CVE-2025-39766
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow. I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-39766
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.1.153-1
linux linux_kernel 5.10.244-1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel involves the network scheduler component where the cake_enqueue function incorrectly returns NET_XMIT_SUCCESS even when packets are dropped due to a low buffer limit. This causes the htb_enqueue function to call htb_activate with an empty child queue, potentially triggering a warning. The issue arises because cake_enqueue should return NET_XMIT_CN to signal congestion when packets are dropped from the same tin and flow, but it does not.

Impact Analysis

The vulnerability can cause incorrect signaling of packet transmission success when packets are actually dropped due to buffer limits. This may lead to warnings in the network scheduler and potentially impact network traffic handling, causing performance issues or unexpected behavior in traffic control mechanisms.

Detection Guidance

This vulnerability can be detected by reproducing the conditions that trigger the issue, specifically by using traffic control (tc) commands to configure the network queue disciplines and then sending ping packets to observe warnings or unexpected behavior. The following commands illustrate this detection method: 1. Delete existing qdisc on loopback interface: tc qdisc del dev lo root 2. Add htb qdisc with default class: tc qdisc add dev lo root handle 1: htb default 1 3. Add htb class with a rate: tc class add dev lo parent 1: classid 1:1 htb rate 64bit 4. Add cake qdisc with very low memlimit: tc qdisc add dev lo parent 1:1 handle f: cake memlimit 1b 5. Send a flood ping to localhost: ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This setup triggers the vulnerability by causing packet drops due to low buffer limits and may produce warnings related to htb_activate. Monitoring system logs for such warnings can help detect the vulnerability.

Mitigation Strategies

Immediate mitigation involves updating the Linux kernel to a version where this vulnerability is resolved, as the issue is fixed by making cake_enqueue return NET_XMIT_CN when past buffer_limit to properly signal congestion and avoid warnings in htb_activate. Until an update is applied, avoid configuring cake qdisc with extremely low memlimit values that can trigger the issue. Monitoring and adjusting traffic control settings to prevent buffer_limit exhaustion can also help mitigate the problem.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-39766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart