{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-68325","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-12-16T14:48:05.296Z","datePublished":"2025-12-18T15:02:50.214Z","dateUpdated":"2026-05-11T21:50:59.457Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:50:59.457Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_cake: Fix incorrect qlen reduction in cake_drop\n\nIn cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen\nand backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes\nthat the parent qdisc will enqueue the current packet. However, this\nassumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent\nqdisc stops enqueuing current packet, leaving the tree qlen/backlog\naccounting inconsistent. This mismatch can lead to a NULL dereference\n(e.g., when the parent Qdisc is qfq_qdisc).\n\nThis patch computes the qlen/backlog delta in a more robust way by\nobserving the difference before and after the series of cake_drop()\ncalls, and then compensates the qdisc tree accounting if cake_enqueue()\nreturns NET_XMIT_CN.\n\nTo ensure correct compensation when ACK thinning is enabled, a new\nvariable is introduced to keep qlen unchanged."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_cake.c"],"versions":[{"version":"de04ddd2980b48caa8d7e24a7db2742917a8b280","lessThan":"a3f4e3de41a3f115db35276c6b186ccbc913934a","status":"affected","versionType":"git"},{"version":"0dacfc5372e314d1219f03e64dde3ab495a5a25e","lessThan":"38abf6e931b169ea88d7529b49096f53a5dcf8fe","status":"affected","versionType":"git"},{"version":"710866fc0a64eafcb8bacd91bcb1329eb7e5035f","lessThan":"fcb91be52eb6e92e00b533ebd7c77fecada537e1","status":"affected","versionType":"git"},{"version":"aa12ee1c1bd260943fd6ab556d8635811c332eeb","lessThan":"d01f0e072dadb02fe10f436b940dd957aff0d7d4","status":"affected","versionType":"git"},{"version":"ff57186b2cc39766672c4c0332323933e5faaa88","lessThan":"0b6216f9b3d1c33c76f74511026e5de5385ee520","status":"affected","versionType":"git"},{"version":"15de71d06a400f7fdc15bf377a2552b0ec437cf5","lessThan":"529c284cc2815c8350860e9a31722050fe7117cb","status":"affected","versionType":"git"},{"version":"15de71d06a400f7fdc15bf377a2552b0ec437cf5","lessThan":"3ed6c458530a547ed0c9ea0b02b19bab620be88b","status":"affected","versionType":"git"},{"version":"15de71d06a400f7fdc15bf377a2552b0ec437cf5","lessThan":"9fefc78f7f02d71810776fdeb119a05a946a27cc","status":"affected","versionType":"git"},{"version":"7689ab22de36f8db19095f6bdf11f28cfde92f5c","status":"affected","versionType":"git"},{"version":"62d591dde4defb1333d202410609c4ddeae060b3","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/sched/sch_cake.c"],"versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","status":"unaffected","versionType":"semver"},{"version":"5.10.248","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.160","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.63","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.17.13","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18.2","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.241","versionEndExcluding":"5.10.248"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.190","versionEndExcluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.149","versionEndExcluding":"6.1.160"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.103","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.44","versionEndExcluding":"6.12.63"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.17.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.18.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.297"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16.4"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a3f4e3de41a3f115db35276c6b186ccbc913934a"},{"url":"https://git.kernel.org/stable/c/38abf6e931b169ea88d7529b49096f53a5dcf8fe"},{"url":"https://git.kernel.org/stable/c/fcb91be52eb6e92e00b533ebd7c77fecada537e1"},{"url":"https://git.kernel.org/stable/c/d01f0e072dadb02fe10f436b940dd957aff0d7d4"},{"url":"https://git.kernel.org/stable/c/0b6216f9b3d1c33c76f74511026e5de5385ee520"},{"url":"https://git.kernel.org/stable/c/529c284cc2815c8350860e9a31722050fe7117cb"},{"url":"https://git.kernel.org/stable/c/3ed6c458530a547ed0c9ea0b02b19bab620be88b"},{"url":"https://git.kernel.org/stable/c/9fefc78f7f02d71810776fdeb119a05a946a27cc"}],"title":"net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop","x_generator":{"engine":"bippy-1.2.0"}}}}