High severity 7.8 · NVD Advisory · Published Sep 11, 2025 · Updated May 12, 2026

CVE-2025-39766

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen

    tc qdisc del dev lo root
    tc qdisc add dev lo root handle 1: htb default 1
    tc class add dev lo parent 1: classid 1:1 \
        htb rate 64bit
    tc qdisc add dev lo parent 1:1 handle f: \
        cake memlimit 1b
    ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow.

I do not believe a return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's CAKE qdisc, enqueue returns NET_XMIT_SUCCESS even when packets are dropped due to low buffer_limit, causing a WARNING in htb_activate.

Vulnerability Description

CVE-2025-39766 is a vulnerability in the Linux kernel's CAKE (Common Applications Kept Enhanced) network scheduler. The cake_enqueue function returns the wrong status code when packets are dropped because the queue has exceeded its buffer limit. Specifically, when the memlimit is set very low (e.g., 1 byte), packets are dropped, but cake_enqueue still returns NET_XMIT_SUCCESS instead of NET_XMIT_CN (congestion notification). This incorrect return value can trigger a WARNING in the htb_activate function of the HTB (Hierarchical Token Bucket) qdisc, which checks !cl->leaf.q->q.qlen and expects a non-empty child queue after a successful enqueue [1].

Exploitation Conditions

An attacker with local access to the system can trigger this condition by setting up a specific qdisc configuration: a root HTB qdisc with a child CAKE qdisc that has an extremely low memlimit (e.g., 1 byte). The provided reproducer uses ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 to generate traffic that is dropped because of the low buffer limit. The only privilege required is the ability to create and modify qdiscs, which typically requires root or CAP_NET_ADMIN capabilities [1].

Impact

When the vulnerability is triggered, the kernel emits a WARNING message, which can indicate potential system instability or a denial-of-service condition. The WARNING results from an inconsistency in the qdisc state: HTB believes a child queue has packets (because cake_enqueue returned success), but the queue is actually empty. This can lead to further errors or crashes in the networking subsystem. The vulnerability does not directly allow arbitrary code execution or privilege escalation, but it can cause system disruption [1].

Mitigation

The fix has been applied in the Linux kernel stable branches. The commit ensures that cake_enqueue returns NET_XMIT_CN when packets are dropped from the same tin and flow due to buffer limits. The fix is available in kernel versions that include the commit ff57186b2cc39766672c4c0332323933e5faaa88 (and related backports) [2][3][4]. Users should update their kernel to a patched version. No workaround is provided, but avoiding extremely low memlimit values in CAKE qdiscs can prevent the issue.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
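
The enqueue contract behind this CVE, as an added user-space model in C; it is not kernel code and does not come from the advisory or the patch. The struct, the helper names (child_enqueue, parent_warns), the four-flow layout and the equal-packet-size-per-flow shortcut are assumptions made for illustration; only the NET_XMIT_* values and the empty-queue check mirror the kernel.

```c
#include <stdbool.h>
#include <stdio.h>
#define NET_XMIT_SUCCESS 0x00   /* values from include/linux/netdevice.h */
#define NET_XMIT_CN      0x02
#define NFLOWS 4
/* Constructed user-space model of a child qdisc; not sch_cake's structures.
 * Assumption: packets within one flow share a size, so bytes/pkts = head size. */
struct child {
    unsigned buffer_limit, buffer_used, qlen, bytes[NFLOWS], pkts[NFLOWS];
    bool fixed;                 /* false: pre-fix return value, true: patched */
};

/* Drop one packet from the flow holding the most bytes; return that flow. */
static int child_drop(struct child *c)
{
    int fat = 0;
    for (int i = 1; i < NFLOWS; i++)
        if (c->bytes[i] > c->bytes[fat]) fat = i;
    unsigned len = c->bytes[fat] / c->pkts[fat];
    c->bytes[fat] -= len; c->pkts[fat]--;
    c->buffer_used -= len; c->qlen--;
    return fat;
}

static int child_enqueue(struct child *c, int flow, unsigned len)
{
    bool same_flow = false;
    c->bytes[flow] += len; c->pkts[flow]++;
    c->buffer_used += len; c->qlen++;
    while (c->buffer_used > c->buffer_limit)
        if (child_drop(c) == flow)
            same_flow = true;
    /* Patched behaviour: report congestion when the drop hit the caller's flow. */
    return (c->fixed && same_flow) ? NET_XMIT_CN : NET_XMIT_SUCCESS;
}

/* Parent in the role of htb_enqueue: true if it would activate an empty child. */
static bool parent_warns(struct child *c, int flow, unsigned len)
{
    if (child_enqueue(c, flow, len) != NET_XMIT_SUCCESS)
        return false;           /* non-success: class is not activated */
    return c->qlen == 0;        /* models the !cl->leaf.q->q.qlen check */
}

int main(void)
{
    struct child pre = { .buffer_limit = 1 }, post = { .buffer_limit = 1, .fixed = true };
    printf("pre-fix warns=%d patched warns=%d\n", parent_warns(&pre, 0, 64), parent_warns(&post, 0, 64));
}
```

When the overflow is resolved by dropping from a different, larger flow, the model still returns NET_XMIT_SUCCESS because the caller's packet remains queued and the parent's view stays consistent.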
