CVE-2025-39766: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
In the Linux kernel, the following vulnerability has been resolved:
net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
The following setup can trigger a WARNING in htb_activate due to
the condition: !cl->leaf.q->q.qlen
tc qdisc del dev lo root
tc qdisc add dev lo root handle 1: htb default 1
tc class add dev lo parent 1: classid 1:1 \
htb rate 64bit
tc qdisc add dev lo parent 1:1 handle f: \
cake memlimit 1b
ping -I lo -f -c1 -s64 -W0.001 127.0.0.1
This is because the low memlimit leads to a low buffer_limit, which
causes packet dropping. However, cake_enqueue still returns
NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an
empty child qdisc. We should return NET_XMIT_CN when packets are
dropped from the same tin and flow.
I do not believe return value of NET_XMIT_CN is necessary for packet
drops in the case of ack filtering, as that is meant to optimize
performance, not to signal congestion.
Security readout for executives and security teams
Plain-English summary
CVE-2025-39766 is a Linux kernel traffic-control bug in the CAKE queueing discipline when used with HTB. Under an unusually low memory limit, CAKE can drop packets but report success, leaving HTB to activate an empty queue and trigger a kernel warning. The sources do not show active exploitation or business-impact severity.
Executive priority
Treat as routine kernel maintenance unless your environment relies heavily on Linux traffic shaping or affected appliances. There is no sourced evidence of active exploitation, but kernel warnings in network scheduling code justify timely patching through normal OS update cycles.
Technical view
The issue is in net/sched: cake_enqueue returned NET_XMIT_SUCCESS after drops caused by a low buffer_limit. HTB then called htb_activate even though the child qdisc had no queued packets, hitting a warning condition. Stable kernel commits change CAKE to return NET_XMIT_CN for same-tin and same-flow drops.
Likely exposure
Exposure appears limited to Linux systems using traffic control with HTB and CAKE qdiscs, especially configurations with very low CAKE memlimit values. The CVE record lists affected Linux kernel lines including 4.19 through 6.17-era branches, but version-range detail is incomplete in the provided bundle.
Exploitation context
The source bundle includes a local reproduction scenario but no public exploitation claim. KEV status is false. Evidence supports a kernel warning caused by specific local traffic-control configuration behavior, not confirmed remote exploitation or privilege escalation.
Researcher notes
The core behavior is a return-code mismatch after CAKE drops packets due to buffer limits. Public sources identify stable kernel commits and Debian advisories, but do not provide CVSS, CWE, complete exploitability analysis, or confirmed security impact beyond the warning path.
Mitigation direction
Apply the relevant Linux stable kernel update containing the CAKE return-value fix.
Review Debian LTS advisories if running Debian-packaged kernels.
Check Siemens guidance for affected Siemens products before applying product-specific updates.
Avoid unusually low CAKE memlimit configurations where operationally possible.
Monitor vendor kernel advisories for corrected affected-version ranges.
Validation and detection
Inventory hosts using Linux traffic control with HTB and CAKE qdiscs.
Compare running kernel versions against vendor-fixed kernel releases.
Check distribution security advisories for CVE-2025-39766 coverage.
Review kernel logs for related HTB or CAKE warning events.
Confirm appliances inherit fixes from their vendor firmware or kernel package.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-39766 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
3ADP providers
12Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Sep 11, 2025, 16:56 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.