CVE-2025-39677
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-05

Last updated on: 2025-11-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and fq_pie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisc_tree_reduce_backlog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gso_skb. Their peek handlers are qdisc_peek_dequeued, which accounts for both qlen and backlog. However, in the case of qdisc_dequeue_internal, ONLY qlen is accounted for when pulling from gso_skb. This means that these qdiscs are missing a qdisc_qstats_backlog_dec when dropping packets to satisfy the new limit in their change handlers. One can observe this issue with the following (with tc patched to support a limit of 0): export TARGET=fq tc qdisc del dev lo root tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 echo ''; echo 'add child'; tc -s -d qdisc show dev lo ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null echo ''; echo 'after ping'; tc -s -d qdisc show dev lo tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 echo ''; echo 'after limit drop'; tc -s -d qdisc show dev lo tc qdisc replace dev lo handle 2: parent 1:1 sfq echo ''; echo 'post graft'; tc -s -d qdisc show dev lo The second to last show command shows 0 packets but a positive number (74) of backlog bytes. The problem becomes clearer in the last show command, where qdisc_purge_queue triggers qdisc_tree_reduce_backlog with the positive backlog and causes an underflow in the tbf parent's backlog (4096 Mb instead of 0). To fix this issue, the codepath for all clients of qdisc_dequeue_internal has been simplified: codel, pie, hhf, fq, fq_pie, and fq_codel. qdisc_dequeue_internal handles the backlog adjustments for all cases that do not directly use the dequeue handler. The old fq_codel_change limit adjustment loop accumulated the arguments to the subsequent qdisc_tree_reduce_backlog call through the cstats field. However, this is confusing and error prone as fq_codel_dequeue could also potentially mutate this field (which qdisc_dequeue_internal calls in the non gso_skb case), so we have unified the code here with other qdiscs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-05
Last Modified
2025-11-25
Generated
2026-05-07
AI Q&A
2025-09-05
EPSS Evaluated
2026-05-05
NVD
CVE-2025-39677
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.17
linux linux_kernel 6.17
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-NVD-CWE-noinfo
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a flaw in the Linux kernel's network scheduler (net/sched) related to backlog accounting in the function qdisc_dequeue_internal. It affects certain queueing disciplines (qdiscs) like hhf, fq, fq_codel, and fq_pie when they adjust to a new limit. Specifically, when the parent token bucket filter (tbf) runs out of tokens, packets (skbs) are placed in a special queue (gso_skb). The peek handlers account for both queue length and backlog, but qdisc_dequeue_internal only accounts for queue length, missing backlog decrement operations when dropping packets. This causes inaccurate backlog accounting, leading to underflow in the parent's backlog counter and incorrect packet statistics.


How can this vulnerability impact me? :

This vulnerability can cause incorrect backlog accounting in the network scheduler, leading to inaccurate packet statistics and potential underflow in the token bucket filter parent's backlog counter. This may affect network traffic shaping and quality of service, potentially causing unexpected behavior in packet handling and network performance degradation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing discrepancies in packet backlog accounting in affected qdiscs (hhf, fq, fq_codel, fq_pie) when using a tbf parent qdisc. The provided example commands to detect the issue are: export TARGET=fq tc qdisc del dev lo root tc qdisc add dev lo root handle 1: tbf rate 8bit burst 100b latency 1ms tc qdisc replace dev lo handle 3: parent 1:1 $TARGET limit 1000 echo '' ; echo 'add child' ; tc -s -d qdisc show dev lo ping -I lo -f -c2 -s32 -W0.001 127.0.0.1 2>&1 >/dev/null echo '' ; echo 'after ping' ; tc -s -d qdisc show dev lo tc qdisc change dev lo handle 3: parent 1:1 $TARGET limit 0 echo '' ; echo 'after limit drop' ; tc -s -d qdisc show dev lo tc qdisc replace dev lo handle 2: parent 1:1 sfq echo '' ; echo 'post graft' ; tc -s -d qdisc show dev lo These commands show the backlog bytes not decreasing properly, indicating the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been fixed by simplifying the codepath for all clients of qdisc_dequeue_internal, ensuring proper backlog adjustments. Immediate mitigation involves updating the Linux kernel to a version that includes this fix for the affected qdiscs (hhf, fq, fq_codel, fq_pie).


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart