CVE-2025-68325 - Vulnerability Details

- net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop

In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).

This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.

To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.

Published: 2025-12-18

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`de04ddd2980b48caa8d7e24a7db2742917a8b280`	affected	< a3f4e3de41a3f115db35276c6b186ccbc913934a
`0dacfc5372e314d1219f03e64dde3ab495a5a25e`	affected	< 38abf6e931b169ea88d7529b49096f53a5dcf8fe
`710866fc0a64eafcb8bacd91bcb1329eb7e5035f`	affected	< fcb91be52eb6e92e00b533ebd7c77fecada537e1
`aa12ee1c1bd260943fd6ab556d8635811c332eeb`	affected	< d01f0e072dadb02fe10f436b940dd957aff0d7d4
`ff57186b2cc39766672c4c0332323933e5faaa88`	affected	< 0b6216f9b3d1c33c76f74511026e5de5385ee520
`15de71d06a400f7fdc15bf377a2552b0ec437cf5`	affected	< 529c284cc2815c8350860e9a31722050fe7117cb
`15de71d06a400f7fdc15bf377a2552b0ec437cf5`	affected	< 3ed6c458530a547ed0c9ea0b02b19bab620be88b
`15de71d06a400f7fdc15bf377a2552b0ec437cf5`	affected	< 9fefc78f7f02d71810776fdeb119a05a946a27cc
`7689ab22de36f8db19095f6bdf11f28cfde92f5c`	affected	—
`62d591dde4defb1333d202410609c4ddeae060b3`	affected	—
`5.10.241`	affected	< 5.10.248
`5.15.190`	affected	< 5.15.198
`6.1.149`	affected	< 6.1.160
`6.6.103`	affected	< 6.6.120
`6.12.44`	affected	< 6.12.63
`5.4.297`	affected	< 5.5
`6.16.4`	affected	< 6.17

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`5.10.248`	unaffected	≤ 5.10.*
`5.15.198`	unaffected	≤ 5.15.*
`6.1.160`	unaffected	≤ 6.1.*
`6.6.120`	unaffected	≤ 6.6.*
`6.12.63`	unaffected	≤ 6.12.*
`6.17.13`	unaffected	≤ 6.17.*
`6.18.2`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4475-1	linux security update
Debian DLA	DLA-4476-1	linux-6.1 security update
Debian DSA	DSA-6127-1	linux security update
Ubuntu USN	USN-8094-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8094-2	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8096-4	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8096-5	Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN	USN-8116-1	Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN	USN-8094-3	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8094-4	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8094-5	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8141-1	Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN	USN-8152-1	Linux kernel (OEM) vulnerabilities
Ubuntu USN	USN-8163-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8163-2	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8179-1	Linux kernel vulnerabilities
Ubuntu USN	USN-8184-1	Linux kernel (Real-time) vulnerabilities
Ubuntu USN	USN-8179-2	Linux kernel (FIPS) vulnerabilities
Ubuntu USN	USN-8185-1	Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-3	Linux kernel vulnerabilities
Ubuntu USN	USN-8203-1	Linux kernel (Oracle) vulnerabilities
Ubuntu USN	USN-8204-1	Linux kernel (Raspberry Pi Real-time) vulnerabilities
Ubuntu USN	USN-8185-2	Linux kernel (Low Latency NVIDIA) vulnerabilities
Ubuntu USN	USN-8179-4	Linux kernel (GCP) vulnerabilities
Ubuntu USN	USN-8243-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8258-1	Linux kernel (Azure) vulnerabilities
Ubuntu USN	USN-8260-1	Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN	USN-8261-1	Linux kernel (Xilinx) vulnerabilities
Ubuntu USN	USN-8265-1	Linux kernel (NVIDIA Tegra) vulnerabilities

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00068.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520
https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe
https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b
https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb
https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc
https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a
https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4
https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1
https://lore.kernel.org/linux-cve-announce/2025121802-CVE-2025-68325-13a9@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2025-68325
https://www.cve.org/CVERecord?id=CVE-2025-68325

History

Mon, 19 Jan 2026 12:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a

Sun, 11 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4 https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1

Fri, 19 Dec 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2025121802-CVE-2025-68325-13a9@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2025-68325 https://www.cve.org/CVERecord?id=CVE-2025-68325

Thu, 18 Dec 2025 15:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.
Title		net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520 https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2025-12-18T15:02:50.214Z

Updated: 2026-05-23T16:02:41.295Z

Reserved: 2025-12-16T14:48:05.296Z

Link: CVE-2025-68325

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2025-12-18T15:16:06.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68325

Redhat

Severity :

Publid Date: 2025-12-18T00:00:00Z

Links: CVE-2025-68325 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object