CVE-2025-38568

7.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in the Linux kernel's mqprio traffic control module allows writing 4 bytes beyond the allocated buffer when parsing network traffic control entries. This affects all Linux systems using the mqprio scheduler, potentially leading to kernel crashes or arbitrary code execution with kernel privileges.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution)
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when mqprio traffic control scheduler is configured or used. Requires CAP_NET_ADMIN capability to trigger.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root, kernel panic causing system crash, or remote code execution if combined with other vulnerabilities.

🟠

Likely Case

Kernel panic leading to denial of service (system crash) when malicious traffic control configurations are applied.

🟢

If Mitigated

Limited impact if the mqprio scheduler is not used, or if the kernel has hardening features such as stack canaries enabled.

🌐 Internet-Facing: LOW - Requires local access or ability to configure network traffic control rules.
🏢 Internal Only: MEDIUM - Local users or processes with CAP_NET_ADMIN capability can trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access with CAP_NET_ADMIN or root privileges to configure traffic control rules. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions containing commits: 39491e859fd4, 66fc2ebdd9d5, d00e4125680f, f1a9dbcb7d17, ffd2dc4c6c49

Vendor Advisory: https://git.kernel.org/stable/c/39491e859fd494d0b51adc5c7d54c8a7dcf1d198

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a patched version from your distribution vendor.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after the reboot.

🔧 Temporary Workarounds

Disable mqprio scheduler

linux

Remove or disable the mqprio traffic control scheduler if it is not needed

# Check whether the module is loaded
lsmod | grep sch_mqprio
# Unload it (rmmod fails while an mqprio qdisc is still attached to an interface; delete that qdisc first)
rmmod sch_mqprio
# Prevent it from being loaded again
echo 'blacklist sch_mqprio' >> /etc/modprobe.d/blacklist.conf

Restrict CAP_NET_ADMIN

linux

Limit which users and processes can configure network traffic control

# Capabilities are carried by processes and by binaries (file capabilities), not by users:
# drop CAP_NET_ADMIN from binaries that unprivileged users can run.
# setcap -r takes only a path and removes all file capabilities from that binary
setcap -r /path/to/binary
# Or use SELinux/AppArmor to restrict network configuration
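As an added example that is not part of this advisory, the script below turns the two workarounds into an exposure check. It assumes lsmod, tc qdisc show, the /etc/modprobe.d/*.conf files and /lib/modules/<release>/modules.builtin, and it distinguishes a blacklist entry (which per modprobe.d(5) only stops alias-based autoloading) from an install line, which also blocks loading the module by name.

```shell
#!/bin/sh
# Added example (not from the advisory): exposure check for CVE-2025-38568.
# Each check reads command output from stdin so the logic can be exercised
# offline; run with --live to feed in real lsmod, tc and modprobe.d output.

# 0 if `lsmod` output lists sch_mqprio as a loaded module.
mqprio_module_loaded() { grep -q '^sch_mqprio[[:space:]]'; }

# Prints the "dev" of every mqprio qdisc in `tc qdisc show` output.
# rmmod fails while any of these exist: delete the qdisc first
# (tc qdisc del dev <if> root), then unload the module.
mqprio_qdisc_devs() {
    awk '$1 == "qdisc" && $2 == "mqprio" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Classifies modprobe.d configuration read from stdin (see modprobe.d(5)):
#   install   - "install sch_mqprio /bin/false" blocks loading by name as well
#   blacklist - only stops alias-based autoloading; an explicit load still works
#   none      - nothing blocks the module
mqprio_block_status() {
    awk '
        $1 == "install"   && $2 == "sch_mqprio" { inst = 1 }
        $1 == "blacklist" && $2 == "sch_mqprio" { bl = 1 }
        END { s = inst ? "install" : (bl ? "blacklist" : "none"); print s }'
}

if [ "${1:-}" = "--live" ]; then
    # A built-in sch_mqprio cannot be unloaded or blocked through modprobe.d.
    if grep -q sch_mqprio "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null; then
        echo "sch_mqprio is built into this kernel: only a patched kernel removes it"
    fi
    lsmod | mqprio_module_loaded && echo "sch_mqprio module is loaded"
    tc qdisc show 2>/dev/null | mqprio_qdisc_devs | sed 's/^/mqprio qdisc on: /'
    echo "modprobe.d block status: $(cat /etc/modprobe.d/*.conf 2>/dev/null | mqprio_block_status)"
fi
```

A status of "blacklist" means the module can still be loaded by name, so add an install line if you rely on this workaround rather than a patched kernel.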

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from configuring traffic control rules
  • Deploy kernel hardening features like stack canaries and KASLR if not already enabled

🔍 How to Verify

Check if Vulnerable:

Check the kernel version and whether the mqprio module is loaded:

uname -r && lsmod | grep sch_mqprio

Check Version:

uname -r

Verify Fix Applied:

Run uname -r and check your distribution's kernel changelog to confirm the running kernel contains one of the fix commits listed above.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • Oops messages in dmesg
  • System crashes related to network configuration

Network Indicators:

  • Unusual traffic control configuration attempts
  • Multiple failed tc command executions

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "general protection fault") AND ("mqprio" OR "sch_mqprio" OR "tc")
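The SIEM query above, as an added example that is not part of this advisory, expressed as a shell pipeline over constructed dmesg-style lines. It tightens the "tc" term to a whole token, because as a bare substring it also matches "etc", "tcp" and "watchdog"; the sample lines and their content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): the SIEM query above as a pipeline over
# kernel log lines read from stdin (e.g. from dmesg or journalctl -k).
# "tc" is matched as a whole token so "etc", "tcp" and "watchdog" do not fire.
flag_mqprio_crash_lines() {
    grep -Ei 'panic|oops|general protection fault' \
        | grep -Ei 'sch_mqprio|mqprio|(^|[^a-z0-9_])tc([^a-z0-9_]|$)'
}

# The same query with "tc" as a bare substring, for comparison.
flag_naive() {
    grep -Ei 'panic|oops|general protection fault' | grep -Ei 'sch_mqprio|mqprio|tc'
}

# Number of lines a filter flagged (0 when nothing matched).
count_lines() { awk 'END { print NR }'; }

# Constructed sample lines in dmesg style; not real kernel output.
SAMPLE_LOG='[  120.0] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: mqprio_init+0x2f0/0x300 [sch_mqprio]
[  121.0] Oops: 0000 [#1] SMP NOPTI
[  121.1] RIP: 0010:mqprio_init+0x1a/0x40 [sch_mqprio]
[  130.0] general protection fault while adding tc qdisc on eth0
[  131.0] sysctl: kernel.panic=10 net.ipv4.tcp_syncookies=1 applied from /etc/sysctl.conf'

# The stack-protector panic and the tc qdisc fault are flagged; the bare Oops
# line names no module, and the sysctl line only contains "etc" and "tcp".
printf '%s\n' "$SAMPLE_LOG" | flag_mqprio_crash_lines
```

Note that a kernel Oops spreads over many lines and the module name usually appears on the "Modules linked in:" or RIP line rather than on the line with the keyword, so a SIEM that treats each line as a separate event will need the whole trace grouped into one event for this query to match.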
