{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net/mlx5: fs, fix UAF in flow counter release",
    "id" : "2404109",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2404109"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.6",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-911",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: fs, fix UAF in flow counter release\nFix a kernel trace [1] caused by releasing an HWS action of a local flow\ncounter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and\nmutex were not initialized and the counter struct could already be freed\nwhen deleting the rule.\nFix it by adding the missing initializations and adding refcount for the\nlocal flow counter struct.\n[1] Kernel log:\nCall Trace:\n<TASK>\ndump_stack_lvl+0x34/0x48\nmlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]\nmlx5_fc_put_hws_action+0x96/0xad [mlx5_core]\nmlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]\nmlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]\ndel_hw_fte+0x1ce/0x260 [mlx5_core]\nmlx5_del_flow_rules+0x12d/0x240 [mlx5_core]\n? ttwu_queue_wakelist+0xf4/0x110\nmlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]\nuverbs_free_flow+0x20/0x50 [ib_uverbs]\ndestroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]\nuverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]\nuobj_destroy+0x3c/0x80 [ib_uverbs]\nib_uverbs_run_method+0x23e/0x360 [ib_uverbs]\n? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\nib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]\n? do_tty_write+0x1a9/0x270\n? file_tty_write.constprop.0+0x98/0xc0\n? new_sync_write+0xfc/0x190\nib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]\n__x64_sys_ioctl+0x87/0xc0\ndo_syscall_64+0x59/0x90", "A use-after-free flaw was discovered in the Linux kernel’s mlx5 (Net/MLX5) subsystem: within the function mlx5_cmd_hws_delete_fte() the HWS action reference count and mutex for a local flow counter were not initialized, meaning the flow-counter structure could already be freed while deleting the rule. This may lead to memory corruption or kernel instability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22854",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.20.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22865",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.13.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22865",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.13.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-39979\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39979\nhttps://lore.kernel.org/linux-cve-announce/2025101559-CVE-2025-39979-f1e9@gregkh/T" ],
  "name" : "CVE-2025-39979",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}