LiveActive security incident?Get immediate response
CVE Record

CVE-2025-40083: net/sched: sch_qfq: Fix null-deref in agg_dequeue

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix null-deref in agg_dequeue To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c) when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return value before using it, similar to the existing approach in sch_hfsc.c. To avoid code duplication, the following changes are made: 1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static inline function. 2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to include/net/pkt_sched.h so that sch_qfq can reuse it. 3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2025-40083 is a Linux kernel flaw in the QFQ network scheduler code. A missing NULL check can cause a kernel crash in a specific dequeue path. The public bundle does not provide a CVSS score, CWE, exploit details, or evidence of active exploitation.

Executive priority

Treat this as a patch-management item, not an emergency, unless critical systems use affected Linux kernels with QFQ traffic scheduling. The known impact from the bundle is system crash potential, and there is no provided evidence of active exploitation.

Technical view

The issue is in net/sched/sch_qfq.c, where agg_dequeue can dereference a NULL result from cl->qdisc->ops->peek(cl->qdisc). The fix checks the peek result before use and reuses qdisc_peek_len moved to include/net/pkt_sched.h, matching prior handling in sch_hfsc.c.

Likely exposure

Exposure appears limited to Linux systems running affected kernel versions where the sch_qfq scheduler code path is reachable. The bundle lists Linux kernel versions including 3.8, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.116, 6.12.57, and 6.16 as affected, but provides no CPEs or distribution mapping.

Exploitation context

The source bundle describes a potential crash, not privilege escalation or code execution. KEV status is false, and no cited source in the bundle reports active exploitation or public weaponization. Practical exploitability, required privileges, and remote reachability are not established by the provided evidence.

Researcher notes

The record lacks CVSS, CWE, CPEs, distribution advisories, and exploitability details. Analysis should focus on kernel version lineage, whether sch_qfq can be invoked in the environment, and whether the referenced stable commits are present in downstream vendor kernels.

Mitigation direction

  • Apply vendor kernel updates containing the referenced stable fixes.
  • Check Linux distribution advisories for exact fixed package versions.
  • Prioritize systems using traffic control or sch_qfq configurations.
  • If immediate patching is not possible, follow vendor guidance for temporary mitigations.

Validation and detection

  • Inventory Linux kernel versions across servers, appliances, and containers hosts.
  • Check whether sch_qfq is configured or reachable in traffic control policy.
  • Confirm installed kernels include one of the referenced stable fixes.
  • Review crash logs for kernel faults involving sch_qfq or agg_dequeue.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-40083 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbd, 462dbc9101acd38e92eda93c0726857517a24bbdunaffected
LinuxLinux3.8, 0, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.116, 6.12.57, 6.16affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.