f26e2aeda520cb3176f7067b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e40cb34b7f247fe2e366fd192700d1b4f38196ca", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npfifo_tail_enqueue: Drop new packet when sch->limit == 0\n\nExpected behaviour:\nIn case we reach scheduler's limit, pfifo_tail_enqueue() will drop a\npacket in scheduler's queue and decrease scheduler's qlen by one.\nThen, pfifo_tail_enqueue() enqueue new packet and increase\nscheduler's qlen by one. Finally, pfifo_tail_enqueue() return\n`NET_XMIT_CN` status code.\n\nWeird behaviour:\nIn case we set `sch->limit == 0` and trigger pfifo_tail_enqueue() on a\nscheduler that has no packet, the 'drop a packet' step will do nothing.\nThis means the scheduler's qlen still has value equal 0.\nThen, we continue to enqueue new packet and increase scheduler's qlen by\none. In summary, we can leverage pfifo_tail_enqueue() to increase qlen by\none and return `NET_XMIT_CN` status code.\n\nThe problem is:\nLet's say we have two qdiscs: Qdisc_A and Qdisc_B.\n - Qdisc_A's type must have '->graft()' function to create parent/child relationship.\n Let's say Qdisc_A's type is `hfsc`. Enqueue packet to this qdisc will trigger `hfsc_enqueue`.\n - Qdisc_B's type is pfifo_head_drop. Enqueue packet to this qdisc will trigger `pfifo_tail_enqueue`.\n - Qdisc_B is configured to have `sch->limit == 0`.\n - Qdisc_A is configured to route the enqueued's packet to Qdisc_B.\n\nEnqueue packet through Qdisc_A will lead to:\n - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B)\n - Qdisc_B->q.qlen += 1\n - pfifo_tail_enqueue() return `NET_XMIT_CN`\n - hfsc_enqueue() check for `NET_XMIT_SUCCESS` and see `NET_XMIT_CN` => hfsc_enqueue() don't increase qlen of Qdisc_A.\n\nThe whole process lead to a situation where Qdisc_A->q.qlen == 0 and Qdisc_B->q.qlen == 1.\nReplace 'hfsc' with other type (for example: 'drr') still lead to the same problem.\nThis violate the design where parent's qlen should equal to the sum of its childrens'qlen.\n\nBug impact: This issue can be used for user->kernel privilege escalation when it is reachable."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: pfifo_tail_enqueue: Descartar nuevo paquete cuando sch->limit == 0 Comportamiento esperado: En caso de que alcancemos el l\u00edmite del planificador, pfifo_tail_enqueue() descartar\u00e1 un paquete en la cola del planificador y disminuir\u00e1 el qlen del planificador en uno. Luego, pfifo_tail_enqueue() pone en cola un nuevo paquete y aumenta el qlen del planificador en uno. Finalmente, pfifo_tail_enqueue() devuelve el c\u00f3digo de estado `NET_XMIT_CN`. Comportamiento extra\u00f1o: En caso de que establezcamos `sch->limit == 0` y activemos pfifo_tail_enqueue() en un planificador que no tiene ning\u00fan paquete, el paso 'descartar un paquete' no har\u00e1 nada. Esto significa que el qlen del planificador todav\u00eda tiene un valor igual a 0. Luego, continuamos poniendo en cola un nuevo paquete y aumentamos el qlen del planificador en uno. En resumen, podemos aprovechar pfifo_tail_enqueue() para aumentar qlen en uno y devolver el c\u00f3digo de estado `NET_XMIT_CN`. El problema es: digamos que tenemos dos qdiscs: Qdisc_A y Qdisc_B. - El tipo de Qdisc_A debe tener la funci\u00f3n '->graft()' para crear una relaci\u00f3n padre/hijo. Digamos que el tipo de Qdisc_A es `hfsc`. Poner en cola un paquete en esta qdisc activar\u00e1 `hfsc_enqueue`. - El tipo de Qdisc_B es pfifo_head_drop. Poner en cola un paquete en esta qdisc activar\u00e1 `pfifo_tail_enqueue`. - Qdisc_B est\u00e1 configurado para tener `sch->limit == 0`. - Qdisc_A est\u00e1 configurado para enrutar el paquete en cola a Qdisc_B. Poner en cola un paquete a trav\u00e9s de Qdisc_A conducir\u00e1 a: - hfsc_enqueue(Qdisc_A) -> pfifo_tail_enqueue(Qdisc_B) - Qdisc_B->q.qlen += 1 - pfifo_tail_enqueue() devuelve `NET_XMIT_CN` - hfsc_enqueue() comprueba `NET_XMIT_SUCCESS` y ve `NET_XMIT_CN` => hfsc_enqueue() no aumenta el qlen de Qdisc_A. Todo el proceso conduce a una situaci\u00f3n en la que Qdisc_A->q.qlen == 0 y Qdisc_B->q.qlen == 1. Reemplazar 'hfsc' por otro tipo (por ejemplo: 'drr') sigue conduciendo al mismo problema. Esto viola el dise\u00f1o donde el qlen del padre debe ser igual a la suma del qlen de sus hijos. Impacto del error: este problema se puede utilizar para la escalada de privilegios de usuario a kernel cuando sea posible."}], "lastModified": "2025-10-16T13:58:06.320", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EED05E52-7CFA-4A43-A352-40F047FDB63A", "versionEndExcluding": "5.4.291", "versionStartIncluding": "2.6.34"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "545121FA-DE31-4154-9446-C2000FB4104D", "versionEndExcluding": "5.10.235", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C708062C-4E1B-465F-AE6D-C09C46400875", "versionEndExcluding": "5.15.179", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26997835-273D-4841-ABD3-4696059AC299", "versionEndExcluding": "6.1.130", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D9F642F-6E05-4926-B0FE-62F95B7266BC", "versionEndExcluding": "6.6.83", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "033BB7EE-C9A2-45EA-BAC9-87BB9D951BCD", "versionEndExcluding": "6.12.14", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "186716B6-2B66-4BD0-852E-D48E71C0C85F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}