Security tracker / CVE-2025-39677

CVE-2025-39677

net/sched: Fix backlog accounting in qdisc_dequeue_internal

References

• Debian security tracker
• cve.org

Notes

 carnil> Introduced in 2d3cbfd6d54a ("net_sched: Flush gso_skb list too during
 carnil> ->change()")
 carnil> 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
 carnil> 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc"). Vulnerable
 carnil> versions: 3.5.

Bugs

Status

Branch	Status
upstream	released (6.17-rc3) [52bf272636bda69587952b35ae97690b8dc89941]
6.18-upstream-stable	N/A "Fixed before branching point"
6.17-upstream-stable	N/A "Fixed before branching point"
6.16-upstream-stable	released (6.16.4) [a225f44d84b8900d679c5f5a9ea46fe9c0cc7802]
6.12-upstream-stable	needed
6.6-upstream-stable	needed
6.1-upstream-stable	needed
5.10-upstream-stable	needed
sid	released (6.16.5-1)
6.12-trixie-security	needed
6.1-bookworm-security	needed
5.10-bullseye-security	needed