{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-23138","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-01-11T14:28:41.511Z","datePublished":"2025-04-16T14:13:17.866Z","dateUpdated":"2026-05-11T21:13:42.215Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:13:42.215Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: fix pipe accounting mismatch\n\nCurrently, watch_queue_set_size() modifies the pipe buffers charged to\nuser->pipe_bufs without updating the pipe->nr_accounted on the pipe\nitself, due to the if (!pipe_has_watch_queue()) test in\npipe_resize_ring(). This means that when the pipe is ultimately freed,\nwe decrement user->pipe_bufs by something other than what than we had\ncharged to it, potentially leading to an underflow. This in turn can\ncause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.\n\nTo remedy this, explicitly account for the pipe usage in\nwatch_queue_set_size() to match the number set via account_pipe_buffers()\n\n(It's unclear why watch_queue_set_size() does not update nr_accounted;\nit may be due to intentional overprovisioning in watch_queue_set_size()?)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/watch_queue.c"],"versions":[{"version":"162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8","lessThan":"8658c75343ed00e5e154ebbe24335f51ba8db547","status":"affected","versionType":"git"},{"version":"3efbd114b91525bb095b8ae046382197d92126b9","lessThan":"471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284","status":"affected","versionType":"git"},{"version":"b87a1229d8668fbc78ebd9ca0fc797a76001c60f","lessThan":"d40e3537265dea9e3c33021874437ff26dc18787","status":"affected","versionType":"git"},{"version":"68e51bdb1194f11d3452525b99c98aff6f837b24","lessThan":"6dafa27764183738dc5368b669b71e3d0d154f12","status":"affected","versionType":"git"},{"version":"e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","lessThan":"56ec918e6c86c1536870e4373e91eddd0c44245f","status":"affected","versionType":"git"},{"version":"e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","lessThan":"2d680b988656bb556c863d8b46d9b9096842bf3d","status":"affected","versionType":"git"},{"version":"e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","lessThan":"205028ebba838938d3b264dda1d0708fa7fe1ade","status":"affected","versionType":"git"},{"version":"e95aada4cb93d42e25c30a0ef9eb2923d9711d4a","lessThan":"f13abc1e8e1a3b7455511c4e122750127f6bc9b0","status":"affected","versionType":"git"},{"version":"6fb70694f8d1ac34e45246b0ac988f025e1e5b55","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/watch_queue.c"],"versions":[{"version":"6.8","status":"affected"},{"version":"0","lessThan":"6.8","status":"unaffected","versionType":"semver"},{"version":"5.10.236","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.180","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.134","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.87","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.23","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.11","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14.2","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.210","versionEndExcluding":"5.10.236"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.149","versionEndExcluding":"5.15.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.76","versionEndExcluding":"6.1.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.15","versionEndExcluding":"6.6.87"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.13.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.14.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547"},{"url":"https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284"},{"url":"https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787"},{"url":"https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12"},{"url":"https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f"},{"url":"https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d"},{"url":"https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade"},{"url":"https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0"}],"title":"watch_queue: fix pipe accounting mismatch","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:42:22.845Z"}}]}}