CVE-2025-39766
- Source
- https://cve.org/CVERecord?id=CVE-2025-39766
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39766.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-39766
- Downstream
- Related
- Published
- 2025-09-11T16:56:21.514Z
- Modified
- 2026-03-12T02:16:00.396884Z
- Summary
- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cakeenqueue return NETXMITCN when past bufferlimit
The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low bufferlimit, which causes packet dropping. However, cakeenqueue still returns NETXMITSUCCESS, causing htbenqueue to call htbactivate with an empty child qdisc. We should return NETXMITCN when packets are dropped from the same tin and flow.
I do not believe return value of NETXMITCN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39766.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0dacfc5372e314d1219f03e64dde3ab495a5a25e
- https://git.kernel.org/stable/c/15de71d06a400f7fdc15bf377a2552b0ec437cf5
- https://git.kernel.org/stable/c/62d591dde4defb1333d202410609c4ddeae060b3
- https://git.kernel.org/stable/c/710866fc0a64eafcb8bacd91bcb1329eb7e5035f
- https://git.kernel.org/stable/c/7689ab22de36f8db19095f6bdf11f28cfde92f5c
- https://git.kernel.org/stable/c/aa12ee1c1bd260943fd6ab556d8635811c332eeb
- https://git.kernel.org/stable/c/de04ddd2980b48caa8d7e24a7db2742917a8b280
- https://git.kernel.org/stable/c/ff57186b2cc39766672c4c0332323933e5faaa88
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39766.json
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-39766
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced046f6fd5daefac7f5abdafb436b30f63bc7c602bFixed7689ab22de36f8db19095f6bdf11f28cfde92f5cFixedde04ddd2980b48caa8d7e24a7db2742917a8b280Fixed0dacfc5372e314d1219f03e64dde3ab495a5a25eFixed710866fc0a64eafcb8bacd91bcb1329eb7e5035fFixedaa12ee1c1bd260943fd6ab556d8635811c332eebFixedff57186b2cc39766672c4c0332323933e5faaa88Fixed62d591dde4defb1333d202410609c4ddeae060b3Fixed15de71d06a400f7fdc15bf377a2552b0ec437cf5