CVE-2025-23138

Severity: Medium · CVSS 3.1 score 5.5 · EPSS 5.9%
Published Apr 16, 2025 · Last Modified Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

watch_queue: fix pipe accounting mismatch

Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.

To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers().

(It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability
5.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products 8

Vendor | Product | Version | Range
linux | linux_kernel | * | ≥5.10.210 – <5.10.236
linux | linux_kernel | * | ≥5.15.149 – <5.15.180
linux | linux_kernel | * | ≥6.1.76 – <6.1.134
linux | linux_kernel | * | ≥6.6.15 – <6.6.87
linux | linux_kernel | * | ≥6.7.3 – <6.12.23
linux | linux_kernel | * | ≥6.13 – <6.13.11
linux | linux_kernel | * | ≥6.14 – <6.14.2
debian | debian_linux | 11.0 | any

References 10

  • git.kernel.org https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
    Mailing List
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
    Mailing List

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0
    Patch