{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-21675", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-29T08:45:45.737Z", "datePublished": "2025-01-31T11:25:37.457Z", "dateUpdated": "2026-05-11T21:04:16.290Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:04:16.290Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clear port select structure when fail to create\n\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That's because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\n\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 1\n mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 0\n mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n Mem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\n CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n sp : ffff800085fafb00\n x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\n x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\n x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\n x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\n x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\n x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\n x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\n x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\n Call trace:\n mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\n mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\n mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\n mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\n process_one_work+0x170/0x3e0\n worker_thread+0x2d8/0x3e0\n kthread+0x11c/0x128\n ret_from_fork+0x10/0x20\n Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n ---[ end trace 0000000000000000 ]---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c"], "versions": [{"version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4", "status": "affected", "versionType": "git"}, {"version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "473bc285378f49aa27e5b3e95a6d5ed12995d654", "status": "affected", "versionType": "git"}, {"version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "1f6e619ef2a4def555b14ac2aeb4304bfccad59b", "status": "affected", "versionType": "git"}, {"version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "5641e82cb55b4ecbc6366a499300917d2f3e6790", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c"], "versions": [{"version": "5.16", "status": "affected"}, {"version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.127", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.74", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.11", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.127"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.6.74"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.12.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4"}, {"url": "https://git.kernel.org/stable/c/473bc285378f49aa27e5b3e95a6d5ed12995d654"}, {"url": "https://git.kernel.org/stable/c/1f6e619ef2a4def555b14ac2aeb4304bfccad59b"}, {"url": "https://git.kernel.org/stable/c/5641e82cb55b4ecbc6366a499300917d2f3e6790"}], "title": "net/mlx5: Clear port select structure when fail to create", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T19:52:01.288500Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T19:57:11.729Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:58:53.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-21675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T19:52:01.288500Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T15:58:56.633Z"}}], "cna": {"title": "net/mlx5: Clear port select structure when fail to create", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4", "versionType": "git"}, {"status": "affected", "version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "473bc285378f49aa27e5b3e95a6d5ed12995d654", "versionType": "git"}, {"status": "affected", "version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "1f6e619ef2a4def555b14ac2aeb4304bfccad59b", "versionType": "git"}, {"status": "affected", "version": "dc48516ec7d369c6b80bf9f14d774287b6c428aa", "lessThan": "5641e82cb55b4ecbc6366a499300917d2f3e6790", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.16"}, {"status": "unaffected", "version": "0", "lessThan": "5.16", "versionType": "semver"}, {"status": "unaffected", "version": "6.1.127", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.74", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.12.11", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/lag/port_sel.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4"}, {"url": "https://git.kernel.org/stable/c/473bc285378f49aa27e5b3e95a6d5ed12995d654"}, {"url": "https://git.kernel.org/stable/c/1f6e619ef2a4def555b14ac2aeb4304bfccad59b"}, {"url": "https://git.kernel.org/stable/c/5641e82cb55b4ecbc6366a499300917d2f3e6790"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clear port select structure when fail to create\n\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That's because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\n\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 1\n mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 0\n mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n Mem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\n CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n sp : ffff800085fafb00\n x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\n x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\n x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\n x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\n x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\n x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\n x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\n x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\n Call trace:\n mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\n mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\n mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\n mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\n process_one_work+0x170/0x3e0\n worker_thread+0x2d8/0x3e0\n kthread+0x11c/0x128\n ret_from_fork+0x10/0x20\n Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n ---[ end trace 0000000000000000 ]---"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.127", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.74", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12.11", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.13", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T07:18:49.451Z"}}}, "cveMetadata": {"cveId": "CVE-2025-21675", "state": "PUBLISHED", "dateUpdated": "2025-10-01T19:57:11.729Z", "dateReserved": "2024-12-29T08:45:45.737Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2025-01-31T11:25:37.457Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3538C88-E91E-4A62-8415-2EA2F03EAAE3", "versionEndExcluding": "6.1.127", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "38B2F4A9-C656-4A97-8718-D27E6BDFD82A", "versionEndExcluding": "6.6.74", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7D0DBC3-F63C-4396-8A47-6F3D4FA0556E", "versionEndExcluding": "6.12.