CVE-2025-21919 (GCVE-0-2025-21919)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-05-11 21:09
VLAI?
Title
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
Summary
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix potential memory corruption in child_cfs_rq_on_list child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data. The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list. This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct. This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough. Fixes a potential memory corruption issue that due to current struct layout might not be manifesting as a crash but could lead to unpredictable behavior when the layout changes.
Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 5cb300dcdd27e6a351ac02541e0231261c775852 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 000c9ee43928f2ce68a156dd40bab7616256f4dd (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 9cc7f0018609f75a349e42e3aebc3b0e905ba775 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < b5741e4b9ef3567613b2351384f91d3f16e59986 (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < e1dd09df30ba86716cb2ffab97dc35195c01eb8f (git)
Affected: fdaba61ef8a268d4136d0a113d153f7a89eb9984 , < 3b4035ddbfc8e4521f85569998a7569668cccf51 (git)
Create a notification for this product.
Linux Linux Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21919",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:23:59.713530Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:11.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cb300dcdd27e6a351ac02541e0231261c775852",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "000c9ee43928f2ce68a156dd40bab7616256f4dd",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "9cc7f0018609f75a349e42e3aebc3b0e905ba775",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "b5741e4b9ef3567613b2351384f91d3f16e59986",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "e1dd09df30ba86716cb2ffab97dc35195c01eb8f",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            },
            {
              "lessThan": "3b4035ddbfc8e4521f85569998a7569668cccf51",
              "status": "affected",
              "version": "fdaba61ef8a268d4136d0a113d153f7a89eb9984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/fair.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\n\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\nmaking the conversion invalid and potentially leading to memory\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\nthe task group (tg) pointer within the struct, this can cause a memory\nfault or access garbage data.\n\nThe issue arises in list_add_leaf_cfs_rq, where both\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\n\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\nconditional in child_cfs_rq_on_list. This ensures that the container_of\noperation will convert a correct cfs_rq struct.\n\nThis check is sufficient because only cfs_rqs on the same CPU are added\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\nhead is enough.\n\nFixes a potential memory corruption issue that due to current struct\nlayout might not be manifesting as a crash but could lead to unpredictable\nbehavior when the layout changes."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:09:04.367Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852"
        },
        {
          "url": "https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986"
        },
        {
          "url": "https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51"
        }
      ],
      "title": "sched/fair: Fix potential memory corruption in child_cfs_rq_on_list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21919",
    "datePublished": "2025-04-01T15:40:54.075Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2026-05-11T21:09:04.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-21919",
      "date": "2026-05-24",
      "epss": "0.00014",
      "percentile": "0.0301"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21919\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-04-01T16:15:22.557\",\"lastModified\":\"2025-11-03T20:17:27.967\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\\n\\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\\nmaking the conversion invalid and potentially leading to memory\\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\\nthe task group (tg) pointer within the struct, this can cause a memory\\nfault or access garbage data.\\n\\nThe issue arises in list_add_leaf_cfs_rq, where both\\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\\n\\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\\nconditional in child_cfs_rq_on_list. This ensures that the container_of\\noperation will convert a correct cfs_rq struct.\\n\\nThis check is sufficient because only cfs_rqs on the same CPU are added\\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\\nhead is enough.\\n\\nFixes a potential memory corruption issue that due to current struct\\nlayout might not be manifesting as a crash but could lead to unpredictable\\nbehavior when the layout changes.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sched/fair: Se corrige la posible corrupci\u00f3n de memoria en child_cfs_rq_on_list. child_cfs_rq_on_list intenta convertir un puntero \u0027prev\u0027 en un cfs_rq. Este puntero \u0027prev\u0027 puede originarse en leaf_cfs_rq_list de struct rq, invalidando la conversi\u00f3n y potencialmente provocando corrupci\u00f3n de memoria. Dependiendo de las posiciones relativas de leaf_cfs_rq_list y el puntero del grupo de tareas (tg) dentro de la estructura, esto puede causar un fallo de memoria o acceder a datos basura. El problema surge en list_add_leaf_cfs_rq, donde tanto cfs_rq-\u0026gt;leaf_cfs_rq_list como rq-\u0026gt;leaf_cfs_rq_list se a\u00f1aden a la misma lista de hojas. Adem\u00e1s, rq-\u0026gt;tmp_alone_branch puede establecerse en rq-\u0026gt;leaf_cfs_rq_list. Esto a\u00f1ade una comprobaci\u00f3n `if (prev == \u0026amp;rq-\u0026gt;leaf_cfs_rq_list)` despu\u00e9s de la condici\u00f3n principal en child_cfs_rq_on_list. Esto garantiza que la operaci\u00f3n container_of convierta una estructura cfs_rq correcta. Esta comprobaci\u00f3n es suficiente porque solo se a\u00f1aden a la lista las cfs_rqs en la misma CPU, por lo que basta con verificar el puntero `prev` con la cabecera de la lista de la rq actual. Corrige un posible problema de corrupci\u00f3n de memoria que, debido al dise\u00f1o actual de la estructura, podr\u00eda no manifestarse como un fallo, pero podr\u00eda provocar un comportamiento impredecible al cambiar el dise\u00f1o.