CVE-2025-38350: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38350 is a vulnerability discovered in Red Hat Enterprise Linux's CBS Packet Scheduling system. The vulnerability was identified on July 19, 2025, and affects the Linux kernel's network scheduling functionality (NVD).

The vulnerability exists within the handling of hfscclass objects in the Linux kernel's network scheduler. The specific flaw stems from the lack of validation for object existence prior to performing operations, which can lead to a use-after-free condition. The issue occurs when certain classful qdiscs invoke their classes' dequeue handler during an enqueue operation, potentially emptying the child qdisc and making an in-flight class passive via qlennotify(). The vulnerability has been assigned a CVSS v3.0 score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (ZDI).

An attacker who successfully exploits this vulnerability can escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute low-privileged code on the target system (ZDI).

Red Hat has issued an update to correct this vulnerability. The fix ensures that qdisctreereducebacklog always calls qlennotify when the child qdisc is empty, addressing the use-after-free condition. The patch has been integrated into the Linux kernel (ZDI).

The vulnerability was discovered by Gerrard Tai of STAR Labs SG Pte. Ltd. and was disclosed through the Pwn2Own competition. The disclosure timeline indicates responsible handling, with the vulnerability being reported to the vendor on May 29, 2025, and a coordinated public release on July 24, 2025 (ZDI).