Bug 2394648 (CVE-2025-39766) - CVE-2025-39766 kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
Summary: CVE-2025-39766 kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when p...
Keywords:
Status: NEW
Alias: CVE-2025-39766
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-11 17:04 UTC by OSIDB Bzimport
Modified: 2026-06-04 12:16 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:19568 0 None None None 2026-05-20 12:57:32 UTC
Red Hat Product Errata RHSA-2026:19569 0 None None None 2026-05-20 12:15:44 UTC
Red Hat Product Errata RHSA-2026:21209 0 None None None 2026-05-27 01:42:50 UTC
Red Hat Product Errata RHSA-2026:22334 0 None None None 2026-06-01 22:10:15 UTC
Red Hat Product Errata RHSA-2026:22900 0 None None None 2026-06-03 15:19:23 UTC
Red Hat Product Errata RHSA-2026:22940 0 None None None 2026-06-03 19:17:50 UTC
Red Hat Product Errata RHSA-2026:23224 0 None None None 2026-06-04 12:16:22 UTC
Red Hat Product Errata RHSA-2026:8921 0 None None None 2026-04-20 09:04:41 UTC
Red Hat Product Errata RHSA-2026:9264 0 None None None 2026-04-21 12:49:08 UTC

Description OSIDB Bzimport 2025-09-11 17:04:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen

tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
       htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
       cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.

I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Comment 1 Mauro Matteo Cascella 2025-09-15 07:40:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091144-CVE-2025-39766-7465@gregkh/T
Comment 4 errata-xmlrpc 2026-04-20 09:04:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:8921 https://access.redhat.com/errata/RHSA-2026:8921
Comment 5 errata-xmlrpc 2026-04-21 12:49:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:9264 https://access.redhat.com/errata/RHSA-2026:9264
Comment 6 errata-xmlrpc 2026-05-20 12:15:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19569 https://access.redhat.com/errata/RHSA-2026:19569
Comment 7 errata-xmlrpc 2026-05-20 12:57:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19568 https://access.redhat.com/errata/RHSA-2026:19568
Comment 8 errata-xmlrpc 2026-05-27 01:42:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:21209 https://access.redhat.com/errata/RHSA-2026:21209
Comment 9 errata-xmlrpc 2026-06-01 22:10:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:22334 https://access.redhat.com/errata/RHSA-2026:22334
Comment 11 errata-xmlrpc 2026-06-03 15:19:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22900 https://access.redhat.com/errata/RHSA-2026:22900
Comment 12 errata-xmlrpc 2026-06-03 19:17:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:22940 https://access.redhat.com/errata/RHSA-2026:22940
Comment 13 errata-xmlrpc 2026-06-04 12:16:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:23224 https://access.redhat.com/errata/RHSA-2026:23224
Note You need to log in before you can comment on or make changes to this bug.