Linux Kernel sch_cake qlen Accounting Inconsistency: NULL Deref Risk
CVE-2025-68325 Published on December 18, 2025
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In the Linux kernel, the following vulnerability has been resolved:
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Products Associated with CVE-2025-68325
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Linux Kernel. Just hit a watch button to start following.
Affected Versions
Linux:- Version de04ddd2980b48caa8d7e24a7db2742917a8b280 and below a3f4e3de41a3f115db35276c6b186ccbc913934a is affected.
- Version 0dacfc5372e314d1219f03e64dde3ab495a5a25e and below 38abf6e931b169ea88d7529b49096f53a5dcf8fe is affected.
- Version 710866fc0a64eafcb8bacd91bcb1329eb7e5035f and below fcb91be52eb6e92e00b533ebd7c77fecada537e1 is affected.
- Version aa12ee1c1bd260943fd6ab556d8635811c332eeb and below d01f0e072dadb02fe10f436b940dd957aff0d7d4 is affected.
- Version ff57186b2cc39766672c4c0332323933e5faaa88 and below 0b6216f9b3d1c33c76f74511026e5de5385ee520 is affected.
- Version 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and below 529c284cc2815c8350860e9a31722050fe7117cb is affected.
- Version 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and below 3ed6c458530a547ed0c9ea0b02b19bab620be88b is affected.
- Version 15de71d06a400f7fdc15bf377a2552b0ec437cf5 and below 9fefc78f7f02d71810776fdeb119a05a946a27cc is affected.
- Version 7689ab22de36f8db19095f6bdf11f28cfde92f5c is affected.
- Version 62d591dde4defb1333d202410609c4ddeae060b3 is affected.
- Version 6.17 is affected.
- Before 6.17 is unaffected.
- Version 5.10.248, <= 5.10.* is unaffected.
- Version 5.15.198, <= 5.15.* is unaffected.
- Version 6.1.160, <= 6.1.* is unaffected.
- Version 6.6.120, <= 6.6.* is unaffected.
- Version 6.12.63, <= 6.12.* is unaffected.
- Version 6.17.13, <= 6.17.* is unaffected.
- Version 6.18.2, <= 6.18.* is unaffected.
- Version 6.19, <= * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.