CVE-2025-38684

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's Enhanced Transmission Selection (ETS) queuing discipline allows local attackers to cause a kernel panic and system crash. This affects systems using the sch_ets module for traffic shaping, primarily Linux servers and network appliances. The vulnerability requires local access to trigger via specific tc command operations.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions containing the vulnerable ets_qdisc_change() function up to the fix. Specific affected versions include those around 6.12.0-116.el10.x86_64 as shown in the crash report.
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the sch_ets module is loaded and ETS queuing is configured. Not all systems use this traffic shaping feature.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local denial of service causing kernel panic and system crash, potentially leading to service disruption and data loss if unsaved data is in memory.

🟠 Likely Case

Local denial of service causing system instability or crash when specific tc commands are executed on systems with ETS queuing configured.

🟢 If Mitigated

Minimal impact if proper access controls prevent unauthorized local users from executing tc commands or if ETS queuing is not in use.

🌐 Internet-Facing: LOW - Requires local access to trigger, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users with sufficient privileges can cause system crashes, but requires specific configuration and command execution.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and knowledge of specific tc command sequences to trigger the NULL pointer dereference. The crash report shows the exact call path through ets_class_qlen_notify().

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel versions with commit 5b3b346bc4c2aa2c428735438a11989d251f32f1 or later

Vendor Advisory: https://git.kernel.org/stable/c/5b3b346bc4c2aa2c428735438a11989d251f32f1

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fix commit
2. Reboot system to load new kernel
3. Verify sch_ets module loads without issues

🔧 Temporary Workarounds

Disable ETS queuing

all

Remove or disable Enhanced Transmission Selection queuing configurations to prevent triggering the vulnerability

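# Remove ETS qdisc configurations (deletes the root qdisc on that interface)
tc qdisc del dev <interface> root
# Unload sch_ets module if not needed; the kernel can auto-load it again
# the next time an ETS qdisc is created
rmmod sch_ets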

Restrict tc command access

all

Limit which users can execute traffic control commands to prevent exploitation

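# Set permissions on tc binary (owner and group only)
chmod 750 /sbin/tc
# Use sudoers to restrict access to the networkadmin group
echo '%networkadmin ALL=(ALL) NOPASSWD: /sbin/tc' > /etc/sudoers.d/tc-restrict
# Validate the new sudoers fragment before relying on it
visudo -cf /etc/sudoers.d/tc-restrict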

🧯 If You Can't Patch

  • Ensure only trusted users have local access to systems
  • Monitor for crash reports related to ets_class_qlen_notify or kernel NULL pointer dereferences

🔍 How to Verify

Check if Vulnerable:

Check if sch_ets module is loaded and kernel version is before the fix: lsmod | grep sch_ets && uname -r

Check Version:

uname -r

Verify Fix Applied:

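Verify kernel version includes fix commit. /boot/config-$(uname -r) lists build options, not commit IDs, so check the kernel package changelog for the CVE instead (RPM-based systems such as the el10 kernel above; the kernel-core package name is an assumption): rpm -q --changelog "kernel-core-$(uname -r)" | grep -q 'CVE-2025-38684' && echo 'Fixed' || echo 'Check kernel source'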

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages mentioning ets_class_qlen_notify
  • NULL pointer dereference errors in kernel logs
  • System crash reports with sch_ets in call stack

Network Indicators:

  • Unusual tc command execution patterns
  • Sudden network interface reconfiguration

SIEM Query:

source="kernel" AND ("NULL pointer dereference" OR "ets_class_qlen_notify" OR "sch_ets")
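
The query above ORs its terms, so it also matches any NULL pointer dereference on a host that merely has sch_ets loaded. As an added example (not part of the original advisory), this shell function reports only oopses with a stack frame inside sch_ets; the log lines, timestamps, offsets and the example_mod module are constructed.

```shell
#!/bin/sh
# Added example: report NULL-deref oopses whose trace runs through sch_ets.
# Reads kernel log text on stdin and prints the first line of each match.
find_ets_oops() {
    awk '
        # Print the oops header if the block held a frame from sch_ets.
        function emit() { if (in_oops && ets) print header; in_oops = 0; ets = 0 }

        # A new oops starts here; close any block the log left unterminated.
        /BUG: kernel NULL pointer dereference/ { emit(); in_oops = 1; header = $0; next }

        # Stack frames carry the module in brackets. "Modules linked in:"
        # lists sch_ets without brackets, so that line alone never matches.
        in_oops && /ets_class_qlen_notify|\[sch_ets\]/ { ets = 1 }

        in_oops && /---\[ end trace/ { emit() }

        # A crash can cut the log before the end marker is written.
        END { emit() }
    '
}

# Constructed sample: one oops through sch_ets, one unrelated oops on a
# host that only has sch_ets loaded.
sample_log() {
cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] Modules linked in: sch_ets dummy
[  101.000003] Call Trace:
[  101.000004]  ets_class_qlen_notify+0x0/0x0 [sch_ets]
[  101.000005]  ets_qdisc_change+0x0/0x0 [sch_ets]
[  101.000006] ---[ end trace 0000000000000000 ]---
[  202.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  202.000002] Modules linked in: sch_ets dummy
[  202.000003] Call Trace:
[  202.000004]  example_other_fn+0x0/0x0 [example_mod]
[  202.000005] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | find_ets_oops
```

On a live host, feed it `journalctl -k` or `dmesg` output instead of the sample.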
