LiveActive security incident?Get immediate response
CVE Record

CVE-2025-39766: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

In the Linux kernel, the following vulnerability has been resolved: net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit The following setup can trigger a WARNING in htb_activate due to the condition: !cl->leaf.q->q.qlen tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 \ htb rate 64bit tc qdisc add dev lo parent 1:1 handle f: \ cake memlimit 1b ping -I lo -f -c1 -s64 -W0.001 127.0.0.1 This is because the low memlimit leads to a low buffer_limit, which causes packet dropping. However, cake_enqueue still returns NET_XMIT_SUCCESS, causing htb_enqueue to call htb_activate with an empty child qdisc. We should return NET_XMIT_CN when packets are dropped from the same tin and flow. I do not believe return value of NET_XMIT_CN is necessary for packet drops in the case of ack filtering, as that is meant to optimize performance, not to signal congestion.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

CVE-2025-39766 is a Linux kernel traffic-control bug in the CAKE queueing discipline when used with HTB. Under an unusually low memory limit, CAKE can drop packets but report success, leaving HTB to activate an empty queue and trigger a kernel warning. The sources do not show active exploitation or business-impact severity.

Executive priority

Treat as routine kernel maintenance unless your environment relies heavily on Linux traffic shaping or affected appliances. There is no sourced evidence of active exploitation, but kernel warnings in network scheduling code justify timely patching through normal OS update cycles.

Technical view

The issue is in net/sched: cake_enqueue returned NET_XMIT_SUCCESS after drops caused by a low buffer_limit. HTB then called htb_activate even though the child qdisc had no queued packets, hitting a warning condition. Stable kernel commits change CAKE to return NET_XMIT_CN for same-tin and same-flow drops.

Likely exposure

Exposure appears limited to Linux systems using traffic control with HTB and CAKE qdiscs, especially configurations with very low CAKE memlimit values. The CVE record lists affected Linux kernel lines including 4.19 through 6.17-era branches, but version-range detail is incomplete in the provided bundle.

Exploitation context

The source bundle includes a local reproduction scenario but no public exploitation claim. KEV status is false. Evidence supports a kernel warning caused by specific local traffic-control configuration behavior, not confirmed remote exploitation or privilege escalation.

Researcher notes

The core behavior is a return-code mismatch after CAKE drops packets due to buffer limits. Public sources identify stable kernel commits and Debian advisories, but do not provide CVSS, CWE, complete exploitability analysis, or confirmed security impact beyond the warning path.

Mitigation direction

  • Apply the relevant Linux stable kernel update containing the CAKE return-value fix.
  • Review Debian LTS advisories if running Debian-packaged kernels.
  • Check Siemens guidance for affected Siemens products before applying product-specific updates.
  • Avoid unusually low CAKE memlimit configurations where operationally possible.
  • Monitor vendor kernel advisories for corrected affected-version ranges.

Validation and detection

  • Inventory hosts using Linux traffic control with HTB and CAKE qdiscs.
  • Compare running kernel versions against vendor-fixed kernel releases.
  • Check distribution security advisories for CVE-2025-39766 coverage.
  • Review kernel logs for related HTB or CAKE warning events.
  • Confirm appliances inherit fixes from their vendor firmware or kernel package.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-39766 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
3ADP providers
12Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
siemens-SADPADP container
CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602b, 046f6fd5daefac7f5abdafb436b30f63bc7c602bunaffected
LinuxLinux4.19, 0, 5.4.297, 5.10.241, 5.15.190, 6.1.149, 6.6.103, 6.12.44, 6.16.4, 6.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.