{ "threat_severity" : "Moderate", "public_date" : "2026-01-13T00:00:00Z", "bugzilla" : { "description" : "kernel: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats", "id" : "2429065", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2429065" }, "cvss3" : { "cvss3_base_score" : "7.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats\nCited commit added a dedicated mutex (instead of RTNL) to protect the\nmulticast route list, so that it will not change while the driver\nperiodically traverses it in order to update the kernel about multicast\nroute stats that were queried from the device.\nOne instance of list entry deletion (during route replace) was missed\nand it can result in a use-after-free [1].\nFix by acquiring the mutex before deleting the entry from the list and\nreleasing it afterwards.\n[1]\nBUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nRead of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043\nCPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)\nHardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017\nWorkqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]\nCall Trace:\n\ndump_stack_lvl+0xba/0x110\nprint_report+0x174/0x4f5\nkasan_report+0xdf/0x110\nmlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]\nprocess_one_work+0x9cc/0x18e0\nworker_thread+0x5df/0xe40\nkthread+0x3b8/0x730\nret_from_fork+0x3e9/0x560\nret_from_fork_asm+0x1a/0x30\n\nAllocated by task 29933:\nkasan_save_stack+0x30/0x50\nkasan_save_track+0x14/0x30\n__kasan_kmalloc+0x8f/0xa0\nmlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]\nmlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\nprocess_one_work+0x9cc/0x18e0\nworker_thread+0x5df/0xe40\nkthread+0x3b8/0x730\nret_from_fork+0x3e9/0x560\nret_from_fork_asm+0x1a/0x30\nFreed by task 29933:\nkasan_save_stack+0x30/0x50\nkasan_save_track+0x14/0x30\n__kasan_save_free_info+0x3b/0x70\n__kasan_slab_free+0x43/0x70\nkfree+0x14e/0x700\nmlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]\nmlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]\nprocess_one_work+0x9cc/0x18e0\nworker_thread+0x5df/0xe40\nkthread+0x3b8/0x730\nret_from_fork+0x3e9/0x560\nret_from_fork_asm+0x1a/0x30" ], "statement" : "A use-after-free exists in mlxsw_spectrum multicast routing when a route entry is deleted from the multicast route list without holding route_list_lock, while the periodic stats worker traverses the same list. A privileged attacker who can manipulate multicast routes on a host using mlxsw Spectrum hardware can trigger the race to crash the kernel and potentially corrupt memory.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-02-25T00:00:00Z", "advisory" : "RHSA-2026:3275", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "kernel-0:6.12.0-124.39.1.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-23T00:00:00Z", "advisory" : "RHSA-2026:3110", "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv", "package" : "kernel-rt-0:4.18.0-553.107.1.rt7.448.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2026-02-23T00:00:00Z", "advisory" : "RHSA-2026:3083", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-553.107.1.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-09T00:00:00Z", "advisory" : "RHSA-2026:3966", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.38.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4759", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.41.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-09T00:00:00Z", "advisory" : "RHSA-2026:3966", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.38.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-03-17T00:00:00Z", "advisory" : "RHSA-2026:4759", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-611.41.1.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support", "release_date" : "2026-03-30T00:00:00Z", "advisory" : "RHSA-2026:6164", "cpe" : "cpe:/a:redhat:rhel_eus:9.6", "package" : "kernel-0:5.14.0-570.103.1.el9_6" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68800\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68800\nhttps://lore.kernel.org/linux-cve-announce/2026011307-CVE-2025-68800-39d2@gregkh/T" ], "name" : "CVE-2025-68800", "csaw" : false }