CVE-2025-68325

EIP tracks 2 public exploits for CVE-2025-68325. PoCs published by adminlove520, n132.

AI-analyzed exploit summary The repository contains a functional proof-of-concept exploit for CVE-2025-68325, a null-dereference vulnerability in the Linux kernel's sch_cake module. The exploit script (`tc_poc.sh`) configures a qfq and cake qdisc to trigger the vulnerability, while the README provides a detailed patch analysis and root cause explanation.

In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes that the parent qdisc will enqueue the current packet. However, this assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent qdisc stops enqueuing current packet, leaving the tree qlen/backlog accounting inconsistent. This mismatch can lead to a NULL dereference (e.g., when the parent Qdisc is qfq_qdisc). This patch computes the qlen/backlog delta in a more robust way by observing the difference before and after the series of cake_drop() calls, and then compensates the qdisc tree accounting if cake_enqueue() returns NET_XMIT_CN. To ensure correct compensation when ACK thinning is enabled, a new variable is introduced to keep qlen unchanged.