CVE-2025-37797: 
Linux Kernel vulnerability analysis and mitigation

A Use-After-Free (UAF) vulnerability was discovered in the Linux kernel's HFSC qdisc class handling mechanism, identified as CVE-2025-37797. The vulnerability was disclosed on May 02, 2025, affecting the Linux kernel's network scheduling component, specifically the Hierarchical Fair Service Curve (HFSC) queuing discipline (NVD, Wiz).

The vulnerability stems from a time-of-check/time-of-use (TOCTOU) condition in the hfsc_change_class() function when interacting with certain child qdiscs like netem or codel. The vulnerability occurs in a specific sequence where hfsc_change_class() checks if a class has packets, then calls qdisc_peek_len(), which might drop packets and empty the queue. The code continues assuming the queue is still non-empty, adding the class to vttree, which breaks HFSC scheduler assumptions. According to Red Hat's assessment, this vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (Red Hat).

When exploited, this vulnerability can lead to a Use-After-Free condition when the class is destroyed, potentially causing system instability or crashes. The vulnerability affects multiple Linux distributions and versions, including various releases of Debian's Linux packages (Wiz).

A fix has been implemented that adds a second queue length check after qdisc_peek_len() to verify the queue wasn't emptied. This ensures that the HFSC scheduler's assumptions about non-empty classes in vttree remain valid (NVD).