CVE-2025-38553: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-38553 is a vulnerability discovered in the Linux kernel's network scheduling (net/sched) component, specifically affecting the netem (Network Emulator) functionality. The vulnerability was disclosed on August 19, 2025, and impacts the duplication prevention logic in netem_enqueue when a netem resides in a qdisc tree with other netems (NVD).

The vulnerability stems from a flaw in netem's duplication-prevention logic that allows a duplicating netem to coexist with other netems in the same qdisc tree. This configuration can trigger recursive re-enqueueing, leading to soft lockups and Out-of-Memory (OOM) conditions. The issue has been assigned a CVSS v3.1 score of 4.4 with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (RedHat).

The vulnerability can result in soft lockups and Out-of-Memory (OOM) conditions in the Linux kernel. The impact is limited to Denial of Service (DoS) scenarios, as exploitation requires local privileged network configuration access (CAPNETADMIN on the host or inside a netns) (RedHat).

The vulnerability has been fixed by implementing restrictions that prevent a duplicating netem from inhabiting the same tree as other netems. The fix has been incorporated into Linux kernel version 6.16.3 and later. For affected systems, updates are available through distribution-specific kernel packages (Debian).