CVE-2025-37890: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37890 is a Use-After-Free (UAF) vulnerability discovered in the Linux kernel's network scheduler component, specifically affecting the HFSC (Hierarchical Fair Service Curve) queueing discipline when used with a netem child qdisc. The vulnerability was identified and publicly disclosed on May 16, 2025, affecting multiple Linux distributions including Debian and Ubuntu systems (NVD, Wiz).

The vulnerability occurs when an HFSC class has a netem child qdisc. The core issue stems from an incorrect assumption in the code where checking cl->qdisc->q.qlen == 0 is presumed to guarantee that the class hasn't been inserted in the vttree or eltree, which proves incorrect in the netem duplicate case. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating moderate severity (Red Hat).

The vulnerability affects multiple Linux distributions including Debian's bullseye, bookworm, trixie, and sid releases, as well as various Ubuntu versions from 20.04 LTS to 25.04. The issue could potentially lead to memory corruption and system instability in affected systems (Wiz, Ubuntu).

A patch has been developed that checks the n_active class variable to ensure the code won't insert the class in the vttree or eltree twice, addressing the reentrant case. For the Debian stable distribution (bookworm), these problems have been fixed in version 6.1.140-1 (Debian, NVD).