Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68801

CVE-2025-68801: Linux Kernel Use-After-Free Vulnerability

CVE-2025-68801 is a use-after-free vulnerability in the Linux kernel's mlxsw spectrum router component that allows improper neighbour pointer dereferencing. This post explains its impact, affected versions, and mitigation.

Updated:

CVE-2025-68801 Overview

CVE-2025-68801 is a use-after-free vulnerability in the Linux kernel's mlxsw spectrum_router module. The vulnerability occurs in the neighbour entry handling code where the driver stores a pointer to a neighbour structure without properly holding a reference to it. This improper reference counting allows for a use-after-free condition when dereferencing the neighbour pointer after the underlying memory has been freed.

Critical Impact

Local attackers with sufficient privileges could potentially exploit this use-after-free vulnerability to cause denial of service (kernel crash) or potentially achieve privilege escalation through memory corruption in kernel space.

Affected Products

  • Linux kernel with mlxsw spectrum driver (Mellanox/Nvidia switch hardware)
  • Linux kernel versions prior to the security patches
  • Systems running Nvidia SN5600 and similar Mellanox spectrum-based switches

Discovery Timeline

  • January 13, 2026 - CVE CVE-2025-68801 published to NVD
  • January 13, 2026 - Last updated in NVD database

Technical Details for CVE-2025-68801

Vulnerability Analysis

The vulnerability exists in the mlxsw spectrum router's neighbour entry management. When the driver handles neighbour entries for nexthop routing, it stores pointers to neighbour structures without maintaining proper reference counts. A reference is only taken when the neighbour is actively used by a nexthop, but the driver continues to store and dereference the pointer even after the neighbour has been freed through RCU (Read-Copy-Update) mechanisms.

The KASAN (Kernel Address Sanitizer) report shows the use-after-free occurring in the mlxsw_sp_neigh_entry_update() function, triggered during a network device unlinking operation. The call trace demonstrates the issue manifesting when:

  1. A VRF (Virtual Routing and Forwarding) slave device is being unlinked
  2. The router RIF (Router Interface) synchronization process attempts to update neighbour entries
  3. The driver dereferences a neighbour pointer that has already been freed

The freed memory was originally allocated by neigh_alloc() during nexthop initialization and was later freed via kvfree_rcu_bulk() during neighbour event processing, creating a classic TOCTOU-style race condition.

Root Cause

The root cause is an improper reference counting scheme in the mlxsw spectrum router driver. The driver was designed to store neighbour pointers in neighbour entries but only increment the reference count when the neighbour was actively used by a nexthop. This approach failed to account for scenarios where the neighbour could be freed independently while the driver still held a stale pointer.

The fix simplifies the reference counting by always taking a reference when storing a neighbour pointer in a neighbour entry. When the neighbour is used by a nexthop, no additional reference is taken since the associated neighbour entry already holds one.

Attack Vector

The vulnerability can be triggered through network configuration operations that cause neighbour entries to be updated while the underlying neighbour structures are being freed. This typically involves:

The attack requires local access and the ability to manipulate network device configurations. An attacker could trigger the race condition by rapidly configuring and removing network interfaces, VRF slave devices, or routing entries that utilize the mlxsw spectrum router driver. The KASAN report shows the issue can be triggered through netlink operations (rtnetlink_rcv_msg) that modify device master associations.

Detection Methods for CVE-2025-68801

Indicators of Compromise

  • Kernel panic or crash messages containing mlxsw_sp_neigh_entry_update in the stack trace
  • KASAN reports indicating slab-use-after-free in mlxsw spectrum router functions
  • System instability when performing network configuration changes on Mellanox/Nvidia spectrum switches
  • Unexpected kernel oops or BUG messages related to the mlxsw driver during VRF or LAG operations

Detection Strategies

  • Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect use-after-free conditions at runtime
  • Monitor kernel logs for any mlxsw-related crash dumps or memory corruption warnings
  • Deploy kernel debugging tools to trace memory allocation and deallocation in the mlxsw module
  • Implement automated kernel log analysis to detect patterns matching the vulnerability signature

Monitoring Recommendations

  • Configure centralized logging for all systems running mlxsw spectrum drivers
  • Set up alerting for kernel panic events or unexpected reboots on affected switch hardware
  • Monitor for unusual network configuration activity that could indicate exploitation attempts
  • Review audit logs for netlink operations affecting VRF and LAG configurations

How to Mitigate CVE-2025-68801

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the reference counting fix
  • Review and prioritize patching for all systems using Mellanox/Nvidia spectrum-based network hardware
  • Monitor systems for signs of exploitation until patches can be applied
  • Consider limiting access to network configuration capabilities on affected systems

Patch Information

Multiple patch commits have been released to address this vulnerability. The fix simplifies the reference counting scheme by always taking a reference when storing a neighbour pointer in a neighbour entry. The patches have been tested extensively, with the developers running the reproducing test over 300 times without observing the issue after applying the fix.

Apply the kernel patches from the following commits:

Workarounds

  • Limit network configuration operations on affected systems until patches can be applied
  • Restrict access to netlink configuration interfaces to trusted administrators only
  • Avoid rapid reconfiguration of VRF slave devices and LAG interfaces on production systems
  • Consider using alternative network drivers or hardware if patching is not immediately feasible
bash
# Check if your system is running an affected mlxsw driver
lsmod | grep mlxsw

# Verify kernel version and check for available updates
uname -r
apt list --upgradable | grep linux-image  # Debian/Ubuntu
yum check-update kernel  # RHEL/CentOS

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.