CVE-2025-38087

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's network scheduler (taprio) allows attackers to potentially crash the kernel or execute arbitrary code. This affects Linux systems using the taprio queuing discipline for traffic scheduling. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not explicitly stated in CVE, but references indicate stable kernel patches were applied.
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that use the taprio queuing discipline (net/sched). Not every Linux system has it enabled.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Kernel panic leading to system crash, or potential privilege escalation to kernel-level code execution, resulting in complete system compromise.

🟠 Likely Case

Kernel crash causing system instability or denial of service, requiring reboot to restore functionality.

🟢 If Mitigated

Minimal impact if proper access controls prevent local attackers from reaching vulnerable code paths.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable from network.
🏢 Internal Only: MEDIUM - Local attackers or malicious users could exploit this to crash systems or potentially escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of how to trigger the race condition between taprio_dev_notifier() and advance_sched().

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commits 8a008c89e5e5c5332e4c0a33d707db9ddd529f8a, 8c5713ce1ced75f9e9ed5c642ea3d2ba06ead69c, b1547d28ba468bc3b88764efd13e4319bab63be8, or b160766e26d4e2e2d6fe2294e0b02f92baefcec5

Vendor Advisory: https://git.kernel.org/stable/c/8a008c89e5e5c5332e4c0a33d707db9ddd529f8a

Restart Required: Yes

Instructions:

1. Check current kernel version.
2. Update kernel to patched version from distribution vendor.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable taprio queuing discipline

Remove or disable the taprio scheduler if it is not required.

# Check if taprio is loaded:
lsmod | grep sch_taprio
# Remove module:
sudo rmmod sch_taprio

🧯 If You Can't Patch

  • Restrict local user access to prevent exploitation
  • Implement strict access controls and monitor for suspicious local activity

🔍 How to Verify

Check if Vulnerable:

Check kernel version and verify if taprio module is loaded: uname -r && lsmod | grep sch_taprio

Check Version:

uname -r

Verify Fix Applied:

Run uname -r and confirm with the distribution vendor that the running kernel version includes one of the fix commits.
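
The checks above only show whether the module is loaded. As an added example (not part of the CVE record or the kernel project), this script also reads `tc qdisc show` output to tell whether any interface actually has a taprio qdisc attached. Function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify taprio exposure from `tc qdisc show` and `lsmod` text.
# Function names and the sample output below are constructed for illustration.

# Print each interface that has a taprio qdisc attached (tc output on stdin).
taprio_devs() {
    awk '$1 == "qdisc" && $2 == "taprio" {
             for (i = 3; i < NF; i++)
                 if ($i == "dev") { print $(i + 1); break }
         }' | sort -u
}

# Succeed if sch_taprio appears as a loaded module (lsmod output on stdin).
# A kernel with taprio built in never lists it here, so the tc check comes first.
taprio_module_loaded() {
    awk '$1 == "sch_taprio" { found = 1 } END { exit !found }'
}

# $1 = `tc qdisc show` output, $2 = `lsmod` output
taprio_exposure() {
    devs=$(printf '%s\n' "$1" | taprio_devs)
    if [ -n "$devs" ]; then
        echo "in-use:" $devs          # unquoted on purpose: join names with spaces
    elif printf '%s\n' "$2" | taprio_module_loaded; then
        echo "loaded-idle"            # module present, no interface uses it
    else
        echo "not-loaded"
    fi
}

SAMPLE_TC='qdisc noqueue 0: dev lo root refcnt 2
qdisc taprio 100: dev eth0 root refcnt 9 tc 3 map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2
qdisc pfifo 0: dev eth0 parent 100:1 limit 1000p
qdisc fq_codel 0: dev eth1 root refcnt 2 limit 10240p flows 1024'

SAMPLE_LSMOD='Module                  Size  Used by
sch_taprio             45056  1
sch_fq_codel           20480  2'

taprio_exposure "$SAMPLE_TC" "$SAMPLE_LSMOD"
```

On a live host, call `taprio_exposure "$(tc qdisc show)" "$(lsmod)"`. An `in-use` result names the interfaces where the taprio code path is active on that kernel.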

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/kern.log or dmesg
  • System crash/reboot events

Network Indicators:

  • None - local exploitation only

SIEM Query:

Search for kernel panic events or unexpected system reboots
