Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68779

CVE-2025-68779: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68779 is a use-after-free vulnerability in the Linux kernel's mlx5e driver that causes refcount underflow when PSP is unregistered twice. This article covers technical details, affected systems, and mitigation.

Updated:

CVE-2025-68779 Overview

CVE-2025-68779 is a use-after-free vulnerability in the Linux kernel's Mellanox mlx5_core driver. The flaw exists in the net/mlx5e Ethernet driver code path that manages Packet Security Protocol (PSP) offload registration. During device removal, the kernel calls mlx5e_psp_unregister twice — once from _mlx5e_remove and again from mlx5e_nic_cleanup — triggering a refcount_t underflow. The duplicate teardown produces a WARNING at lib/refcount.c:28 followed by use-after-free conditions on the PSP object. The fix removes the redundant PSP teardown from _mlx5e_remove, leaving cleanup to the profile cleanup path.

Critical Impact

A refcount underflow in mlx5e_psp_unregister can lead to a use-after-free on the PSP context, producing kernel warnings, memory corruption, or crashes during driver unbind or device rescans.

Affected Products

  • Linux kernel builds containing the net/mlx5e PSP support before commit e12c912f92cc
  • Systems using Mellanox ConnectX network adapters with the mlx5_core driver loaded
  • Distributions shipping development or pre-release kernels with PSP offload enabled

Discovery Timeline

  • 2026-01-13 - CVE-2025-68779 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-68779

Vulnerability Analysis

The vulnerability resides in the Mellanox mlx5e Ethernet driver, which provides PSP cryptographic offload for ConnectX network adapters. PSP resources are tracked through a reference-counted object registered with the networking stack via mlx5e_psp_register and released via mlx5e_psp_unregister. The driver removal flow inadvertently invokes the unregister routine twice along the same teardown chain.

The first call originates from _mlx5e_remove, which directly invokes mlx5e_psp_unregister. The second call occurs through the profile cleanup path: mlx5e_removemlx5e_nic_cleanupmlx5e_psp_unregister. Because both paths execute during a single auxiliary bus removal, the PSP reference counter decrements past zero. The kernel records this with refcount_t: underflow; use-after-free and emits a stack trace through auxiliary_bus_remove, device_release_driver_internal, and mlx5_rescan_drivers_locked.

Root Cause

The root cause is duplicated cleanup logic across the device removal and profile cleanup code paths. The PSP unregister call belongs to the profile cleanup stage only. Leaving it in _mlx5e_remove causes the same release to execute twice, dropping the reference below zero and freeing memory still tracked elsewhere in the driver.

Attack Vector

Triggering the flaw requires actions that bind and unbind the mlx5_core auxiliary device, such as driver rescans, device hotplug events, or module reload sequences on systems with PSP-capable hardware. The condition is not directly remotely triggerable. Exploitation primarily produces denial-of-service through kernel warnings and crashes, with theoretical memory-corruption follow-on from the use-after-free on freed PSP state.

The vulnerability mechanism is described in the upstream commit message and stack trace. See the Kernel Git Commit Fixes and Kernel Git Commit Changes for the patch details.

Detection Methods for CVE-2025-68779

Indicators of Compromise

  • Kernel log entries containing refcount_t: underflow; use-after-free originating from refcount_warn_saturate
  • Stack traces referencing mlx5e_psp_unregister, mlx5e_nic_cleanup, and mlx5e_remove from the mlx5_core module
  • Unexpected WARNING events at lib/refcount.c:28 during driver unbind, module reload, or mlx5_rescan_drivers_locked operations

Detection Strategies

  • Audit dmesg and journalctl -k output on Mellanox-equipped hosts for refcount underflow warnings tied to PSP teardown
  • Inventory running kernel versions across the fleet and flag systems with PSP-enabled mlx5e builds predating the upstream fix
  • Correlate driver rebind events from udev or auxiliary bus operations with kernel warning bursts to identify reproducible triggers

Monitoring Recommendations

  • Forward kernel ring buffer logs to a centralized log platform and alert on refcount_warn_saturate plus mlx5_core in the same stack
  • Monitor host stability metrics on systems performing live driver upgrades or virtual function rescans
  • Track auxiliary bus remove operations on ConnectX hardware as part of change-management telemetry

How to Mitigate CVE-2025-68779

Immediate Actions Required

  • Apply the upstream kernel fix commit e12c912f92cc or update to a distribution kernel that incorporates the patch
  • Avoid repeated driver rebind or mlx5_rescan_drivers_locked operations on unpatched hosts until the fix is deployed
  • Identify systems running PSP-capable mlx5e builds and prioritize them for kernel updates

Patch Information

The fix is committed upstream as e12c912f92ccea671b514caf371f28485714bb4b, which removes the redundant mlx5e_psp_unregister call from _mlx5e_remove. PSP cleanup now occurs solely through the profile cleanup path in mlx5e_nic_cleanup. A related change is tracked under commit 35e93736f69963337912594eb3951ab320b77521. Rebuild and deploy a kernel containing these commits, then reboot affected hosts to load the corrected mlx5_core module.

Workarounds

  • Where patching is not immediately possible, refrain from unbinding or reloading the mlx5_core driver on production hosts
  • Disable PSP offload configuration on mlx5e interfaces if operationally acceptable to reduce the chance of executing the affected code path
  • Restrict administrative access that permits driver rescans or module reloads to limit the trigger surface
bash
# Verify the running kernel and mlx5_core module version
uname -r
modinfo mlx5_core | grep -E '^(version|srcversion|filename)'

# Inspect kernel log for the underflow signature
dmesg | grep -E 'refcount_t: underflow|mlx5e_psp_unregister'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.