Vulnerability Database

310,472

Total vulnerabilities in the database

CVE-2025-23138

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: fix pipe accounting mismatch

Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.

To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers()

(It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)

  • Published: Apr 16, 2025
  • Updated: Nov 5, 2025
  • CVE: CVE-2025-23138
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.5
  • AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

No CWE or OWASP classifications available.

Software From Fixed in
linux / linux_kernel 5.10.210 5.10.236
linux / linux_kernel 5.15.149 5.15.180
linux / linux_kernel 6.1.76 6.1.134
linux / linux_kernel 6.6.15 6.6.87
linux / linux_kernel 6.7.3 6.12.23
linux / linux_kernel 6.13 6.13.11
linux / linux_kernel 6.14 6.14.2
debian / debian_linux 11.0 11.0.x