FKIE_CVE-2025-68815

Vulnerability from fkie_nvd - Published: 2026-01-13 16:16 - Updated: 2026-04-15 00:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: ets: Remove drr class from the active list if it changes to strict Whenever a user issues an ets qdisc change command, transforming a drr class into a strict one, the ets code isn't checking whether that class was in the active list and removing it. This means that, if a user changes a strict class (which was in the active list) back to a drr one, that class will be added twice to the active list [1]. Doing so with the following commands: tc qdisc add dev lo root handle 1: ets bands 2 strict 1 tc qdisc add dev lo parent 1:2 handle 20: \ tbf rate 8bit burst 100b latency 1s tc filter add dev lo parent 1: basic classid 1:2 ping -c1 -W0.01 -s 56 127.0.0.1 tc qdisc change dev lo root handle 1: ets bands 2 strict 2 tc qdisc change dev lo root handle 1: ets bands 2 strict 1 ping -c1 -W0.01 -s 56 127.0.0.1 Will trigger the following splat with list debug turned on: [ 59.279014][ T365] ------------[ cut here ]------------ [ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0. [ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220 [ 59.280860][ T365] Modules linked in: [ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary) [ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220 [ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44 ... [ 59.288812][ T365] Call Trace: [ 59.289056][ T365] <TASK> [ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80 [ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0 [ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10 [ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240 [ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10 [ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.292313][ T365] ? trace_contention_end+0xc8/0x110 [ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5 [ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0 Fix this by always checking and removing an ets class from the active list when changing it to strict. [1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: Remove drr class from the active list if it changes to strict\n\nWhenever a user issues an ets qdisc change command, transforming a\ndrr class into a strict one, the ets code isn\u0027t checking whether that\nclass was in the active list and removing it. This means that, if a\nuser changes a strict class (which was in the active list) back to a drr\none, that class will be added twice to the active list [1].\n\nDoing so with the following commands:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n    tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nWill trigger the following splat with list debug turned on:\n\n[   59.279014][  T365] ------------[ cut here ]------------\n[   59.279452][  T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[   59.280153][  T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[   59.280860][  T365] Modules linked in:\n[   59.281165][  T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[   59.281977][  T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   59.282391][  T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[   59.282842][  T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u003c0f\u003e 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[   59.288812][  T365] Call Trace:\n[   59.289056][  T365]  \u003cTASK\u003e\n[   59.289224][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.289546][  T365]  ets_qdisc_change+0xd2b/0x1e80\n[   59.289891][  T365]  ? __lock_acquire+0x7e7/0x1be0\n[   59.290223][  T365]  ? __pfx_ets_qdisc_change+0x10/0x10\n[   59.290546][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.290898][  T365]  ? __mutex_trylock_common+0xda/0x240\n[   59.291228][  T365]  ? __pfx___mutex_trylock_common+0x10/0x10\n[   59.291655][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.291993][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.292313][  T365]  ? trace_contention_end+0xc8/0x110\n[   59.292656][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293022][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293351][  T365]  tc_modify_qdisc+0x63a/0x1cf0\n\nFix this by always checking and removing an ets class from the active list\nwhen changing it to strict.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nnet/sched: ets: Eliminar la clase drr de la lista activa si cambia a estricta\n\nSiempre que un usuario emite un comando de cambio de qdisc ets, transformando una clase drr en una estricta, el c\u00f3digo ets no est\u00e1 verificando si esa clase estaba en la lista activa y elimin\u00e1ndola. Esto significa que, si un usuario cambia una clase estricta (que estaba en la lista activa) de nuevo a una drr, esa clase se a\u00f1adir\u00e1 dos veces a la lista activa [1].\n\nHacer esto con los siguientes comandos:\n\ntc qdisc add dev lo root handle 1: ets bands 2 strict 1\ntc qdisc add dev lo parent 1:2 handle 20: \\\n    tbf rate 8bit burst 100b latency 1s\ntc filter add dev lo parent 1: basic classid 1:2\nping -c1 -W0.01 -s 56 127.0.0.1\ntc qdisc change dev lo root handle 1: ets bands 2 strict 2\ntc qdisc change dev lo root handle 1: ets bands 2 strict 1\nping -c1 -W0.01 -s 56 127.0.0.1\n\nActivar\u00e1 el siguiente splat con la depuraci\u00f3n de lista activada:\n\n[   59.279014][  T365] ------------[ cut here ]------------\n[   59.279452][  T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.\n[   59.280153][  T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220\n[   59.280860][  T365] Modules linked in:\n[   59.281165][  T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)\n[   59.281977][  T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[   59.282391][  T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220\n[   59.282842][  T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 \u0026lt;0f\u0026gt; 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44\n...\n[   59.288812][  T365] Call Trace:\n[   59.289056][  T365]  \n[   59.289224][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.289546][  T365]  ets_qdisc_change+0xd2b/0x1e80\n[   59.289891][  T365]  ? __lock_acquire+0x7e7/0x1be0\n[   59.290223][  T365]  ? __pfx_ets_qdisc_change+0x10/0x10\n[   59.290546][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.290898][  T365]  ? __mutex_trylock_common+0xda/0x240\n[   59.291228][  T365]  ? __pfx___mutex_trylock_common+0x10/0x10\n[   59.291655][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.291993][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.292313][  T365]  ? trace_contention_end+0xc8/0x110\n[   59.292656][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293022][  T365]  ? srso_alias_return_thunk+0x5/0xfbef5\n[   59.293351][  T365]  tc_modify_qdisc+0x63a/0x1cf0\n\nSolucione esto siempre verificando y eliminando una clase ets de la lista activa al cambiarla a estricta.\n\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663"
    }
  ],
  "id": "CVE-2025-68815",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {},
  "published": "2026-01-13T16:16:03.757",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/02783a37cb1c0a2bd9fcba4ff1b81e6e209c7d87"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2f125ebe47d6369e562f3cbd9b6227cff51eaf34"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/43d9a530c8c094d137159784e7c951c65f11ec6c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/58fdce6bc005e964f1dbc3ca716f5fe0f68839a2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8067db5c95aab9461d23117679338cd8869831fa"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b1e125ae425aba9b45252e933ca8df52a843ec70"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/cca2ed931b734fe48139bc6f020e47367346630f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.