CVE-2025-68800
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/01/2026
Last modified:
19/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats<br />
<br />
Cited commit added a dedicated mutex (instead of RTNL) to protect the<br />
multicast route list, so that it will not change while the driver<br />
periodically traverses it in order to update the kernel about multicast<br />
route stats that were queried from the device.<br />
<br />
One instance of list entry deletion (during route replace) was missed<br />
and it can result in a use-after-free [1].<br />
<br />
Fix by acquiring the mutex before deleting the entry from the list and<br />
releasing it afterwards.<br />
<br />
[1]<br />
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]<br />
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043<br />
<br />
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)<br />
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017<br />
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]<br />
Call Trace:<br />
<br />
dump_stack_lvl+0xba/0x110<br />
print_report+0x174/0x4f5<br />
kasan_report+0xdf/0x110<br />
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]<br />
process_one_work+0x9cc/0x18e0<br />
worker_thread+0x5df/0xe40<br />
kthread+0x3b8/0x730<br />
ret_from_fork+0x3e9/0x560<br />
ret_from_fork_asm+0x1a/0x30<br />
<br />
<br />
Allocated by task 29933:<br />
kasan_save_stack+0x30/0x50<br />
kasan_save_track+0x14/0x30<br />
__kasan_kmalloc+0x8f/0xa0<br />
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]<br />
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]<br />
process_one_work+0x9cc/0x18e0<br />
worker_thread+0x5df/0xe40<br />
kthread+0x3b8/0x730<br />
ret_from_fork+0x3e9/0x560<br />
ret_from_fork_asm+0x1a/0x30<br />
<br />
Freed by task 29933:<br />
kasan_save_stack+0x30/0x50<br />
kasan_save_track+0x14/0x30<br />
__kasan_save_free_info+0x3b/0x70<br />
__kasan_slab_free+0x43/0x70<br />
kfree+0x14e/0x700<br />
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]<br />
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]<br />
process_one_work+0x9cc/0x18e0<br />
worker_thread+0x5df/0xe40<br />
kthread+0x3b8/0x730<br />
ret_from_fork+0x3e9/0x560<br />
ret_from_fork_asm+0x1a/0x30
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/216afc198484fde110ebeafc017992266f4596ce
- https://git.kernel.org/stable/c/37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73
- https://git.kernel.org/stable/c/4049a6ace209f4ed150429f86ae796d7d6a4c22b
- https://git.kernel.org/stable/c/5f2831fc593c2b2efbff7dd0dd7441cec76adcd5
- https://git.kernel.org/stable/c/6e367c361a523a4b54fe618215c64a0ee189caf0
- https://git.kernel.org/stable/c/8ac1dacec458f55f871f7153242ed6ab60373b90
- https://git.kernel.org/stable/c/b957366f5611bbaba03dd10ef861283347ddcc88