CVE-2025-39766
published 2025-09-11CVE-2025-39766: In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup…
high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Affected
37 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | linux | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| debian | linux-6.1 | < linux 6.1.153-1 (bookworm) | linux 6.1.153-1 (bookworm) |
| linux | linux | — | — |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < 7689ab22de36f8db19095f6bdf11f28cfde92f5c | 7689ab22de36f8db19095f6bdf11f28cfde92f5c |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < de04ddd2980b48caa8d7e24a7db2742917a8b280 | de04ddd2980b48caa8d7e24a7db2742917a8b280 |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < 0dacfc5372e314d1219f03e64dde3ab495a5a25e | 0dacfc5372e314d1219f03e64dde3ab495a5a25e |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < 710866fc0a64eafcb8bacd91bcb1329eb7e5035f | 710866fc0a64eafcb8bacd91bcb1329eb7e5035f |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < aa12ee1c1bd260943fd6ab556d8635811c332eeb | aa12ee1c1bd260943fd6ab556d8635811c332eeb |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < ff57186b2cc39766672c4c0332323933e5faaa88 | ff57186b2cc39766672c4c0332323933e5faaa88 |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < 62d591dde4defb1333d202410609c4ddeae060b3 | 62d591dde4defb1333d202410609c4ddeae060b3 |
| linux | linux | >= 046f6fd5daefac7f5abdafb436b30f63bc7c602b < 15de71d06a400f7fdc15bf377a2552b0ec437cf5 | 15de71d06a400f7fdc15bf377a2552b0ec437cf5 |
| linux | linux_kernel | — | — |
| linux | linux_kernel | >= 0 < 5.10.244-1 | 5.10.244-1 |
| linux | linux_kernel | >= 0 < 6.1.153-1 | 6.1.153-1 |
| linux | linux_kernel | >= 0 < 6.12.48-1 | 6.12.48-1 |
| linux | linux_kernel | >= 0 < 6.16.5-1 | 6.16.5-1 |
| linux | linux_kernel | >= 0 < 5.15.0-163.173 | 5.15.0-163.173 |
| linux | linux_kernel | >= 0 < 6.8.0-100.100 | 6.8.0-100.100 |
| linux | linux_kernel | >= 4.19 < 5.4.297 | 5.4.297 |
| linux | linux_kernel | >= 5.11 < 5.15.190 | 5.15.190 |
| linux | linux_kernel | >= 5.16 < 6.1.149 | 6.1.149 |
| linux | linux_kernel | >= 5.5 < 5.10.241 | 5.10.241 |
| linux | linux_kernel | >= 6.13 < 6.16.4 | 6.16.4 |
| linux | linux_kernel | >= 6.2 < 6.6.103 | 6.6.103 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv7.8HIGH