In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.
Conclusion & alert: CVE-2025-68325 is rated Low Risk (7.9/100): low exploitation likelihood (EPSS 0.18%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.07% | 0.18% | +0.11% |
| 2 | 2026-05-28 | 0.05% | 0.07% | +0.02% |
| 3 | 2026-05-17 | — | 0.05% | — |
Full EPSS history (5 records total)
CVSS metrics for this CVE.
No CVSS data in dataset for this CVE.
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-68325 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6. | https://security-tracker.debian.org/tracker/CVE-2025-68325 |
redhat
|
— | — | https://access.redhat.com/security/cve/CVE-2025-68325 |
suse
|
medium | CVE-2025-68325 severity moderate: SUSE including 392 source package names (13.2-9.1:libsqlite3-0-3.49.1-1.1, 2.1.3-6.115:kernel-default-base-6.4.0-39.1.21.16, …), 734 product×package rows across 98 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (98 product lines)): Fixed 283, Known Affected 231, Known Not Affected 195, First Fixed 25. | https://www.suse.com/security/cve/CVE-2025-68325/ |
ubuntu
|
medium | CVE-2025-68325 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 172, released 148, not-affected 58, pending 14, needed 3. | https://ubuntu.com/security/CVE-2025-68325 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | >= 5.10.241, < 5.10.248 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.15.190, < 5.15.198 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.1.149, < 6.1.160 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.6.103, < 6.6.120 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.12.44, < 6.12.63 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.17, < 6.17.13 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.17, < 6.18.2 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.17, < 6.19 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 5.4.297 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | >= 6.16.4 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |