CVE-2025-21702: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's pfifo_tail_enqueue function has been discovered and resolved. The issue occurs when sch->limit is set to 0, allowing a packet to be incorrectly enqueued instead of being dropped, leading to a mismatch between parent and child qdisc queue lengths. This vulnerability was discovered on February 18, 2025, and affects the Linux kernel network scheduling subsystem (NVD).

The vulnerability exists in the pfifo_tail_enqueue function's packet handling logic. When sch->limit is set to 0 and the scheduler has no packets, the 'drop a packet' step fails to decrease the scheduler's qlen, allowing a new packet to be enqueued and increasing qlen by one while returning NET_XMIT_CN status code. This creates a scenario where a parent qdisc (Qdisc_A) can have qlen == 0 while its child qdisc (Qdisc_B) has qlen == 1, violating the design principle that a parent's qlen should equal the sum of its children's qlen (Kernel Commit).

The vulnerability can be exploited for user-to-kernel privilege escalation when the affected code path is reachable. This allows unauthorized elevation of privileges, potentially compromising system security (NVD).

The vulnerability has been patched by adding a check to immediately drop new packets when sch->limit is 0. The fix was implemented in the Linux kernel through a patch that modifies the pfifo_tail_enqueue function to properly handle the case when sch->limit is 0 (Kernel Commit).