In the Linux kernel, the following vulnerability has been resolved:
watch_queue: fix pipe accounting mismatch
Currently, watchqueuesetsize() modifies the pipe buffers charged to user->pipebufs without updating the pipe->nraccounted on the pipe itself, due to the if (!pipehaswatchqueue()) test in piperesizering(). This means that when the pipe is ultimately freed, we decrement user->pipebufs by something other than what than we had charged to it, potentially leading to an underflow. This in turn can cause subsequent toomanypipebuffers_soft() tests to fail with -EPERM.
To remedy this, explicitly account for the pipe usage in watchqueuesetsize() to match the number set via accountpipe_buffers()
(It's unclear why watchqueuesetsize() does not update nraccounted; it may be due to intentional overprovisioning in watchqueueset_size()?)
[
{
"id": "CVE-2025-23138-0c903e4a",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56ec918e6c86c1536870e4373e91eddd0c44245f",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"288837079981139119816072797661744786827",
"41575730070958943257187628142249166370"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-24de24b1",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d40e3537265dea9e3c33021874437ff26dc18787",
"digest": {
"length": 1336.0,
"function_hash": "125894456176355259660939713610253191495"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-2bc6a47d",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d680b988656bb556c863d8b46d9b9096842bf3d",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"288837079981139119816072797661744786827",
"41575730070958943257187628142249166370"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-2ff55e3f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56ec918e6c86c1536870e4373e91eddd0c44245f",
"digest": {
"length": 1336.0,
"function_hash": "47749958323428331126305369504743213807"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-42166485",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f13abc1e8e1a3b7455511c4e122750127f6bc9b0",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"288837079981139119816072797661744786827",
"41575730070958943257187628142249166370"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-442d8584",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2d680b988656bb556c863d8b46d9b9096842bf3d",
"digest": {
"length": 1336.0,
"function_hash": "47749958323428331126305369504743213807"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-4ffc1028",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@205028ebba838938d3b264dda1d0708fa7fe1ade",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"288837079981139119816072797661744786827",
"41575730070958943257187628142249166370"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-56d024c9",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8658c75343ed00e5e154ebbe24335f51ba8db547",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"242196393148124787415534445833538046181",
"68497213264677412567400300711536063887"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-59aaf3ac",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@205028ebba838938d3b264dda1d0708fa7fe1ade",
"digest": {
"length": 1338.0,
"function_hash": "326754150403765975585929789803899268871"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-7697f0d2",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d40e3537265dea9e3c33021874437ff26dc18787",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"242196393148124787415534445833538046181",
"68497213264677412567400300711536063887"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-80abdb09",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8658c75343ed00e5e154ebbe24335f51ba8db547",
"digest": {
"length": 1449.0,
"function_hash": "4904476069016954265013156404183086351"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-9045ac46",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f13abc1e8e1a3b7455511c4e122750127f6bc9b0",
"digest": {
"length": 1338.0,
"function_hash": "326754150403765975585929789803899268871"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-a362f6d8",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6dafa27764183738dc5368b669b71e3d0d154f12",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"242196393148124787415534445833538046181",
"68497213264677412567400300711536063887"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-a3fa27d0",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284",
"digest": {
"line_hashes": [
"261882657925272258987119980819757084968",
"242196393148124787415534445833538046181",
"68497213264677412567400300711536063887"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-df566e3f",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@471c89b7d4f58bd6082f7c1fe14d4ca15c7f1284",
"digest": {
"length": 1449.0,
"function_hash": "4904476069016954265013156404183086351"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
},
{
"id": "CVE-2025-23138-f90cb356",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6dafa27764183738dc5368b669b71e3d0d154f12",
"digest": {
"length": 1336.0,
"function_hash": "125894456176355259660939713610253191495"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"function": "watch_queue_set_size",
"file": "kernel/watch_queue.c"
}
}
]