
Preface: While Kubernetes doesn’t directly expose net/sched as a configurable API, its network management and QoS features often rely on or interact with net/sched at the underlying Linux kernel level to achieve desired network behavior for containerized applications.
Background: net/sched is the Linux kernel subsystem responsible for traffic control (tc). It manages how packets are queued and scheduled for transmission on network interfaces using qdiscs (queueing disciplines). The default qdisc is typically pfifo_fast or fq_codel depending on the kernel version and distribution.
Vulnerability details: The vulnerability CVE-2025-38553 affects the Linux kernel’s net/sched subsystem, specifically the netem qdisc. It arises when multiple netem instances are added to the same qdisc tree, which can lead to:
- Soft lockups
- Out-of-memory (OOM) errors
- Infinite loops during packet dequeueing
The root cause is flawed duplication logic in netem_enqueue, especially when a netem is nested within another netem in a qdisc hierarchy. The fix restricts the addition of a duplicating netem if another netem already exists in the same qdisc tree.
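As an added example (not part of the advisory or the kernel patch), the POSIX shell snippet below audits a `tc qdisc show dev <iface>` listing for the layout the advisory describes: more than one netem on the same tree, with at least one of them configured to duplicate packets. It assumes the iproute2 listing format of one `qdisc <kind> <handle>: ...` line per qdisc; the sample listings, handle ids and options are constructed for illustration, so the script runs offline, and `audit_dev` runs the same check against a live interface where `tc` is available.

```shell
#!/bin/sh
# Added example, not taken from the advisory or the kernel tree: audit a
# `tc qdisc show dev <iface>` listing for the netem layout described for
# CVE-2025-38553 (several netem qdiscs on one tree, one of them duplicating).

# count_netem LISTING: number of netem qdiscs in the listing
count_netem() {
    printf '%s\n' "$1" | grep -c '^qdisc netem ' || true
}

# count_duplicating LISTING: netem qdiscs that carry the "duplicate" option
count_duplicating() {
    printf '%s\n' "$1" | grep '^qdisc netem ' | grep -c ' duplicate ' || true
}

# netem_verdict LISTING: prints RISK, WARN or OK
#   RISK: more than one netem and at least one duplicates packets
#         (the configuration the fix now rejects)
#   WARN: more than one netem, none duplicating
#   OK:   at most one netem on the tree
netem_verdict() {
    n=$(count_netem "$1")
    d=$(count_duplicating "$1")
    if [ "$n" -gt 1 ] && [ "$d" -ge 1 ]; then
        echo RISK
    elif [ "$n" -gt 1 ]; then
        echo WARN
    else
        echo OK
    fi
}

# audit_dev IFACE: run the check against a live interface (requires tc)
audit_dev() {
    listing=$(tc qdisc show dev "$1")
    printf '%s: %s (%s netem, %s duplicating)\n' "$1" \
        "$(netem_verdict "$listing")" \
        "$(count_netem "$listing")" "$(count_duplicating "$listing")"
}

# Constructed sample listings in the shape of `tc qdisc show dev` output;
# handle ids and option values are made up for illustration.
SAMPLE_NESTED='qdisc netem 1: root refcnt 2 limit 1000 delay 100.0ms
qdisc netem 2: parent 1: limit 1000 duplicate 10%'
SAMPLE_SINGLE='qdisc netem 1: root refcnt 2 limit 1000 delay 50.0ms'
SAMPLE_DEFAULT='qdisc fq_codel 0: root refcnt 2 limit 10240p flows 1024 quantum 1514'

# Expected: the nested listing reports RISK, the other two report OK.
for s in "$SAMPLE_NESTED" "$SAMPLE_SINGLE" "$SAMPLE_DEFAULT"; do
    printf '%s -> %s\n' "$(printf '%s' "$s" | head -n 1)" "$(netem_verdict "$s")"
done
```

On a host running a pre-fix kernel, iterating `audit_dev` over the interfaces that chaos or traffic-shaping tooling manages gives a quick inventory of trees that hold the risky layout; a WARN result is worth reviewing too, since the advisory ties the soft lockups and OOM to multiple netem instances on one tree.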
Official announcement: Please see the link for details –