CVE-2025-39766 in Linux

Summary

by MITRE • 09/11/2025

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen

    tc qdisc del dev lo root
    tc qdisc add dev lo root handle 1: htb default 1
    tc class add dev lo parent 1: classid 1:1 \
        htb rate 64bit
    tc qdisc add dev lo parent 1:1 handle f: \
        cake memlimit 1b
    ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow.

I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.
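
The return-code mismatch described above, as a simplified user-space model in C (an added example, not kernel code and not part of the original advisory). The struct and function names are hypothetical, a single flow with equal-length packets is assumed, and only the NET_XMIT_* values match the kernel headers.

```c
#include <stdbool.h>
#include <stdio.h>

#define NET_XMIT_SUCCESS 0x00   /* values as in include/linux/netdevice.h */
#define NET_XMIT_CN      0x02

/* User-space model only; names are hypothetical. signal_cn selects the fixed path. */
struct leaf_q { size_t qlen, buffer_used, buffer_limit; bool signal_cn; };
struct htb_cl { struct leaf_q *leaf; size_t qlen; int warnings; };
struct outcome { int ret, warnings; size_t parent_qlen; };

/* Queue one packet, then drop until back under buffer_limit (same tin and flow). */
static int leaf_enqueue(struct leaf_q *q, size_t len)
{
    bool dropped = false;
    q->qlen++;
    q->buffer_used += len;
    while (q->buffer_used > q->buffer_limit && q->qlen > 0) {
        q->qlen--;
        q->buffer_used -= len;
        dropped = true;
    }
    return (dropped && q->signal_cn) ? NET_XMIT_CN : NET_XMIT_SUCCESS;
}

/* The parent trusts the return code: SUCCESS means the leaf holds a packet. */
static int parent_enqueue(struct htb_cl *cl, size_t len)
{
    int ret = leaf_enqueue(cl->leaf, len);
    if (ret != NET_XMIT_SUCCESS)
        return ret;             /* class is neither activated nor counted */
    if (cl->leaf->qlen == 0)
        cl->warnings++;         /* the !cl->leaf.q->q.qlen condition */
    cl->qlen++;
    return NET_XMIT_SUCCESS;
}

static struct outcome run_one_packet(bool fixed)  /* 64 bytes, 1-byte limit */
{
    struct leaf_q leaf = { .buffer_limit = 1, .signal_cn = fixed };
    struct htb_cl cl = { .leaf = &leaf };
    int ret = parent_enqueue(&cl, 64);
    return (struct outcome){ ret, cl.warnings, cl.qlen };
}

int main(void)
{
    printf("warnings: pre-fix=%d fixed=%d\n",
           run_one_packet(false).warnings, run_one_packet(true).warnings);
    return 0;
}
```

With the pre-fix return code the parent counts a packet that the leaf no longer holds; with NET_XMIT_CN the parent returns early and its accounting stays consistent with the leaf.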


Analysis

by VulDB Data Team • 01/10/2026

The vulnerability identified as CVE-2025-39766 represents a critical issue within the Linux kernel's traffic control subsystem, specifically affecting the cake qdisc implementation. This flaw manifests in the net/sched subsystem where the cake_enqueue function fails to properly communicate congestion signals when packet drops occur due to buffer limitations. The issue stems from an incorrect return value handling that bypasses proper congestion notification mechanisms, potentially leading to improper queue management and system instability. The vulnerability is particularly concerning as it affects the core networking infrastructure that handles packet scheduling and traffic control operations across various network interfaces.

The technical root cause of this vulnerability lies in the improper handling of return values within the cake qdisc implementation when packets are dropped due to buffer constraints. When the memlimit parameter is set to extremely low values such as 1 byte, the system calculates a correspondingly small buffer_limit that quickly becomes saturated. The cake_enqueue function continues to return NET_XMIT_SUCCESS even when packets are dropped, rather than properly signaling congestion with NET_XMIT_CN. This misbehavior occurs because the function does not distinguish between successful packet queuing and packet drops that should trigger congestion notification. The specific scenario involves creating a complex traffic control setup with HTB qdisc parent and cake qdisc children, where the low memory limits force rapid packet loss while maintaining incorrect return codes that confuse the higher-level queuing logic.

The operational impact of this vulnerability extends beyond simple packet loss scenarios to potentially compromise network stability and performance monitoring capabilities. When the system incorrectly reports successful packet transmission despite actual drops, the HTB queuing logic becomes confused and may trigger the WARNING condition in htb_activate. This creates a cascading effect where the network stack's congestion control mechanisms fail to properly respond to actual network congestion, potentially leading to increased latency, packet loss, and overall degraded network performance. The vulnerability is particularly dangerous in high-throughput environments where proper congestion signaling is essential for maintaining network quality of service and preventing bufferbloat scenarios.

The mitigation strategy for CVE-2025-39766 requires immediate patch application to the Linux kernel's traffic control subsystem, specifically addressing the cake_enqueue function's return value handling. System administrators should ensure their kernel versions include the patched implementation that properly returns NET_XMIT_CN when packets are dropped due to buffer limitations within the same tin and flow. Additionally, network administrators should review their traffic control configurations to avoid extremely low memlimit values that could trigger this condition, though the fix ensures proper behavior regardless of configuration. The vulnerability aligns with CWE-209, which addresses improper handling of return values in network subsystems, and may be categorized under ATT&CK technique T1070.004 for network denial of service attacks that exploit kernel-level networking flaws. Organizations should also implement monitoring for network queuing warnings and congestion signals to detect potential exploitation attempts or misconfigurations that could trigger similar conditions.

Responsible: Linux
Reservation: 04/16/2025
Disclosure: 09/11/2025
Moderation: accepted
CPE: ready
EPSS: 0.00168
KEV: no
Activities: very low
