{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T12:49:46.789","vulnerabilities":[{"cve":{"id":"CVE-2025-37953","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-05-20T16:15:33.483","lastModified":"2025-12-17T20:04:41.750","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nsch_htb: make htb_deactivate() idempotent\n\nAlan reported a NULL pointer dereference in htb_next_rb_node()\nafter we made htb_qlen_notify() idempotent.\n\nIt turns out in the following case it introduced some regression:\n\nhtb_dequeue_tree():\n  |-> fq_codel_dequeue()\n    |-> qdisc_tree_reduce_backlog()\n      |-> htb_qlen_notify()\n        |-> htb_deactivate()\n  |-> htb_next_rb_node()\n  |-> htb_deactivate()\n\nFor htb_next_rb_node(), after calling the 1st htb_deactivate(), the\nclprio[prio]->ptr could be already set to  NULL, which means\nhtb_next_rb_node() is vulnerable here.\n\nFor htb_deactivate(), although we checked qlen before calling it, in\ncase of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again\nwhich triggers the warning inside.\n\nTo fix the issues here, we need to:\n\n1) Make htb_deactivate() idempotent, that is, simply return if we\n   already call it before.\n2) Make htb_next_rb_node() safe against ptr==NULL.\n\nMany thanks to Alan for testing and for the reproducer."},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sch_htb: hacer que htb_deactivate() sea idempotente. Alan informó una desreferencia de puntero NULL en htb_next_rb_node() después de que htb_qlen_notify() fuera idempotente. Resulta que en el siguiente caso introdujo alguna regresión: htb_dequeue_tree(): |-> fq_codel_dequeue() |-> qdisc_tree_reduce_backlog() |-> htb_qlen_notify() |-> htb_deactivate() |-> htb_next_rb_node() |-> htb_deactivate() Para htb_next_rb_node(), después de llamar al primer htb_deactivate(), el clprio[prio]->ptr podría estar ya establecido en NULL, lo que significa que htb_next_rb_node() es vulnerable aquí. Para htb_deactivate(), aunque verificamos qlen antes de llamarlo, en caso de qlen==0 después de qdisc_tree_reduce_backlog(), podemos llamarlo nuevamente, lo que activa la advertencia interna. Para solucionar estos problemas, necesitamos: 1) Hacer que htb_deactivate() sea idempotente, es decir, que simplemente regrese si ya lo llamamos. 2) Hacer que htb_next_rb_node() sea seguro contra ptr==NULL. Muchas gracias a Alan por las pruebas y por el reproductor."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-476"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.1.138:*:*:*:*:*:*:*","matchCriteriaId":"BC65592C-4F4A-41FF-A271-60B010E949AF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.6.90:*:*:*:*:*:*:*","matchCriteriaId":"D59F317C-54D9-46AF-9BE7-9679E9BD1AEF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.12.28:*:*:*:*:*:*:*","matchCriteriaId":"F3B49C5B-6A74-41DF-A9E0-C09A2D71CAD9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14.6:*:*:*:*:*:*:*","matchCriteriaId":"33C3A487-6E91-4036-AF1B-D478270395FA"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*","matchCriteriaId":"4C9D071F-B28E-46EC-AC61-22B913390211"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*","matchCriteriaId":"13FC0DDE-E513-465E-9E81-515702D49B74"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*","matchCriteriaId":"8C7B5B0E-4EEB-48F5-B4CF-0935A7633845"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*","matchCriteriaId":"2D240580-3048-49B2-9E27-F115A9DF8224"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/31ff70ad39485698cf779f2078132d80b57f6c07","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/3769478610135e82b262640252d90f6efb05be71","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/98cd7ed92753090a714f0802d4434314526fe61d","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/99ff8a20fd61315bf9ae627440a5ff07d22ee153","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a9945f7cf1709adc5d2d31cb6cfc85627ce299a8","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c2d25fddd867ce20a266806634eeeb5c30cb520c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c4792b9e38d2f61b07eac72f10909fa76130314b","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/c928dd4f6bf0c25c72b11824a1e9ac9bd37296a0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}