Linux kernel: race condition in Linux kernel net_sched prio_tune (CVE-2025-38083) #shorts

Summary

Welcome to Tech Pulse. Today we’re discussing CVE-2025-38083, a critical race condition in the Linux kernel’s network scheduler. Discovered by Gerrard Tai, this flaw allows attackers to manipulate queue lengths by exploiting a timing window in the PRIO queue discipline. It was publicly disclosed on June 20, 2025, and patches have been released by major Linux vendors.

Product details

This vulnerability affects the Linux kernel from version 5.0 onward in its default configuration (the CVE record at the end of this page lists the first fixed release of each stable branch), as shipped in many distributions prior to the fix commits. Ubuntu 24.04 addressed it in USN-7681-3, Oracle Linux issued a kernel security update, and SUSE included patches in their recent kernel maintenance releases. Any system running an unpatched kernel from the 5.0 branch onward, or a custom build within the vulnerable commit range, is at risk.

Vulnerability type summary

CVE-2025-38083 is a classic race condition in the net_sched subsystem, specifically in the prio_tune function of the PRIO queuing discipline. Race conditions occur when two threads or CPUs access shared data without proper synchronization, leading to unpredictable behavior that can be abused by attackers.

Details of the vulnerability

In the vulnerable code path, CPU 0 locks the root qdisc, calls qdisc_tree_flush_backlog() to subtract the old child's packet count from its parents, and then unlocks while the child's packets are still queued. If the SFQ perturb timer fires on CPU 1 in that window, it takes the same lock, rehashes and calls qdisc_tree_reduce_backlog() for the packets it drops, subtracting packets that CPU 0 has already accounted for; only afterwards does CPU 0 finish with qdisc_put(). The double subtraction can underflow the parent queue's length counter, potentially leading to denial of service or packet loss. The patch replaces qdisc_tree_flush_backlog() with qdisc_purge_queue(), which removes all packets from the child under the same lock, so nothing remains for the timer to subtract and the race window is closed.
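As an added illustration (not kernel code and not part of the original page), the following user-space C model replays the interleaving [1] to [7] from the upstream commit message as a sequential script rather than with real threads, so the outcome is deterministic. The structures and helpers (model_qdisc, tree_reduce_backlog, tree_flush_backlog, purge_queue, perturb_rehash, replay) are simplified stand-ins for the kernel's qdisc API and are assumptions of this model; in particular it assumes the rehash drops the child's remaining packets and reports them to the parent. It shows why subtracting the child's count without emptying the child lets the timer path subtract the same packets a second time, wrapping the unsigned parent counter, and why purging under the lock leaves nothing to subtract twice.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified stand-in for struct Qdisc: only the packet count and the parent
 * link matter for the accounting race (assumption of this model). */
struct model_qdisc {
    unsigned int qlen;            /* packets queued, like sch->q.qlen */
    struct model_qdisc *parent;   /* NULL for the root qdisc */
};

/* Model of qdisc_tree_reduce_backlog(): subtract n packets from every
 * ancestor. The counter is unsigned, so subtracting more than was ever
 * accounted wraps around instead of going negative. */
static void tree_reduce_backlog(struct model_qdisc *q, unsigned int n)
{
    for (struct model_qdisc *p = q->parent; p != NULL; p = p->parent)
        p->qlen -= n;
}

/* Model of the vulnerable helper qdisc_tree_flush_backlog(): adjusts the
 * ancestors for the child's current count but leaves the packets queued;
 * they are only dropped later when qdisc_put() releases the child. */
static void tree_flush_backlog(struct model_qdisc *q)
{
    tree_reduce_backlog(q, q->qlen);
}

/* Model of the fixed helper qdisc_purge_queue(): empty the child first
 * (qdisc_reset), then adjust the ancestors, all while the lock is held. */
static void purge_queue(struct model_qdisc *q)
{
    unsigned int n = q->qlen;
    q->qlen = 0;
    tree_reduce_backlog(q, n);
}

/* Model of the SFQ perturb timer path ([5]-[7]): the rehash drops packets
 * from the child and reports them up the tree. The model assumes it drops
 * everything that is still queued. */
static void perturb_rehash(struct model_qdisc *sfq)
{
    unsigned int dropped = sfq->qlen;
    sfq->qlen = 0;
    tree_reduce_backlog(sfq, dropped);
}

/* Replay the interleaving from the commit message with `queued` packets in
 * the SFQ child. Returns the root's qlen afterwards: 0 means the accounting
 * stayed consistent, anything else is the wrapped (underflowed) counter. */
unsigned int replay(int use_purge, unsigned int queued)
{
    struct model_qdisc root = { queued, NULL };
    struct model_qdisc sfq  = { queued, &root };

    /* [1] CPU 0 takes the root lock, [2] runs the flush or the purge */
    if (use_purge)
        purge_queue(&sfq);
    else
        tree_flush_backlog(&sfq);
    /* [3] CPU 0 releases the lock; [5]-[7] the timer runs on CPU 1 */
    perturb_rehash(&sfq);
    /* [4] CPU 0 finally drops the old child; nothing left to account for */
    sfq.qlen = 0;
    return root.qlen;
}

int main(void)
{
    printf("vulnerable flush path: root qlen = %u\n", replay(0, 3));
    printf("fixed purge path:      root qlen = %u\n", replay(1, 3));
    return 0;
}
```

Compiled and run as-is, the flush path reports a root qlen wrapped to just below UINT_MAX while the purge path reports 0; the difference is exactly the "all packets will be purged from the qdisc before releasing the lock" argument from the commit message.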

Conclusion

To protect your systems, apply the updated kernel released by your distribution—Ubuntu’s USN-7681-3, Oracle Linux’s security update, or SUSE’s kernel patch. If you maintain custom kernels on version 5.0, merge the upstream commits that switch to qdisc_purge_queue(). Regularly review your kernel version and update promptly to stay ahead of critical race conditions like CVE-2025-38083.

Watch the full video on YouTube: CVE-2025-38083

Remediation and exploitation details

This chain involves the following actors

  • Local Privileged User: Initiates the race condition exploit to underflow the queue length

The following systems are involved

  • Linux Kernel (Network packet scheduling): Host operating system containing the vulnerable code in the PRIO scheduler
  • PRIO Queueing Discipline (Enforce priority-based packet scheduling on an interface): Component where the race in prio_tune() can be triggered

Attack entry point

  • Traffic Control Utility (tc): User-level tool to attach, configure or remove the PRIO scheduler and its classes via netlink

Remediation actions

  • System Administrator, on the Linux Kernel: Apply the upstream patch in kernel 6.16-rc2 or later
  • System Administrator, on the Operating System: Install distribution updates (for example Ubuntu USN-7681-3 or SUSE kernel update)
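As an added helper (not from the page, the kernel project or any vendor), the following C program classifies a kernel version string against the first fixed release of each stable branch listed in the CVE record at the bottom of this page (5.4.295, 5.10.239, 5.15.186, 6.1.142, 6.6.94, 6.12.34, 6.15.3 and 6.16). The function names (check_kernel, parse_version, status_name) and the sample strings are constructed for this example. It deliberately refuses to judge vendor kernels such as Ubuntu's, whose uname string keeps an older upstream number while the fix is backported; for those the distribution advisory (USN-7681-3 on Ubuntu) is the authority.

```c
#include <stdio.h>
#include <string.h>

/* Result codes returned by check_kernel(). */
enum kernel_status {
    KERNEL_UNDETERMINED = -1,  /* vendor/rc suffix or unparsable string */
    KERNEL_AFFECTED = 0,
    KERNEL_NOT_AFFECTED = 1
};

struct fixed_release { int major, minor, patch; };

/* First upstream release of each stable branch that carries the fix, taken
 * from the CVE record's unaffected ranges. Mainline 6.16 and later are
 * handled separately below. */
static const struct fixed_release fixed_releases[] = {
    {5, 4, 295}, {5, 10, 239}, {5, 15, 186}, {6, 1, 142},
    {6, 6, 94}, {6, 12, 34}, {6, 15, 3},
};

/* Parse the leading "major.minor[.patch]" of a version string. Returns 1 on
 * success; a missing patch level is read as 0. */
static int parse_version(const char *s, int *maj, int *min, int *pat)
{
    *pat = 0;
    return sscanf(s, "%d.%d.%d", maj, min, pat) >= 2;
}

/* Classify a `uname -r` style string against the upstream fixed releases.
 * Strings with a '-' suffix (e.g. "6.8.0-45-generic", "6.16.0-rc1") are
 * distribution or release-candidate kernels whose upstream number says
 * nothing about backports, so they are reported as undetermined. */
enum kernel_status check_kernel(const char *release)
{
    int maj, min, pat;

    if (!parse_version(release, &maj, &min, &pat))
        return KERNEL_UNDETERMINED;
    if (strchr(release, '-') != NULL)
        return KERNEL_UNDETERMINED;
    if (maj < 5)                               /* record: 0 <= v < 5.0 unaffected */
        return KERNEL_NOT_AFFECTED;
    if (maj > 6 || (maj == 6 && min >= 16))    /* record: 6.16 onward unaffected */
        return KERNEL_NOT_AFFECTED;
    for (size_t i = 0; i < sizeof fixed_releases / sizeof fixed_releases[0]; i++) {
        if (fixed_releases[i].major == maj && fixed_releases[i].minor == min)
            return pat >= fixed_releases[i].patch ? KERNEL_NOT_AFFECTED
                                                  : KERNEL_AFFECTED;
    }
    /* A 5.0+ branch with no listed fixed release (for example an end-of-life
     * branch such as 6.8) stays affected according to the record. */
    return KERNEL_AFFECTED;
}

static const char *status_name(enum kernel_status s)
{
    return s == KERNEL_NOT_AFFECTED ? "not affected"
         : s == KERNEL_AFFECTED     ? "AFFECTED, update required"
         : "undetermined, check your vendor advisory";
}

int main(int argc, char **argv)
{
    /* Constructed sample strings; pass the output of `uname -r` as argv[1]
     * to check the running kernel instead. */
    const char *samples[] = { "6.6.93", "6.6.94", "5.10.238", "6.8.12",
                              "6.16.0", "4.19.300", "6.8.0-45-generic" };
    size_t n = sizeof samples / sizeof samples[0];

    if (argc > 1) {
        samples[0] = argv[1];
        n = 1;
    }
    for (size_t i = 0; i < n; i++)
        printf("%-20s %s\n", samples[i], status_name(check_kernel(samples[i])));
    return 0;
}
```

Run it with `./check "$(uname -r)"` on a self-built kernel; an "undetermined" result on a distribution kernel is the intended answer, not a failure, and means the vendor's advisory decides.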

Exploitation actions

Concurrent invocation of backlog flush and queue release around the scheduler’s perturbation timer

Local Privileged User, on the Linux Kernel:
  • Step 1: Attach a PRIO queueing discipline to a network interface (for example eth0) and add a stochastic fair queueing class under one of its bands.
  • Step 2: Spawn two threads or processes: Process A will issue a backlog-flush call, Process B will perform a queue release or class deletion.
  • Step 3: Use a high-precision loop or timer to trigger Process A’s flush call exactly when the scheduler’s internal perturbation timer fires, creating a lock-release window.
  • Step 4: In that window, Process B calls the queue reduction routine, reducing the parent queue length counter while the flush has not yet cleared all references.
  • Step 5: The overlap causes the parent queue length to underflow below zero. Repeat the flush-release cycle to sustain corrupted queue state until packet scheduling breaks and service is denied.
Examples:
  • tc qdisc add dev eth0 root prio
  • tc qdisc add dev eth0 parent 1:2 sfq perturb 10
  • Parallel execution of “tc qdisc change dev eth0 root prio” and “tc class delete dev eth0 classid 1:2” synchronized to the SFQ perturb timer

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-38083
Description
In the Linux kernel, the following vulnerability has been resolved:

net_sched: prio: fix a race in prio_tune()

Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time.

The race is as follows:

    CPU 0                              CPU 1
    [1]: lock root
    [2]: qdisc_tree_flush_backlog()
    [3]: unlock root
     |
     |                                 [5]: lock root
     |                                 [6]: rehash
     |                                 [7]: qdisc_tree_reduce_backlog()
     |
    [4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock.
Provider
Linux
CWE / problem types
Affected Software Versions
Linux (git commit ranges, status affected, versionType git), each starting at 7b8e0b6e659983154c8d7e756cdb833d89a3d4d7 and ending before the fix commit:
  • less than 53d11560e957d53ee87a0653d258038ce12361b7
  • less than 4483d8b9127591c60c4eb789d6cab953bc4522a9
  • less than 20f68e6a9e41693cb0e55e5b9ebbcb40983a4b8f
  • less than 3aaa7c01cf19d9b9bb64b88b65c3a6fd05da2eb4
  • less than 46c15c9d0f65c9ba857d63f53264f4b17e8a715f
  • less than e3f6745006dc9423d2b065b90f191cfa11b1b584
  • less than 93f9eeb678d4c9c1abf720b3615fa8299a490845
  • less than d35acc1be3480505b5931f17e4ea9b7617fea4d3
Linux (release versions, versionType semver):
  • 5.0: affected
  • 0 up to (not including) 5.0: unaffected
  • 5.4.295 through 5.4.*: unaffected
  • 5.10.239 through 5.10.*: unaffected
  • 5.15.186 through 5.15.*: unaffected
  • 6.1.142 through 6.1.*: unaffected
  • 6.6.94 through 6.6.*: unaffected
  • 6.12.34 through 6.12.*: unaffected
  • 6.15.3 through 6.15.*: unaffected
  • 6.16 onward: unaffected (original commit for fix)
Date Published
2025-06-20T11:21:51.554Z
Last Updated
2025-07-28T04:11:55.593Z