CVE-2025-68779 Overview
A use-after-free vulnerability has been identified in the Linux kernel's Mellanox mlx5e network driver. The flaw occurs when the Platform Security Processor (PSP) component is unregistered twice during device removal, leading to a reference count underflow. This double unregistration happens through two separate code paths: _mlx5e_remove calling mlx5e_psp_unregister and mlx5e_nic_cleanup also calling mlx5e_psp_unregister.
Critical Impact
This vulnerability can trigger a refcount underflow condition leading to a use-after-free scenario, potentially causing system instability, kernel panics, or in certain scenarios, could be leveraged for privilege escalation on systems utilizing Mellanox ConnectX network adapters.
Affected Products
- Linux kernel with mlx5_core driver module
- Systems utilizing Mellanox/NVIDIA ConnectX network adapters
- Linux distributions with affected kernel versions containing the mlx5e driver
Discovery Timeline
- 2026-01-13 - CVE CVE-2025-68779 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68779
Vulnerability Analysis
This vulnerability manifests in the mlx5e network driver's device cleanup routine. The core issue stems from improper resource management during driver removal operations. When a Mellanox network device is being removed from the system, the PSP (Platform Security Processor) unregistration function is invoked from two distinct code paths simultaneously.
The first invocation occurs through the _mlx5e_remove function, which directly calls mlx5e_psp_unregister. The second invocation happens when mlx5e_nic_cleanup is called as part of the profile cleanup process, which also attempts to unregister the PSP component. This double unregistration causes the internal reference counter to decrement below zero, triggering a kernel warning about refcount underflow.
The kernel stack trace reveals the problematic execution path traversing through the auxiliary bus subsystem, device driver release mechanisms, and ultimately the mlx5 driver rescanning routines. This indicates the issue can be triggered during dynamic device hot-removal scenarios or driver unload operations.
Root Cause
The root cause is a design flaw in the driver's cleanup logic where the PSP unregistration responsibility was not clearly delineated between the direct removal path and the profile cleanup path. The mlx5e_psp_unregister function was being called redundantly without proper guard checks to prevent multiple invocations. The fix consolidates PSP cleanup to occur exclusively as part of the profile cleanup process, removing the direct call from _mlx5e_remove.
Attack Vector
The attack vector for this vulnerability is local and requires the ability to trigger device removal or driver unload operations. An attacker with local access could potentially trigger this condition by:
- Initiating device hot-removal procedures for Mellanox network adapters
- Unloading and reloading the mlx5_core kernel module
- Triggering driver rescanning operations through the auxiliary bus subsystem
The vulnerability occurs during specific timing windows in the device removal process. While exploitation for privilege escalation would require sophisticated race condition manipulation, the immediate impact is system instability and potential denial of service through kernel crashes.
Detection Methods for CVE-2025-68779
Indicators of Compromise
- Kernel warning messages containing refcount_t: underflow; use-after-free in system logs
- Stack traces in dmesg referencing mlx5e_psp_unregister and mlx5e_nic_cleanup functions
- Unexpected kernel panics or system reboots on systems with Mellanox network adapters
- Audit log entries showing repeated driver removal/reload operations targeting mlx5_core
Detection Strategies
- Monitor kernel logs for refcount underflow warnings using tools like journalctl or syslog aggregation
- Implement kernel module load/unload auditing to detect suspicious driver manipulation
- Deploy runtime kernel integrity monitoring to detect anomalous mlx5_core module behavior
- Configure alerting on system crash dumps containing mlx5e driver references
Monitoring Recommendations
- Enable kernel oops reporting and configure crash dump collection for forensic analysis
- Monitor /var/log/kern.log and /var/log/messages for mlx5-related warning patterns
- Implement SNMP or syslog forwarding for centralized kernel event monitoring
- Configure SentinelOne to alert on kernel-level memory corruption indicators
How to Mitigate CVE-2025-68779
Immediate Actions Required
- Update to a patched Linux kernel version containing the fix commits
- Restrict local access to systems with Mellanox network adapters to authorized personnel only
- Avoid driver reload operations on production systems until patched
- Consider temporarily disabling hot-plug functionality for Mellanox devices if possible
Patch Information
The vulnerability has been resolved in upstream Linux kernel commits. The fix removes the direct PSP unregistration call from the _mlx5e_remove path, ensuring cleanup occurs exclusively through the profile cleanup mechanism. The relevant patches are available in the stable kernel tree:
- Commit 35e93736f699
- Commit e12c912f92cc
Organizations should apply kernel updates from their respective Linux distribution vendors as they become available.
Workarounds
- Avoid triggering device hot-removal operations on affected systems until patched
- Restrict kernel module manipulation privileges to root-only access
- Implement SELinux or AppArmor policies to limit access to driver management operations
- Monitor for and prevent unauthorized attempts to unload/reload the mlx5_core module
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
