CVE-2025-23138

watch_queue: fix pipe accounting mismatch

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to
user->pipe_bufs without updating the pipe->nr_accounted on the pipe
itself, due to the if (!pipe_has_watch_queue()) test in
pipe_resize_ring(). This means that when the pipe is ultimately freed,
we decrement user->pipe_bufs by something other than what than we had
charged to it, potentially leading to an underflow. This in turn can
cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in
watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted;
it may be due to intentional overprovisioning in watch_queue_set_size()?)

In the Linux kernel, the following vulnerability has been resolved: watch_queue: fix pipe accounting mismatch Currently, watch_queue_set_size() modifies the pipe buffers charged to user->pipe_bufs without updating the pipe->nr_accounted on the pipe itself, due to the if (!pipe_has_watch_queue()) test in pipe_resize_ring(). This means that when the pipe is ultimately freed, we decrement user->pipe_bufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM. To remedy this, explicitly account for the pipe usage in watch_queue_set_size() to match the number set via account_pipe_buffers() (It's unclear why watch_queue_set_size() does not update nr_accounted; it may be due to intentional overprovisioning in watch_queue_set_size()?)

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-01-11 CVE Reserved
2025-04-16 CVE Published
2025-04-16 CVE Updated
2025-04-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/162ae0e78bdabf84ef10c1293c4ed7865cb7d3c8	Vuln. Introduced
https://git.kernel.org/stable/c/3efbd114b91525bb095b8ae046382197d92126b9	Vuln. Introduced
https://git.kernel.org/stable/c/b87a1229d8668fbc78ebd9ca0fc797a76001c60f	Vuln. Introduced
https://git.kernel.org/stable/c/68e51bdb1194f11d3452525b99c98aff6f837b24	Vuln. Introduced
https://git.kernel.org/stable/c/e95aada4cb93d42e25c30a0ef9eb2923d9711d4a	Vuln. Introduced
https://git.kernel.org/stable/c/6fb70694f8d1ac34e45246b0ac988f025e1e5b55	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/8658c75343ed00e5e154ebbe24335f51ba8db547	2025-04-10
https://git.kernel.org/stable/c/471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284	2025-04-10
https://git.kernel.org/stable/c/d40e3537265dea9e3c33021874437ff26dc18787	2025-04-10
https://git.kernel.org/stable/c/6dafa27764183738dc5368b669b71e3d0d154f12	2025-04-10
https://git.kernel.org/stable/c/56ec918e6c86c1536870e4373e91eddd0c44245f	2025-04-10
https://git.kernel.org/stable/c/2d680b988656bb556c863d8b46d9b9096842bf3d	2025-04-10
https://git.kernel.org/stable/c/205028ebba838938d3b264dda1d0708fa7fe1ade	2025-04-10
https://git.kernel.org/stable/c/f13abc1e8e1a3b7455511c4e122750127f6bc9b0	2025-03-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.210 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.210 < 5.10.236"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.149 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.149 < 5.15.180"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.76 < 6.1.134 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.76 < 6.1.134"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.15 < 6.6.87 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.15 < 6.6.87"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.12.23 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.12.23"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.13.11 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.13.11"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.14.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.14.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.8 < 6.15-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.8 < 6.15-rc1"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.7.3 Search vendor "Linux" for product "Linux Kernel" and version "6.7.3"		en		Affected