### [CVE-2025-37953](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-37953)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0a188c0e197383683fd093ab1ea6ce9a5869a6ea%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=32ae12ce6a9f6bace186ca7335220ff59b6cc3cd%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=5ba8b837b522d7051ef81bacf3d95383ff8edce5%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.1.138%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.12.28%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.14.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=6.6.90%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=73cf6af13153d62f9b76eff422eea79dbc70f15e%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=967955c9e57f8eebfccc298037d4aaf3d42bc1c9%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=a61f1b5921761fbaf166231418bc1db301e5bf59%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=bbbf5e0f87078b715e7a665d662a2c0e77f044ae%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=e6b45f4de763b00dc1c55e685e2dd1aaf525d3c1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:

sch_htb: make htb_deactivate() idempotent

Alan reported a NULL pointer dereference in htb_next_rb_node() after we made htb_qlen_notify() idempotent.

It turns out in the following case it introduced some regression:

```
htb_dequeue_tree():
  |-> fq_codel_dequeue()
    |-> qdisc_tree_reduce_backlog()
      |-> htb_qlen_notify()
        |-> htb_deactivate()
  |-> htb_next_rb_node()
  |-> htb_deactivate()
```

For htb_next_rb_node(), after calling the 1st htb_deactivate(), the clprio[prio]->ptr could be already set to NULL, which means htb_next_rb_node() is vulnerable here.

For htb_deactivate(), although we checked qlen before calling it, in case of qlen==0 after qdisc_tree_reduce_backlog(), we may call it again which triggers the warning inside.

To fix the issues here, we need to:

1) Make htb_deactivate() idempotent, that is, simply return if we already call it before.
2) Make htb_next_rb_node() safe against ptr==NULL.

Many thanks to Alan for testing and for the reproducer.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/runwhen-contrib/helm-charts
- https://github.com/w4zu/Debian_security
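
The two fixes listed in the description, shown as a simplified user-space model of the re-entrant call chain. This is an added example, not the kernel patch or code from the original page; `struct cls`, `cls_deactivate()`, `cursor_next()` and `dequeue_pass()` are hypothetical names, and clearing the cursor on deactivation is a modelling assumption standing in for `clprio[prio]->ptr` becoming NULL.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model only: every struct and function name here is hypothetical. */
struct node { struct node *next; };
struct cls {
    int active;         /* 1 while the class is on the active list */
    int qlen;           /* packets queued in the child qdisc */
    struct node *ptr;   /* round-robin cursor, modelled on clprio[prio]->ptr */
};

/* Fix 1: idempotent deactivate. Returns 1 only when it changed state. */
static int cls_deactivate(struct cls *c)
{
    if (!c->active)
        return 0;       /* already deactivated by a nested call: no-op */
    c->active = 0;
    c->ptr = NULL;      /* model assumption: deactivation clears the cursor */
    return 1;
}

/* Fix 2: cursor advance that tolerates ptr == NULL. Returns 1 if it moved. */
static int cursor_next(struct node **ptr)
{
    if (*ptr == NULL)
        return 0;       /* nothing to advance, and nothing to dereference */
    *ptr = (*ptr)->next;
    return 1;
}

/* One dequeue pass in the order of the call chain in the description.
 * Returns how many deactivate calls actually changed state. */
static int dequeue_pass(struct cls *c, int *cursor_moved)
{
    int changed = 0;
    /* Child dequeue drains the queue; the notify path deactivates first. */
    if (c->qlen > 0 && --c->qlen == 0)
        changed += cls_deactivate(c);
    *cursor_moved = cursor_next(&c->ptr);   /* ptr may already be NULL */
    if (c->qlen == 0)
        changed += cls_deactivate(c);       /* second call must be a no-op */
    return changed;
}

int main(void)
{
    struct node n = { &n };                 /* constructed one-node ring */
    struct cls c = { 1, 1, &n };            /* active, one packet queued */
    int moved, changed = dequeue_pass(&c, &moved);
    printf("state changes=%d cursor moved=%d\n", changed, moved);
    return 0;
}
```

Without the early return in `cls_deactivate()` the second call would act on an already-inactive class, and without the NULL check `cursor_next()` would dereference the cleared cursor.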