CVE-2025-40083: net/sched: sch_qfq: Fix null-deref in agg_dequeue
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_qfq: Fix null-deref in agg_dequeue
To prevent a potential crash in agg_dequeue (net/sched/sch_qfq.c)
when cl->qdisc->ops->peek(cl->qdisc) returns NULL, we check the return
value before using it, similar to the existing approach in sch_hfsc.c.
To avoid code duplication, the following changes are made:
1. Changed qdisc_warn_nonwc(include/net/pkt_sched.h) into a static
inline function.
2. Moved qdisc_peek_len from net/sched/sch_hfsc.c to
include/net/pkt_sched.h so that sch_qfq can reuse it.
3. Applied qdisc_peek_len in agg_dequeue to avoid crashing.
Security readout for executives and security teams
Plain-English summary
CVE-2025-40083 is a Linux kernel flaw in the QFQ network scheduler code. A missing NULL check can cause a kernel crash in a specific dequeue path. The public bundle does not provide a CVSS score, CWE, exploit details, or evidence of active exploitation.
Executive priority
Treat this as a patch-management item, not an emergency, unless critical systems use affected Linux kernels with QFQ traffic scheduling. The known impact from the bundle is system crash potential, and there is no provided evidence of active exploitation.
Technical view
The issue is in net/sched/sch_qfq.c, where agg_dequeue can dereference a NULL result from cl->qdisc->ops->peek(cl->qdisc). The fix checks the peek result before use and reuses qdisc_peek_len moved to include/net/pkt_sched.h, matching prior handling in sch_hfsc.c.
Likely exposure
Exposure appears limited to Linux systems running affected kernel versions where the sch_qfq scheduler code path is reachable. The bundle lists Linux kernel versions including 3.8, 5.4.302, 5.10.247, 5.15.197, 6.1.159, 6.6.116, 6.12.57, and 6.16 as affected, but provides no CPEs or distribution mapping.
Exploitation context
The source bundle describes a potential crash, not privilege escalation or code execution. KEV status is false, and no cited source in the bundle reports active exploitation or public weaponization. Practical exploitability, required privileges, and remote reachability are not established by the provided evidence.
Researcher notes
The record lacks CVSS, CWE, CPEs, distribution advisories, and exploitability details. Analysis should focus on kernel version lineage, whether sch_qfq can be invoked in the environment, and whether the referenced stable commits are present in downstream vendor kernels.
Mitigation direction
Apply vendor kernel updates containing the referenced stable fixes.
Check Linux distribution advisories for exact fixed package versions.
Prioritize systems using traffic control or sch_qfq configurations.
If immediate patching is not possible, follow vendor guidance for temporary mitigations.
Validation and detection
Inventory Linux kernel versions across servers, appliances, and containers hosts.
Check whether sch_qfq is configured or reachable in traffic control policy.
Confirm installed kernels include one of the referenced stable fixes.
Review crash logs for kernel faults involving sch_qfq or agg_dequeue.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-40083 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.