CVE-2025-68800 Overview
A use-after-free vulnerability has been identified in the Linux kernel's mlxsw (Mellanox Spectrum) driver, specifically within the spectrum_mr component responsible for multicast route statistics management. The vulnerability occurs during the periodic traversal of the multicast route list when updating kernel statistics from device queries. A race condition exists where a route entry deletion during route replacement operations was not properly protected by the dedicated mutex, leading to potential memory corruption.
Critical Impact
Local attackers with access to affected Mellanox Spectrum network hardware could potentially exploit this use-after-free condition to cause system crashes or potentially achieve privilege escalation through memory corruption.
Affected Products
- Linux kernel with mlxsw_spectrum driver
- Mellanox Spectrum-based network switches (MSN2010/SA002610)
- Linux kernel versions prior to the security patch
Discovery Timeline
- 2026-01-13 - CVE-2025-68800 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68800
Vulnerability Analysis
This use-after-free vulnerability resides in the mlxsw_sp_mr_stats_update function within drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c. The kernel workqueue periodically invokes this function to traverse the multicast route list and update statistics that have been queried from the Mellanox Spectrum device.
A previous commit introduced a dedicated mutex (replacing RTNL) to protect the multicast route list during these periodic traversals. However, one critical instance of list entry deletion during route replacement operations was missed, creating a window where the stats update worker could access freed memory.
The KASAN (Kernel Address Sanitizer) report indicates a read of 8 bytes from freed memory at the address associated with a multicast route structure. The allocation trace shows the memory was allocated via mlxsw_sp_mr_route_add, and subsequently freed during route replacement operations in the same function path.
Root Cause
The root cause is a missing mutex acquisition around list entry deletion during multicast route replacement. While the dedicated mutex was correctly implemented to protect list traversal operations, the deletion path in mlxsw_sp_mr_route_add (specifically around line 444 in spectrum_mr.c) failed to acquire the mutex before removing entries from the list. This created a race condition between the stats update worker thread and the route replacement operation.
Attack Vector
The vulnerability requires local access with the ability to trigger multicast route replacement operations on systems with Mellanox Spectrum network hardware. An attacker could potentially exploit this by:
- Triggering rapid multicast route additions and replacements via the routing subsystem
- Racing the route replacement against the periodic stats update worker (mlxsw_sp_mr_stats_update)
- Causing the worker to access freed memory, potentially leading to information disclosure or kernel memory corruption
The vulnerability is exploitable through the kernel's multicast routing subsystem events, which are processed via the mlxsw_sp_router_fibmr_event_work worker. The timing window exists between when a route entry is freed during replacement and when the stats update worker attempts to read from that memory.
Detection Methods for CVE-2025-68800
Indicators of Compromise
- KASAN slab-use-after-free reports in kernel logs referencing mlxsw_sp_mr_stats_update
- Kernel panic or oops messages originating from the mlxsw_spectrum module
- Unexpected system crashes on servers with Mellanox Spectrum network adapters during multicast routing operations
- Workqueue crash reports for mlxsw_core workqueue with mlxsw_sp_mr_stats_update in the call trace
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in development and test environments to detect use-after-free conditions
- Monitor kernel logs for BUG reports containing slab-use-after-free and mlxsw_spectrum references
- Implement system monitoring for unexpected kernel worker thread crashes in the mlxsw_core workqueue
- Deploy kernel crash dump analysis tools to identify memory corruption patterns
Monitoring Recommendations
- Configure kernel log monitoring to alert on KASAN reports and memory corruption messages
- Monitor system stability metrics on hosts with Mellanox Spectrum hardware
- Track multicast routing events and correlate with system stability issues
- Implement automated kernel crash dump collection and analysis for affected systems
How to Mitigate CVE-2025-68800
Immediate Actions Required
- Apply the kernel security patches from the official kernel.org repository immediately
- Schedule system reboots to activate patched kernels on affected systems
- Consider temporarily reducing multicast routing activity on critical production systems until patched
- Enable KASAN in test environments to validate patch effectiveness
Patch Information
The fix involves acquiring the dedicated mutex before deleting entries from the multicast route list and releasing it afterwards during route replacement operations. Multiple kernel commits have been released to address this vulnerability:
- Kernel Commit 216afc198484
- Kernel Commit 37ca08b35a27
- Kernel Commit 4049a6ace209
- Kernel Commit 5f2831fc593c
- Kernel Commit 8ac1dacec458
Workarounds
- Limit multicast routing configuration changes on systems with Mellanox Spectrum hardware until patched
- Consider temporarily blacklisting the mlxsw_spectrum module if multicast routing is not required
- Implement network isolation for systems that cannot be immediately patched
- Monitor affected systems closely for signs of exploitation or instability
# Check if mlxsw_spectrum module is loaded
lsmod | grep mlxsw_spectrum
# Verify current kernel version
uname -r
# Check for available kernel updates with the security fix
apt-cache policy linux-image-$(uname -r)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
