
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-37915 is a vulnerability discovered in the Linux kernel affecting the net_sched subsystem, specifically in the Deficit Round Robin (DRR) queueing discipline. The vulnerability was disclosed on May 20, 2025, and involves a double list addition issue when using netem as a child qdisc (Wiz Database).
The vulnerability occurs when a netem child qdisc makes the parent qdisc's enqueue callback reentrant. In the DRR implementation, the re-entered enqueue and the outer enqueue each decide independently that the class has just become active, so the same classifier is added to the active list twice, resulting in memory corruption. The vulnerability has been assigned a CVSS v3.1 score with the vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H: local access with low privileges is required, attack complexity is high, there is no confidentiality impact, and the integrity and availability impacts are high (Red Hat Portal).
The vulnerability can cause memory corruption in the Linux kernel when using specific network traffic control (tc) configurations that combine DRR queueing discipline with netem as a child qdisc. While this doesn't cause a Use-After-Free (UAF) condition, it does lead to memory corruption due to the double list addition (Wiz Database).
A patch has been implemented that adds an additional check before adding a class to the active list. Rather than relying only on the child qdisc's qlen having been zero before the enqueue, the fix also verifies that the class is not already on the active list (`cl_is_active()`), which prevents the double list addition in reentrant cases. For the Debian stable distribution (bookworm), these problems have been fixed in version 6.1.140-1 (Debian Security).
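The following user-space model illustrates the mechanism described above: a child qdisc that hands a packet back to the root qdisc before updating its own qlen, so the re-entered parent still sees an empty child and links the class, after which the outer call links it a second time. This is an added example, not kernel code and not part of this report; the list helpers mimic the semantics of the kernel's list.h, and `drr_sched`, `child_enqueue`, `active_list_count` and `run_scenario` are simplified stand-ins chosen for the model. The `cl_is_active()` check is implemented here as "the class's list link is non-empty", which is the condition the fix description names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: user-space model of the DRR active-list handling, not kernel code. */

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Unchecked insertion before head, the way list_add_tail behaves. */
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

struct drr_class {
	struct list_head alist;	/* link on the scheduler's active list */
	unsigned int qlen;	/* packets held by the child qdisc */
	unsigned int quantum;
	unsigned int deficit;
};

struct drr_sched {			/* hypothetical stand-in for the scheduler state */
	struct list_head active;
	struct drr_class cl;
	bool reentrant_child;	/* model a netem-like child re-entering the parent */
	bool fixed;		/* apply the cl_is_active() check */
	int depth;		/* enqueue nesting depth, for the model only */
};

/* The check the fix adds: a class already linked must not be linked again. */
static bool cl_is_active(const struct drr_class *cl)
{
	return !list_empty(&cl->alist);
}

static void drr_enqueue(struct drr_sched *q);

/*
 * Child qdisc stand-in. In the reentrant case the packet is handed back to
 * the root qdisc BEFORE the child's qlen is bumped, so the re-entered parent
 * still observes an empty child.
 */
static void child_enqueue(struct drr_sched *q)
{
	if (q->reentrant_child && q->depth == 1)
		drr_enqueue(q);
	q->cl.qlen++;
}

static void drr_enqueue(struct drr_sched *q)
{
	struct drr_class *cl = &q->cl;
	bool first;

	q->depth++;
	first = !cl->qlen;	/* decided before the child runs */
	child_enqueue(q);	/* may re-enter drr_enqueue() */

	/* Unfixed: "first" alone decides. Fixed: the class must also be unlinked. */
	if (first && (!q->fixed || !cl_is_active(cl))) {
		list_add_tail(&cl->alist, &q->active);
		cl->deficit = cl->quantum;
	}
	q->depth--;
}

/*
 * Bounded walk of the active list. Returns how many times the class is linked,
 * or -1 if the walk never returns to the head: the double add turns the single
 * node into a self-loop, so a plain iteration would never terminate.
 */
static int active_list_count(const struct drr_sched *q)
{
	const struct list_head *p = q->active.next;
	int count = 0, steps = 0;

	while (p != &q->active) {
		if (p == &q->cl.alist)
			count++;
		if (++steps > 8)
			return -1;
		p = p->next;
	}
	return count;
}

/* Enqueue one packet through the model and report the active-list state. */
static int run_scenario(bool reentrant_child, bool fixed)
{
	struct drr_sched q = { .reentrant_child = reentrant_child, .fixed = fixed };

	list_init(&q.active);
	list_init(&q.cl.alist);	/* the emptiness check needs an initialised link */
	q.cl.quantum = 1500;
	drr_enqueue(&q);
	return active_list_count(&q);
}

int main(void)
{
	printf("plain child         : %d\n", run_scenario(false, false));
	printf("reentrant, unfixed  : %d\n", run_scenario(true, false));
	printf("reentrant, fixed    : %d\n", run_scenario(true, true));
	return 0;
}
```

With a plain child the class is linked once. With the reentrant child and no check, the second `list_add_tail` makes the node point at itself and the bounded walk reports -1; a real dequeue loop over such a list would spin or dereference stale pointers, which is the memory corruption the advisory describes. With the `cl_is_active()` check the outer call skips the second insertion and the list holds the class exactly once.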
Source: This report was generated using AI