{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-10T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: sched: fix ets qdisc OOB Indexing",
    "id" : "2344686",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2344686"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: sched: fix ets qdisc OOB Indexing\nHaowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can\nindex an Out-Of-Bound class in ets_class_from_arg() when passed clid of\n0. The overflow may cause local privilege escalation.\n[   18.852298] ------------[ cut here ]------------\n[   18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20\n[   18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]'\n[   18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17\n[   18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n[   18.856532] Call Trace:\n[   18.857441]  <TASK>\n[   18.858227]  dump_stack_lvl+0xc2/0xf0\n[   18.859607]  dump_stack+0x10/0x20\n[   18.860908]  __ubsan_handle_out_of_bounds+0xa7/0xf0\n[   18.864022]  ets_class_change+0x3d6/0x3f0\n[   18.864322]  tc_ctl_tclass+0x251/0x910\n[   18.864587]  ? lock_acquire+0x5e/0x140\n[   18.865113]  ? __mutex_lock+0x9c/0xe70\n[   18.866009]  ? __mutex_lock+0xa34/0xe70\n[   18.866401]  rtnetlink_rcv_msg+0x170/0x6f0\n[   18.866806]  ? __lock_acquire+0x578/0xc10\n[   18.867184]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10\n[   18.867503]  netlink_rcv_skb+0x59/0x110\n[   18.867776]  rtnetlink_rcv+0x15/0x30\n[   18.868159]  netlink_unicast+0x1c3/0x2b0\n[   18.868440]  netlink_sendmsg+0x239/0x4b0\n[   18.868721]  ____sys_sendmsg+0x3e2/0x410\n[   18.869012]  ___sys_sendmsg+0x88/0xe0\n[   18.869276]  ? rseq_ip_fixup+0x198/0x260\n[   18.869563]  ? rseq_update_cpu_node_id+0x10a/0x190\n[   18.869900]  ? trace_hardirqs_off+0x5a/0xd0\n[   18.870196]  ? syscall_exit_to_user_mode+0xcc/0x220\n[   18.870547]  ? do_syscall_64+0x93/0x150\n[   18.870821]  ? __memcg_slab_free_hook+0x69/0x290\n[   18.871157]  __sys_sendmsg+0x69/0xd0\n[   18.871416]  __x64_sys_sendmsg+0x1d/0x30\n[   18.871699]  x64_sys_call+0x9e2/0x2670\n[   18.871979]  do_syscall_64+0x87/0x150\n[   18.873280]  ? do_syscall_64+0x93/0x150\n[   18.874742]  ? lock_release+0x7b/0x160\n[   18.876157]  ? do_user_addr_fault+0x5ce/0x8f0\n[   18.877833]  ? irqentry_exit_to_user_mode+0xc2/0x210\n[   18.879608]  ? irqentry_exit+0x77/0xb0\n[   18.879808]  ? clear_bhb_loop+0x15/0x70\n[   18.880023]  ? clear_bhb_loop+0x15/0x70\n[   18.880223]  ? clear_bhb_loop+0x15/0x70\n[   18.880426]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   18.880683] RIP: 0033:0x44a957\n[   18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10\n[   18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n[   18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957\n[   18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003\n[   18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0\n[   18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001\n[   18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001\n[   18.888395]  </TASK>\n[   18.888610] ---[ end trace ]---" ],
  "statement" : "The bug could happen only if The Enhanced Transmission Selection scheduler being used (as part of qdisc). This module being supported only in latest versions of Red Hat Enterprise Linux 9 and higher, so not affected before. The security impact is limited (selected Moderate), because only privileged user can enable this scheduler (and it is disabled by default).",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21692\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21692\nhttps://lore.kernel.org/linux-cve-announce/2025021056-CVE-2025-21692-9c7f@gregkh/T" ],
  "name" : "CVE-2025-21692",
  "mitigation" : {
    "value" : "To mitigate this issue, prevent module sch_ets from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.",
    "lang" : "en:us"
  },
  "csaw" : false
}