CVE-2025-68801 Overview
CVE-2025-68801 is a use-after-free vulnerability in the Linux kernel's mlxsw spectrum_router module. The vulnerability occurs in the neighbour entry handling code where the driver stores a pointer to a neighbour structure without properly holding a reference to it. This improper reference counting allows for a use-after-free condition when dereferencing the neighbour pointer after the underlying memory has been freed.
Critical Impact
Local attackers with sufficient privileges could potentially exploit this use-after-free vulnerability to cause denial of service (kernel crash) or potentially achieve privilege escalation through memory corruption in kernel space.
Affected Products
- Linux kernel with mlxsw spectrum driver (Mellanox/Nvidia switch hardware)
- Linux kernel versions prior to the security patches
- Systems running Nvidia SN5600 and similar Mellanox spectrum-based switches
Discovery Timeline
- January 13, 2026 - CVE CVE-2025-68801 published to NVD
- January 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-68801
Vulnerability Analysis
The vulnerability exists in the mlxsw spectrum router's neighbour entry management. When the driver handles neighbour entries for nexthop routing, it stores pointers to neighbour structures without maintaining proper reference counts. A reference is only taken when the neighbour is actively used by a nexthop, but the driver continues to store and dereference the pointer even after the neighbour has been freed through RCU (Read-Copy-Update) mechanisms.
The KASAN (Kernel Address Sanitizer) report shows the use-after-free occurring in the mlxsw_sp_neigh_entry_update() function, triggered during a network device unlinking operation. The call trace demonstrates the issue manifesting when:
- A VRF (Virtual Routing and Forwarding) slave device is being unlinked
- The router RIF (Router Interface) synchronization process attempts to update neighbour entries
- The driver dereferences a neighbour pointer that has already been freed
The freed memory was originally allocated by neigh_alloc() during nexthop initialization and was later freed via kvfree_rcu_bulk() during neighbour event processing, creating a classic TOCTOU-style race condition.
Root Cause
The root cause is an improper reference counting scheme in the mlxsw spectrum router driver. The driver was designed to store neighbour pointers in neighbour entries but only increment the reference count when the neighbour was actively used by a nexthop. This approach failed to account for scenarios where the neighbour could be freed independently while the driver still held a stale pointer.
The fix simplifies the reference counting by always taking a reference when storing a neighbour pointer in a neighbour entry. When the neighbour is used by a nexthop, no additional reference is taken since the associated neighbour entry already holds one.
Attack Vector
The vulnerability can be triggered through network configuration operations that cause neighbour entries to be updated while the underlying neighbour structures are being freed. This typically involves:
The attack requires local access and the ability to manipulate network device configurations. An attacker could trigger the race condition by rapidly configuring and removing network interfaces, VRF slave devices, or routing entries that utilize the mlxsw spectrum router driver. The KASAN report shows the issue can be triggered through netlink operations (rtnetlink_rcv_msg) that modify device master associations.
Detection Methods for CVE-2025-68801
Indicators of Compromise
- Kernel panic or crash messages containing mlxsw_sp_neigh_entry_update in the stack trace
- KASAN reports indicating slab-use-after-free in mlxsw spectrum router functions
- System instability when performing network configuration changes on Mellanox/Nvidia spectrum switches
- Unexpected kernel oops or BUG messages related to the mlxsw driver during VRF or LAG operations
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect use-after-free conditions at runtime
- Monitor kernel logs for any mlxsw-related crash dumps or memory corruption warnings
- Deploy kernel debugging tools to trace memory allocation and deallocation in the mlxsw module
- Implement automated kernel log analysis to detect patterns matching the vulnerability signature
Monitoring Recommendations
- Configure centralized logging for all systems running mlxsw spectrum drivers
- Set up alerting for kernel panic events or unexpected reboots on affected switch hardware
- Monitor for unusual network configuration activity that could indicate exploitation attempts
- Review audit logs for netlink operations affecting VRF and LAG configurations
How to Mitigate CVE-2025-68801
Immediate Actions Required
- Update the Linux kernel to a patched version containing the reference counting fix
- Review and prioritize patching for all systems using Mellanox/Nvidia spectrum-based network hardware
- Monitor systems for signs of exploitation until patches can be applied
- Consider limiting access to network configuration capabilities on affected systems
Patch Information
Multiple patch commits have been released to address this vulnerability. The fix simplifies the reference counting scheme by always taking a reference when storing a neighbour pointer in a neighbour entry. The patches have been tested extensively, with the developers running the reproducing test over 300 times without observing the issue after applying the fix.
Apply the kernel patches from the following commits:
- Linux Kernel Commit 4a3c569
- Linux Kernel Commit 675c5ae
- Linux Kernel Commit 8b0e697
- Linux Kernel Commit c437fbf
- Linux Kernel Commit ed8141b
Workarounds
- Limit network configuration operations on affected systems until patches can be applied
- Restrict access to netlink configuration interfaces to trusted administrators only
- Avoid rapid reconfiguration of VRF slave devices and LAG interfaces on production systems
- Consider using alternative network drivers or hardware if patching is not immediately feasible
# Check if your system is running an affected mlxsw driver
lsmod | grep mlxsw
# Verify kernel version and check for available updates
uname -r
apt list --upgradable | grep linux-image # Debian/Ubuntu
yum check-update kernel # RHEL/CentOS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
