CVE-2025-37913: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-37913 is a vulnerability discovered in the Linux kernel's network scheduling component, specifically in the QFQ (Quick Fair Queueing) scheduler. The vulnerability was disclosed on May 20, 2025, affecting the Linux kernel's network traffic control subsystem (NVD, Red Hat).

The vulnerability occurs in the QFQ scheduler when handling netem (Network Emulator) as a child qdisc. The issue arises when a netem child qdisc makes the parent qdisc's enqueue callback reentrant, causing the same classifier to be added to the list twice. This double addition leads to memory corruption. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H and is categorized under CWE-367 (Red Hat).

The vulnerability can result in memory corruption in the Linux kernel. While it doesn't lead to Use-After-Free (UAF) conditions, the double list addition can compromise system stability and potentially lead to privilege escalation or denial of service (NVD).

A patch has been developed that checks whether the class was already added to the agg->active list (clisactive) before performing the addition, addressing the reentrant case. The fix has been included in various Linux distributions, including Debian's version 6.1.140-1 (Debian).