CVE-2025-38350

Q: What is the severity of CVE-2025-38350?

CVE-2025-38350 has a CVSS score of 7.8 (HIGH). A use-after-free vulnerability in the Linux kernel's network traffic control subsystem allows local attackers to potentially crash the system or execute arbitrary code. This affects systems using classful queueing disciplines (qdiscs) like HFSC, DRR, or others with specific configurations. Attackers need local access to exploit this vulnerability.

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the Linux kernel's network traffic control subsystem allows local attackers to potentially crash the system or execute arbitrary code. This affects systems using classful queueing disciplines (qdiscs) like HFSC, DRR, or others with specific configurations. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:

Linux kernel

Versions: Versions before the fix commits (specific versions vary by distribution; check kernel commit history for affected releases)

Operating Systems: Linux distributions using vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when using specific classful qdisc configurations (HFSC, DRR, etc.) with particular traffic control setups. The reproducer shows a specific multi-level qdisc configuration that triggers the issue.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash or potential privilege escalation to kernel-level code execution, resulting in complete system compromise.

🟠

Likely Case

System crash or kernel panic causing denial of service, requiring system reboot to restore functionality.

🟢

If Mitigated

Limited impact if proper access controls prevent local users from manipulating network traffic control settings.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Local users or processes with appropriate permissions could trigger the vulnerability, potentially causing system instability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

The CVE description includes a detailed reproducer using tc commands and socat. Exploitation requires local access and knowledge of traffic control configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing the fix commits: 103406b38c600fec1fe375a77b27d87e314aea09, 3b290923ad2b23596208c1e29520badef4356a43, 7874c9c132e906a52a187d045995b115973c93fb, a44acdd9e84a211989ff4b9b92bf3545d8456ad5, a553afd91f55ff39b1e8a1c4989a29394c9e0472

Vendor Advisory: https://git.kernel.org/stable/c/103406b38c600fec1fe375a77b27d87e314aea09

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commits. 2. Check your distribution's security advisories for specific patched kernel versions. 3. Reboot the system after kernel update.

🔧 Temporary Workarounds

Restrict tc command access

linux

Limit access to traffic control configuration tools to prevent unauthorized users from creating vulnerable qdisc configurations.

chmod 750 /sbin/tc
setfacl -m u:root:rwx /sbin/tc
Remove tc from non-admin user PATH

Avoid vulnerable qdisc configurations

linux

Avoid using the specific multi-level qdisc configurations shown in the reproducer, particularly combinations involving HFSC, DRR, netem, and blackhole.

🧯 If You Can't Patch

Implement strict access controls to prevent local users from executing tc commands or modifying network traffic control settings.
Monitor system logs for kernel panics or crashes and have incident response procedures ready for potential denial of service events.

🔍 How to Verify

Check if Vulnerable:

Check kernel version and compare with distribution security advisories. Examine if system uses complex traffic control configurations with multiple qdisc levels.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version includes the fix commits. Test the reproducer commands to ensure they no longer cause system instability.

📡 Detection & Monitoring

Log Indicators:

Kernel panic messages in /var/log/messages or dmesg
System crash reports
Unexpected system reboots

Network Indicators:

Unusual traffic control configuration changes
Multiple tc command executions by non-admin users

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "use-after-free") OR process="tc" AND user!="root"

📊 Metadata

CVE ID: CVE-2025-38350

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.02% exploit probability (3.5th percentile)

Published: July 19, 2025

Last Updated: December 16, 2025

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict tc command access

Avoid vulnerable qdisc configurations

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities