{"id":"CVE-2025-39766","summary":"net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit\n\nThe following setup can trigger a WARNING in htb_activate due to\nthe condition: !cl-\u003eleaf.q-\u003eq.qlen\n\ntc qdisc del dev lo root\ntc qdisc add dev lo root handle 1: htb default 1\ntc class add dev lo parent 1: classid 1:1 \\\n       htb rate 64bit\ntc qdisc add dev lo parent 1:1 handle f: \\\n       cake memlimit 1b\nping -I lo -f -c1 -s64 -W0.001 127.0.0.1\n\nThis is because the low memlimit leads to a low buffer_limit, which\ncauses packet dropping. However, cake_enqueue still returns\nNET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an\nempty child qdisc. We should return NET_XMIT_CN when packets are\ndropped from the same tin and flow.\n\nI do not believe return value of NET_XMIT_CN is necessary for packet\ndrops in the case of ack filtering, as that is meant to optimize\nperformance, not to signal congestion.","modified":"2026-04-02T12:48:08.941968Z","published":"2025-09-11T16:56:21.514Z","related":["SUSE-SU-2025:03600-1","SUSE-SU-2025:03601-1","SUSE-SU-2025:03633-1","SUSE-SU-2025:03634-1","SUSE-SU-2025:20851-1","SUSE-SU-2025:20861-1","SUSE-SU-2025:20870-1","SUSE-SU-2025:20898-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","SUSE-SU-2025:3725-1","SUSE-SU-2025:3751-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39766.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0dacfc5372e314d1219f03e64dde3ab495a5a25e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/15de71d06a400f7fdc15bf377a2552b0ec437cf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/62d591dde4defb1333d202410609c4ddeae060b3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/710866fc0a64eafcb8bacd91bcb1329eb7e5035f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7689ab22de36f8db19095f6bdf11f28cfde92f5c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa12ee1c1bd260943fd6ab556d8635811c332eeb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/de04ddd2980b48caa8d7e24a7db2742917a8b280"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ff57186b2cc39766672c4c0332323933e5faaa88"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39766.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39766"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"046f6fd5daefac7f5abdafb436b30f63bc7c602b"},{"fixed":"7689ab22de36f8db19095f6bdf11f28cfde92f5c"},{"fixed":"de04ddd2980b48caa8d7e24a7db2742917a8b280"},{"fixed":"0dacfc5372e314d1219f03e64dde3ab495a5a25e"},{"fixed":"710866fc0a64eafcb8bacd91bcb1329eb7e5035f"},{"fixed":"aa12ee1c1bd260943fd6ab556d8635811c332eeb"},{"fixed":"ff57186b2cc39766672c4c0332323933e5faaa88"},{"fixed":"62d591dde4defb1333d202410609c4ddeae060b3"},{"fixed":"15de71d06a400f7fdc15bf377a2552b0ec437cf5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39766.json"}}],"schema_version":"1.7.5"}