CVE-2025-39677: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-39677 is a recently discovered vulnerability in the Linux kernel affecting the backlog accounting in qdiscdequeueinternal. The issue was disclosed on September 5, 2025, and specifically impacts several qdisc implementations including hhf, fq, fqcodel, and fqpie, particularly in their change handlers when adjusting to new limits (NVD).

The vulnerability occurs when a tbf parent runs out of tokens, causing skbs of affected qdiscs to be placed in gsoskb. While peek handlers (qdiscpeekdequeued) account for both qlen and backlog, qdiscdequeueinternal only accounts for qlen when pulling from gsoskb. This results in missing qdiscqstatsbacklog_dec operations when dropping packets to satisfy new limits in change handlers. The issue manifests as an underflow in the tbf parent's backlog, showing 4096 Mb instead of 0. Red Hat has assigned this vulnerability a CVSS v3.1 score of 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Red Hat).

The vulnerability affects multiple versions of Red Hat Enterprise Linux (RHEL) including versions 7, 8, 9, and 10, along with their respective kernel-rt variants. The issue can lead to incorrect backlog accounting in network scheduling, potentially affecting network traffic management and quality of service implementations (Red Hat).

A fix has been implemented by simplifying the codepath for all clients of qdiscdequeueinternal, including codel, pie, hhf, fq, fqpie, and fqcodel. The solution ensures that qdiscdequeueinternal handles backlog adjustments for all cases that do not directly use the dequeue handler (NVD).