CVE-2025-21703

CVE-2025-21703 is a Use-After-Free (UAF) vulnerability in the Linux kernel's netem (network emulator) component, stemming from a failure to update sch->q.qlen before calling qdisc_tree_reduce_backlog(). This issue affects queueing discipline (qdisc) handling, where qdisc_tree_reduce_backlog() only notifies the parent qdisc if the child becomes empty. Without prior backlog reduction in the child, notifications like cops->qlen_notify() are missed, leading to UAF in scenarios such as Deficit Round Robin (DRR), which relies on qlen_notify() for its active list maintenance. The vulnerability carries a CVSS v3.1 base score of 7.8 and is classified under CWE-416.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U), potentially allowing arbitrary code execution, data corruption, or system crashes through manipulated network queueing operations in netem and related qdiscs like DRR.

Mitigation involves applying kernel patches from the referenced stable commits, such as https://git.kernel.org/stable/c/1f8e3f4a4b8b90ad274dfbc66fc7d55cb582f4d5 and others, which ensure sch->q.qlen is updated before qdisc_tree_reduce_backlog() to properly trigger parent notifications and prevent the UAF. Security practitioners should update affected Linux kernels to versions incorporating these fixes.