Vulnerability Database

318,206

Total vulnerabilities in the database

CVE-2025-39766

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen

tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1
htb rate 64bit tc qdisc add dev lo parent 1:1 handle f:
cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow.

I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.

  • Published: Sep 11, 2025
  • Updated: Jan 10, 2026
  • CVE: CVE-2025-39766
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.8
  • AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Software From Fixed in
linux / linux_kernel 4.19 5.4.297
linux / linux_kernel 5.5 5.10.241
linux / linux_kernel 5.11 5.15.190
linux / linux_kernel 5.16 6.1.149
linux / linux_kernel 6.2 6.6.103
linux / linux_kernel 6.7 6.12.44
linux / linux_kernel 6.13 6.16.4
linux / linux_kernel 6.17-rc1 6.17-rc1.x
linux / linux_kernel 6.17-rc2 6.17-rc2.x
debian / debian_linux 11.0 11.0.x