FKIE_CVE-2025-68325

Vulnerability from fkie_nvd - Published: 2025-12-18 15:16 - Updated: 2026-06-17 09:58
Severity
Summary
In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3f4e3de41a3f115db35276c6b186ccbc913934a",
              "status": "affected",
              "version": "de04ddd2980b48caa8d7e24a7db2742917a8b280",
              "versionType": "git"
            },
            {
              "lessThan": "38abf6e931b169ea88d7529b49096f53a5dcf8fe",
              "status": "affected",
              "version": "0dacfc5372e314d1219f03e64dde3ab495a5a25e",
              "versionType": "git"
            },
            {
              "lessThan": "fcb91be52eb6e92e00b533ebd7c77fecada537e1",
              "status": "affected",
              "version": "710866fc0a64eafcb8bacd91bcb1329eb7e5035f",
              "versionType": "git"
            },
            {
              "lessThan": "d01f0e072dadb02fe10f436b940dd957aff0d7d4",
              "status": "affected",
              "version": "aa12ee1c1bd260943fd6ab556d8635811c332eeb",
              "versionType": "git"
            },
            {
              "lessThan": "0b6216f9b3d1c33c76f74511026e5de5385ee520",
              "status": "affected",
              "version": "ff57186b2cc39766672c4c0332323933e5faaa88",
              "versionType": "git"
            },
            {
              "lessThan": "529c284cc2815c8350860e9a31722050fe7117cb",
              "status": "affected",
              "version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
              "versionType": "git"
            },
            {
              "lessThan": "3ed6c458530a547ed0c9ea0b02b19bab620be88b",
              "status": "affected",
              "version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
              "versionType": "git"
            },
            {
              "lessThan": "9fefc78f7f02d71810776fdeb119a05a946a27cc",
              "status": "affected",
              "version": "15de71d06a400f7fdc15bf377a2552b0ec437cf5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7689ab22de36f8db19095f6bdf11f28cfde92f5c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "62d591dde4defb1333d202410609c4ddeae060b3",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.248",
              "status": "affected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.198",
              "status": "affected",
              "version": "5.15.190",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.160",
              "status": "affected",
              "version": "6.1.149",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.120",
              "status": "affected",
              "version": "6.6.103",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.63",
              "status": "affected",
              "version": "6.12.44",
              "versionType": "semver"
            },
            {
              "lessThan": "5.5",
              "status": "affected",
              "version": "5.4.297",
              "versionType": "semver"
            },
            {
              "lessThan": "6.17",
              "status": "affected",
              "version": "6.16.4",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_cake.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.17"
            },
            {
              "lessThan": "6.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.160",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.63",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.17.*",
              "status": "unaffected",
              "version": "6.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."
    }
  ],
  "id": "CVE-2025-68325",
  "lastModified": "2026-06-17T09:58:56.250",
  "metrics": {},
  "published": "2025-12-18T15:16:06.320",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Deferred"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.