NULL Pointer Dereference in kernel-uek-debug-modules-desktop | CVE-2025-38468

Q: How to fix?

Upgrade Oracle:10 kernel-uek-debug-modules-desktop to version 0:6.12.0-103.40.4.1.el10uek or higher. This issue was patched in ELSA-2025-20551 .

Threat Intelligence

0.01% (2^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-ORACLE10-KERNELUEKDEBUGMODULESDESKTOP-12589955
published10 Sept 2025
disclosed28 Jul 2025

Report a new vulnerability Found a mistake?

Introduced: 28 Jul 2025

CVE-2025-38468 (opens in a new tab) CWE-476 (opens in a new tab)

How to fix?

Upgrade Oracle:10 kernel-uek-debug-modules-desktop to version 0:6.12.0-103.40.4.1.el10uek or higher.
This issue was patched in ELSA-2025-20551.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-modules-desktop package and not the kernel-uek-debug-modules-desktop package as distributed by Oracle. See How to fix? for Oracle:10 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

htb_lookup_leaf has a BUG_ON that can trigger with the following:

tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1

The root cause is the following:

htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc
netem_dequeue calls enqueue on the child qdisc
blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS
Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase
As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL
Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON

The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON();

The full original bug report can be seen here [1].

We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL.

[1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/

References

CVSS Base Scores

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Privileges Required (PR)
Low
User Interaction (UI)
None

Scope (S)
Unchanged

Confidentiality (C)
None
Integrity (I)
None
Availability (A)
High

NULL Pointer Dereference Affecting kernel-uek-debug-modules-desktop package, versions <0:6.12.0-103.40.4.1.el10uek

Severity