Bug 2394648 (CVE-2025-39766) - CVE-2025-39766 kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
Summary: CVE-2025-39766 kernel: net/sched: Make cake_enqueue return NET_XMIT_CN when p...
Keywords:
Status: NEW
Alias: CVE-2025-39766
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-09-11 17:04 UTC by OSIDB Bzimport
Modified: 2025-09-15 07:53 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-09-11 17:04:42 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen

tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
       htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
       cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.

I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Comment 1 Mauro Matteo Cascella 2025-09-15 07:40:02 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025091144-CVE-2025-39766-7465@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.