Description

In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for type 'ets_class [16]' [ 18.854254] CPU: 0 UID: 0 PID: 1275 Comm: poc Not tainted 6.12.6-dirty #17 [ 18.854821] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 18.856532] Call Trace: [ 18.857441] <TASK> [ 18.858227] dump_stack_lvl+0xc2/0xf0 [ 18.859607] dump_stack+0x10/0x20 [ 18.860908] __ubsan_handle_out_of_bounds+0xa7/0xf0 [ 18.864022] ets_class_change+0x3d6/0x3f0 [ 18.864322] tc_ctl_tclass+0x251/0x910 [ 18.864587] ? lock_acquire+0x5e/0x140 [ 18.865113] ? __mutex_lock+0x9c/0xe70 [ 18.866009] ? __mutex_lock+0xa34/0xe70 [ 18.866401] rtnetlink_rcv_msg+0x170/0x6f0 [ 18.866806] ? __lock_acquire+0x578/0xc10 [ 18.867184] ? __pfx_rtnetlink_rcv_msg+0x10/0x10 [ 18.867503] netlink_rcv_skb+0x59/0x110 [ 18.867776] rtnetlink_rcv+0x15/0x30 [ 18.868159] netlink_unicast+0x1c3/0x2b0 [ 18.868440] netlink_sendmsg+0x239/0x4b0 [ 18.868721] ____sys_sendmsg+0x3e2/0x410 [ 18.869012] ___sys_sendmsg+0x88/0xe0 [ 18.869276] ? rseq_ip_fixup+0x198/0x260 [ 18.869563] ? rseq_update_cpu_node_id+0x10a/0x190 [ 18.869900] ? trace_hardirqs_off+0x5a/0xd0 [ 18.870196] ? syscall_exit_to_user_mode+0xcc/0x220 [ 18.870547] ? do_syscall_64+0x93/0x150 [ 18.870821] ? __memcg_slab_free_hook+0x69/0x290 [ 18.871157] __sys_sendmsg+0x69/0xd0 [ 18.871416] __x64_sys_sendmsg+0x1d/0x30 [ 18.871699] x64_sys_call+0x9e2/0x2670 [ 18.871979] do_syscall_64+0x87/0x150 [ 18.873280] ? do_syscall_64+0x93/0x150 [ 18.874742] ? lock_release+0x7b/0x160 [ 18.876157] ? do_user_addr_fault+0x5ce/0x8f0 [ 18.877833] ? irqentry_exit_to_user_mode+0xc2/0x210 [ 18.879608] ? irqentry_exit+0x77/0xb0 [ 18.879808] ? clear_bhb_loop+0x15/0x70 [ 18.880023] ? clear_bhb_loop+0x15/0x70 [ 18.880223] ? clear_bhb_loop+0x15/0x70 [ 18.880426] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 18.880683] RIP: 0033:0x44a957 [ 18.880851] Code: ff ff e8 fc 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 8974 24 10 [ 18.881766] RSP: 002b:00007ffcdd00fad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 18.882149] RAX: ffffffffffffffda RBX: 00007ffcdd010db8 RCX: 000000000044a957 [ 18.882507] RDX: 0000000000000000 RSI: 00007ffcdd00fb70 RDI: 0000000000000003 [ 18.885037] RBP: 00007ffcdd010bc0 R08: 000000000703c770 R09: 000000000703c7c0 [ 18.887203] R10: 0000000000000080 R11: 0000000000000246 R12: 0000000000000001 [ 18.888026] R13: 00007ffcdd010da8 R14: 00000000004ca7d0 R15: 0000000000000001 [ 18.888395] </TASK> [ 18.888610] ---[ end trace ]---

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  7.8 HIGH

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5	Patch
https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a	Patch
https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7	Patch
https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa	Patch
https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb	Patch
https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d	Patch
https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-129	Improper Validation of Array Index	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Configuration 1 ( hide )

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 5.6	Up to (excluding) 5.10.234
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 5.11	Up to (excluding) 5.15.178
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 5.16	Up to (excluding) 6.1.128
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 6.2	Up to (excluding) 6.6.75
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    Show Matching CPE(s)	From (including) 6.7	Up to (excluding) 6.12.12
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*    Show Matching CPE(s)
cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*    Show Matching CPE(s)

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Initial Analysis by NIST 2/21/2025 10:59:44 AM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-129
Added	CPE Configuration		Record truncated, showing 500 of 986 characters. View Entire Change Record OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.6 up to (excluding) 5.10.234 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.178 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.128 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.75 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (
Changed	Reference Type	https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5 No Types Assigned	https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a No Types Assigned	https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a Patch
Changed	Reference Type	https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7 No Types Assigned	https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa No Types Assigned	https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa Patch
Changed	Reference Type	https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb No Types Assigned	https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d No Types Assigned	https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0 No Types Assigned	https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0 Patch

New CVE Received from kernel.org 2/10/2025 11:15:38 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 3219 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: net: sched: fix ets qdisc OOB Indexing Haowei Yan <g1042620637@gmail.com> found that ets_class_from_arg() can index an Out-Of-Bound class in ets_class_from_arg() when passed clid of 0. The overflow may cause local privilege escalation. [ 18.852298] ------------[ cut here ]------------ [ 18.853271] UBSAN: array-index-out-of-bounds in net/sched/sch_ets.c:93:20 [ 18.853743] index 18446744073709551615 is out of range for
Added	Reference		https://git.kernel.org/stable/c/03c56665dab1f4ac844bc156652d50d639093fa5
Added	Reference		https://git.kernel.org/stable/c/1332c6ed446be787f901ed1064ec6a3c694f028a
Added	Reference		https://git.kernel.org/stable/c/997f6ec4208b23c87daf9f044689685f091826f7
Added	Reference		https://git.kernel.org/stable/c/bcf0d815e728a3a304b50455b32a3170c16e1eaa
Added	Reference		https://git.kernel.org/stable/c/d62b04fca4340a0d468d7853bd66e511935a18cb
Added	Reference		https://git.kernel.org/stable/c/f4168299e553f17aa2ba4016e77a9c38da40eb1d
Added	Reference		https://git.kernel.org/stable/c/f6b0f05fbfa4044f890e8a348288c0d9a20bd1d0