CVE-2025-39766

EUVD-2025-28946

11.09.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen

tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
       htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
       cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1

This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.

I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
siemens-SADP	ADP	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.19 ≤ 𝑥 < 5.4.297
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.241
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.190
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.149
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.103
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.44
linux	linux_kernel	6.13 ≤ 𝑥 < 6.16.4
linux	linux_kernel	6.17:rc1
linux	linux_kernel	6.17:rc2
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
Siemens	SIMATIC CN 4100	𝑥 < V5.0	ADP
siemens	simatic_cn_4100	𝑥 < 5.0	ADP

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

linux-6.1

bullseye (security)

6.1.172-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-default

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-default-base

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1.150600.12.32.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1.150600.12.32.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1.150600.12.32.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1.150700.17.13.1 fixed

kernel-docs

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-macros

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-source

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-source-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-syms

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.19.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.73.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.19.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-doc

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-debug-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-64k-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-tools

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-uki-virt-addons

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

libperf

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

perf

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

python3-perf

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

rtla

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

RHEL 9

0:5.14.0-611.49.1.el9_7

fixed

References

https://git.kernel.org/stable/c/0dacfc5372e314d1219f03e64dde3ab495a5a25e

https://git.kernel.org/stable/c/15de71d06a400f7fdc15bf377a2552b0ec437cf5

https://git.kernel.org/stable/c/62d591dde4defb1333d202410609c4ddeae060b3

https://git.kernel.org/stable/c/710866fc0a64eafcb8bacd91bcb1329eb7e5035f

https://git.kernel.org/stable/c/7689ab22de36f8db19095f6bdf11f28cfde92f5c

https://git.kernel.org/stable/c/aa12ee1c1bd260943fd6ab556d8635811c332eeb

https://git.kernel.org/stable/c/de04ddd2980b48caa8d7e24a7db2742917a8b280

https://git.kernel.org/stable/c/ff57186b2cc39766672c4c0332323933e5faaa88

https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html

https://cert-portal.siemens.com/productcert/html/ssa-032379.html