{"id":"CVE-2025-23138","summary":"watch_queue: fix pipe accounting mismatch","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: fix pipe accounting mismatch\n\nCurrently, watch_queue_set_size() modifies the pipe buffers charged to\nuser-\u003epipe_bufs without updating the pipe-\u003enr_accounted on the pipe\nitself, due to the if (!pipe_has_watch_queue()) test in\npipe_resize_ring(). This means that when the pipe is ultimately freed,\nwe decrement user-\u003epipe_bufs by something other than what than we had\ncharged to it, potentially leading to an underflow. This in turn can\ncause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.\n\nTo remedy this, explicitly account for the pipe usage in\nwatch_queue_set_size() to match the number set via account_pipe_buffers()\n\n(It's unclear why watch_queue_set_size() does not update nr_accounted;\nit may be due to intentional overprovisioning in watch_queue_set_size()?)","modified":"2026-04-16T04:40:08.773859884Z","published":"2025-04-16T14:13:17.866Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01620-1","SUSE-SU-2025:01640-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01918-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:01972-1","SUSE-SU-2025:02262-1","SUSE-SU-2025:20343-1","SUSE-SU-2025:20344-1","SUSE-SU-2025:20354-1","SUSE-SU-2025:20355-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23138.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284"},{"type":"WEB","url":"https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23138.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-23138"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8"},{"fixed":"8658c75343ed00e5e154ebbe24335f51ba8db547"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3efbd114b91525bb095b8ae046382197d92126b9"},{"fixed":"471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b87a1229d8668fbc78ebd9ca0fc797a76001c60f"},{"fixed":"d40e3537265dea9e3c33021874437ff26dc18787"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"68e51bdb1194f11d3452525b99c98aff6f837b24"},{"fixed":"6dafa27764183738dc5368b669b71e3d0d154f12"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"e95aada4cb93d42e25c30a0ef9eb2923d9711d4a"},{"fixed":"56ec918e6c86c1536870e4373e91eddd0c44245f"},{"fixed":"2d680b988656bb556c863d8b46d9b9096842bf3d"},{"fixed":"205028ebba838938d3b264dda1d0708fa7fe1ade"},{"fixed":"f13abc1e8e1a3b7455511c4e122750127f6bc9b0"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"6fb70694f8d1ac34e45246b0ac988f025e1e5b55"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23138.json"}}],"schema_version":"1.7.5"}