CVE-2025-68325
Description
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing the current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.
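The accounting mismatch described above can be reproduced with plain counters. The following C model is an added example, not code from the kernel or from the patch; the struct, the function names, the starting values and the `cn` and `fixed` switches are assumptions made for illustration, and only qlen is modelled (no byte backlog, no ACK thinning).

```c
#include <stdio.h>
/* Stand-ins for the kernel's NET_XMIT_SUCCESS / NET_XMIT_CN return codes. */
enum { XMIT_SUCCESS, XMIT_CN };
/* Constructed model: one parent qdisc counter above one CAKE-like child. */
struct model {
    int parent_qlen; /* packets the parent believes are queued below it */
    int child_qlen;  /* packets the child actually holds */
    int limit;       /* child buffer limit, in packets */
};

/* Plays the role of qdisc_tree_reduce_backlog(): report n drops upward. */
static void tree_reduce(struct model *m, int n) { m->parent_qlen -= n; }

/* Child enqueue; cn selects the congestion return after dropping. */
static int child_enqueue(struct model *m, int cn, int fixed)
{
    int before;
    m->child_qlen++;                   /* the arriving packet is queued */
    if (m->child_qlen <= m->limit)
        return XMIT_SUCCESS;
    before = m->child_qlen;
    while (m->child_qlen > m->limit) { /* the series of drops */
        m->child_qlen--;
        if (!fixed)
            tree_reduce(m, 1);         /* pre-fix: each drop reported at once */
    }
    if (fixed) {                       /* delta observed around the drops */
        int dropped = before - m->child_qlen;
        /* On CN the parent never counts the new packet: report one fewer. */
        tree_reduce(m, cn ? dropped - 1 : dropped);
    }
    return cn ? XMIT_CN : XMIT_SUCCESS;
}

/* Parent counts the packet only on success; returns parent minus child qlen. */
int accounting_skew(int cn, int fixed)
{
    struct model m = { .parent_qlen = 3, .child_qlen = 3, .limit = 3 };
    if (child_enqueue(&m, cn, fixed) == XMIT_SUCCESS)
        m.parent_qlen++;
    return m.parent_qlen - m.child_qlen;
}

int main(void)
{
    printf("pre-fix CN skew: %d\n", accounting_skew(1, 0));
    printf("fixed   CN skew: %d\n", accounting_skew(1, 1));
    return 0;
}
```

In the pre-fix CN case the parent ends up counting one packet fewer than the child holds; the other three combinations of `cn` and `fixed` balance.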
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A qlen/backlog accounting mismatch in the Linux kernel's sch_cake qdisc can lead to a NULL dereference when cake_enqueue() returns NET_XMIT_CN.
Vulnerability
Description
In the Linux kernel's sch_cake qdisc, the cake_drop() function calls qdisc_tree_reduce_backlog() to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet, but when cake_enqueue() returns NET_XMIT_CN the parent qdisc stops enqueuing that packet. This creates an inconsistency between the qlen/backlog accounting performed by cake_drop() and the actual state of the parent qdisc, potentially leading to a NULL pointer dereference (e.g., when the parent qdisc is qfq_qdisc).
Exploitation
The vulnerability can be triggered by network traffic that causes the sch_cake qdisc to drop packets and subsequently return NET_XMIT_CN from cake_enqueue(). No special privileges are required beyond the ability to send network packets to a system using the affected qdisc configuration. The exact conditions depend on the traffic pattern and the parent qdisc in use.
Impact
Successful exploitation results in a NULL pointer dereference in the kernel, leading to a system crash (denial of service). There is no indication of privilege escalation or remote code execution.
Mitigation
The fix has been applied to the Linux kernel stable tree in commits [1], [2], [3], and [4]. Users should update their kernels to include these patches or apply the corresponding backports.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520 (nvd)
- git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe (nvd)
- git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b (nvd)
- git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb (nvd)
- git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc (nvd)
- git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a (nvd)
- git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4 (nvd)
- git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1 (nvd)