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.13\",\"versionEndExcluding\":\"5.15.179\",\"matchCriteriaId\":\"92B01601-81F0-4810-B204-2E3CF4BA98F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.131\",\"matchCriteriaId\":\"BA9C2DE3-D37C-46C6-8DCD-2EE509456E0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.83\",\"matchCriteriaId\":\"7D9F642F-6E05-4926-B0FE-62F95B7266BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.19\",\"matchCriteriaId\":\"32865E5C-8AE1-4D3D-A64D-299039694A88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.7\",\"matchCriteriaId\":\"842F5A44-3E71-4546-B4FD-43B0ACE3F32B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"66619FB8-0AAF-4166-B2CF-67B24143261D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D6550E-6679-4560-902D-AF52DCFE905B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"45B90F6B-BEC7-4D4E-883A-9DBADE021750\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T19:39:11.086Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21919\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-01T19:23:59.713530Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-01T14:37:43.464Z\"}}], \"cna\": {\"title\": \"sched/fair: Fix potential memory corruption in child_cfs_rq_on_list\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"5cb300dcdd27e6a351ac02541e0231261c775852\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"000c9ee43928f2ce68a156dd40bab7616256f4dd\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"9cc7f0018609f75a349e42e3aebc3b0e905ba775\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"b5741e4b9ef3567613b2351384f91d3f16e59986\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"e1dd09df30ba86716cb2ffab97dc35195c01eb8f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"fdaba61ef8a268d4136d0a113d153f7a89eb9984\", \"lessThan\": \"3b4035ddbfc8e4521f85569998a7569668cccf51\", \"versionType\": \"git\"}], \"programFiles\": [\"kernel/sched/fair.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.13\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.13\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.179\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.131\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.12.19\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.12.*\"}, {\"status\": \"unaffected\", \"version\": \"6.13.7\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.13.*\"}, {\"status\": \"unaffected\", \"version\": \"6.14\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"kernel/sched/fair.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5cb300dcdd27e6a351ac02541e0231261c775852\"}, {\"url\": \"https://git.kernel.org/stable/c/000c9ee43928f2ce68a156dd40bab7616256f4dd\"}, {\"url\": \"https://git.kernel.org/stable/c/9cc7f0018609f75a349e42e3aebc3b0e905ba775\"}, {\"url\": \"https://git.kernel.org/stable/c/b5741e4b9ef3567613b2351384f91d3f16e59986\"}, {\"url\": \"https://git.kernel.org/stable/c/e1dd09df30ba86716cb2ffab97dc35195c01eb8f\"}, {\"url\": \"https://git.kernel.org/stable/c/3b4035ddbfc8e4521f85569998a7569668cccf51\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nsched/fair: Fix potential memory corruption in child_cfs_rq_on_list\\n\\nchild_cfs_rq_on_list attempts to convert a \u0027prev\u0027 pointer to a cfs_rq.\\nThis \u0027prev\u0027 pointer can originate from struct rq\u0027s leaf_cfs_rq_list,\\nmaking the conversion invalid and potentially leading to memory\\ncorruption. Depending on the relative positions of leaf_cfs_rq_list and\\nthe task group (tg) pointer within the struct, this can cause a memory\\nfault or access garbage data.\\n\\nThe issue arises in list_add_leaf_cfs_rq, where both\\ncfs_rq-\u003eleaf_cfs_rq_list and rq-\u003eleaf_cfs_rq_list are added to the same\\nleaf list. Also, rq-\u003etmp_alone_branch can be set to rq-\u003eleaf_cfs_rq_list.\\n\\nThis adds a check `if (prev == \u0026rq-\u003eleaf_cfs_rq_list)` after the main\\nconditional in child_cfs_rq_on_list. This ensures that the container_of\\noperation will convert a correct cfs_rq struct.\\n\\nThis check is sufficient because only cfs_rqs on the same CPU are added\\nto the list, so verifying the \u0027prev\u0027 pointer against the current rq\u0027s list\\nhead is enough.\\n\\nFixes a potential memory corruption issue that due to current struct\\nlayout might not be manifesting as a crash but could lead to unpredictable\\nbehavior when the layout changes.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.179\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.131\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.83\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.12.19\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.13.7\", \"versionStartIncluding\": \"5.13\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.14\", \"versionStartIncluding\": \"5.13\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-05-11T21:09:04.367Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-21919\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-11T21:09:04.367Z\", \"dateReserved\": \"2024-12-29T08:45:45.787Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2025-04-01T15:40:54.075Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.