CVE-2025-21647 | sched: sch_cake: add bounds checks to host bulk flow fairness counts

In the Linux kernel, the following vulnerability has been resolved:

sched: sch_cake: add bounds checks to host bulk flow fairness counts

Even though we fixed a logic error in the commit cited below, syzbot still managed to trigger an underflow of the per-host bulk flow counters, leading to an out of bounds memory access. To avoid any such logic errors causing out of bounds memory accesses, this commit factors out all accesses to the per-host bulk flow counters to a series of helpers that perform bounds-checking before any increments and decrements. This also has the benefit of improving readability by moving the conditional checks for the flow mode into these helpers, instead of having them spread out throughout the code (which was the cause of the original logic error).

As part of this change, the flow quantum calculation is consolidated into a helper function, which means that the dithering applied to the host load scaling is now applied both in the DRR rotation and when a sparse flow's quantum is first initiated. The only user-visible effect of this is that the maximum packet size that can be sent while a flow stays sparse will now vary with +/- one byte in some cases. This should not make a noticeable difference in practice, and thus it's not worth complicating the code to preserve the old behaviour.
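The pattern the fix describes, as an added example that is not the kernel's sch_cake code (all names, flags and the CAKE_QUEUES ceiling are hypothetical simplifications): every increment or decrement of a per-host bulk flow counter goes through a helper that checks the flow mode and the bounds first, so an unpaired decrement can no longer wrap the unsigned counter, and the per-host quantum scaling lives in one helper instead of being duplicated at call sites.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical, simplified model of the fix; not the kernel's sch_cake code. */
#define CAKE_QUEUES   1024   /* ceiling for any per-host bulk flow count */
#define FLOW_DUAL_SRC 0x1    /* constructed flow-mode flag: per-source-host fairness */

struct host_stats {
    uint16_t srchost_bulk_flow_count;
};

struct cake_tin {
    unsigned int flow_mode;
    unsigned int flow_quantum;            /* base DRR quantum in bytes */
    struct host_stats hosts[CAKE_QUEUES];
};

/* Increment only when dual-src fairness is enabled and the count is below
 * CAKE_QUEUES; the flow-mode check lives here, not at every call site. */
static bool inc_srchost_bulk(struct cake_tin *q, unsigned int host)
{
    if (!(q->flow_mode & FLOW_DUAL_SRC) || host >= CAKE_QUEUES)
        return false;
    if (q->hosts[host].srchost_bulk_flow_count >= CAKE_QUEUES)
        return false;
    q->hosts[host].srchost_bulk_flow_count++;
    return true;
}

/* Decrement only when the count is positive: an unpaired decrement (the
 * underflow class described above) can no longer wrap a u16 to 65535. */
static bool dec_srchost_bulk(struct cake_tin *q, unsigned int host)
{
    if (!(q->flow_mode & FLOW_DUAL_SRC) || host >= CAKE_QUEUES)
        return false;
    if (q->hosts[host].srchost_bulk_flow_count == 0)
        return false;
    q->hosts[host].srchost_bulk_flow_count--;
    return true;
}

/* Consolidated quantum helper: scale the base quantum by the host's bulk
 * load (at least 1). The real fix's random dithering is omitted here. */
static unsigned int host_flow_quantum(const struct cake_tin *q, unsigned int host)
{
    unsigned int load = 1;
    if ((q->flow_mode & FLOW_DUAL_SRC) && host < CAKE_QUEUES && q->hosts[host].srchost_bulk_flow_count > load)
        load = q->hosts[host].srchost_bulk_flow_count;
    return q->flow_quantum / load;
}
```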

Published: 2025-01-19 Last update: 2026-05-12 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Conclusion & alert: CVE-2025-21647 is rated Low Risk (30.5/100): CVSS High severity, with low exploitation likelihood (EPSS 0.02%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.


Exploit prediction scoring system (EPSS) score for CVE-2025-21647

EPSS estimates, daily, the relative likelihood that a vulnerability will be exploited; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative likelihood of exploitation).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-02-27  0.06%           0.02%           -0.03%
2  2025-11-04  0.04%           0.06%           +0.02%
3  2025-09-27  -               0.04%           -

The full EPSS history holds 6 records; the three most recent changes are shown above.

Common vulnerability scoring system (CVSS) metrics for CVE-2025-21647


Base score: 7.1    Version: 3.1    Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 1.8    Impact: 5.2    Score source: [email protected]

Attack vector (AV:L): they already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): once they can reach the bug, pulling it off is straightforward; no weird race conditions or rare setup.
Privileges required (PR:L): a normal user session is enough; they don’t have to be admin.
User interaction (UI:N): nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): damage stays in the same “trust bubble” as the broken component; no big spill into unrelated systems.
Confidentiality (C:H): serious risk that confidential data gets exposed in a big way.
Integrity (I:N): data isn’t meaningfully altered or forged.
Availability (A:H): could take the service down hard or make it unusable for people who depend on it.

Weakness enumeration for CVE-2025-21647

GitHub Security Advisory for CVE-2025-21647

GHSA-j2g7-wj3p-j9c9 · Severity: high — In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: add bounds...

OS Trackers for CVE-2025-21647

Vendor   Priority          Summary and link
Debian   not yet assigned  2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. https://security-tracker.debian.org/tracker/CVE-2025-21647
Red Hat  medium            https://access.redhat.com/security/cve/CVE-2025-21647
SUSE     high              https://www.suse.com/security/cve/CVE-2025-21647/
Ubuntu   high              158 source packages (linux, linux-allwinner-5.19, …), 1551 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1145, released 188, ignored 147, not-affected 70, needed 1. https://ubuntu.com/security/CVE-2025-21647

Affected software / configurations for CVE-2025-21647

Vendor Product Version Raw CPE
linux linux_kernel >= 5.4.284, < 5.4.291 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.10.226, < 5.10.235 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 5.15.167, < 5.15.179 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.1.110, < 6.1.125 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.6.51, < 6.6.72 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.10.10, < 6.11 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel >= 6.11.1, < 6.12.10 cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linux linux_kernel 6.11 cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*
linux linux_kernel 6.11 cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*
linux linux_kernel 6.13 cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*

References for CVE-2025-21647

URL Tags
https://git.kernel.org/stable/c/27202e2e8721c3b23831563c36ed5ac7818641ba Patch
https://git.kernel.org/stable/c/44fe1efb4961c1a5ccab16bb579dfc6b308ad58b Patch
https://git.kernel.org/stable/c/737d4d91d35b5f7fa5bb442651472277318b0bfd Patch
https://git.kernel.org/stable/c/91bb18950b88f955838ec0c1d97f74d135756dc7 Patch
https://git.kernel.org/stable/c/a777e06dfc72bed73c05dcb437d7c27ad5f90f3f Patch
https://git.kernel.org/stable/c/b1a1743aaa4906c41c426eda97e2e2586f79246d Patch
https://git.kernel.org/stable/c/bb0245fa72b783cb23a9949c5048781341e91423 Patch
https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
https://cert-portal.siemens.com/productcert/html/ssa-503939.html