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "5A073481-106D-4B15-B4C7-FB0213B8E1D4", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DE491969-75AE-4A6B-9A58-8FC5AF98798F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "93C0660D-7FB8-4FBA-892A-B064BA71E49E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "034C36A6-C481-41F3-AE9A-D116E5BE6895", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "8AF9DC49-2085-4FFB-A7E3-73DFAFECC7F2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc7:*:*:*:*:*:*", "matchCriteriaId": "5DFCDFB8-4FD0-465A-9076-D813D78FE51B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Clear port select structure when fail to create\n\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That's because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\n\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 1\n mlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed\n mlx5_lag_port_sel_create()\n mlx5_lag_create_definers()\n mlx5_lag_create_definer() <- Failed on tt 0\n mlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n Mem abort info:\n ESR = 0x0000000096000005\n EC = 0x25: DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n FSC = 0x05: level 1 translation fault\n Data abort info:\n ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\n CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\n Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP\n Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\n CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\n Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\n pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n sp : ffff800085fafb00\n x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\n x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\n x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\n x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\n x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\n x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\n x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\n x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\n x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\n Call trace:\n mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\n mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\n mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\n mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\n mlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\n mlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\n process_one_work+0x170/0x3e0\n worker_thread+0x2d8/0x3e0\n kthread+0x11c/0x128\n ret_from_fork+0x10/0x20\n Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n ---[ end trace 0000000000000000 ]---"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5: Borrar la estructura de selecci\u00f3n de puerto cuando falla la creaci\u00f3n. Borra la estructura de selecci\u00f3n de puerto en caso de error para que no queden valores obsoletos despu\u00e9s de que se destruyen los definidores. Esto se debe a que mlx5_lag_destroy_definers() siempre intenta destruir todos los definidores de retraso en tt_map, por lo que en el flujo a continuaci\u00f3n, los definidores de retraso se destruyen dos veces y causan un bloqueo del kernel: mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() &lt;- Failed on tt 1 mlx5_lag_destroy_definers() &lt;- definers[tt=0] gets destroyed mlx5_lag_port_sel_create() mlx5_lag_create_definers() mlx5_lag_create_definer() &lt;- Failed on tt 0 mlx5_lag_destroy_definers() &lt;- definers[tt=0] gets double-destroyed Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00 [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Modules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)] CPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 Workqueue: mlx5_lag mlx5_do_bond_work [mlx5_core] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] lr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] sp : ffff800085fafb00 x29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000 x26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000 x23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000 x20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350 x14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0 x11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c x8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190 x5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000 Call trace: mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core] mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core] mlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core] mlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core] mlx5_activate_lag+0x60c/0x6f8 [mlx5_core] mlx5_do_bond_work+0x284/0x5c8 [mlx5_core] process_one_work+0x170/0x3e0 worker_thread+0x2d8/0x3e0 kthread+0x11c/0x128 ret_from_fork+0x10/0x20 Code: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400) ---[ end trace 0000000000000000 ]--- "}], "id": "CVE-2025-21675", "lastModified": "2025-11-03T21:19:06.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-31T12:15:28.677", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1f6e619ef2a4def555b14ac2aeb4304bfccad59b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/473bc285378f49aa27e5b3e95a6d5ed12995d654"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5641e82cb55b4ecbc6366a499300917d2f3e6790"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/efc92a260e23cf9fafb0b6f6c9beb6f8df93fab4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: net/mlx5: Clear port select structure when fail to create", "id": "2343177", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2343177"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nnet/mlx5: Clear port select structure when fail to create\nClear the port select structure on error so no stale values left after\ndefiners are destroyed. That's because the mlx5_lag_destroy_definers()\nalways try to destroy all lag definers in the tt_map, so in the flow\nbelow lag definers get double-destroyed and cause kernel crash:\nmlx5_lag_port_sel_create()\nmlx5_lag_create_definers()\nmlx5_lag_create_definer() <- Failed on tt 1\nmlx5_lag_destroy_definers() <- definers[tt=0] gets destroyed\nmlx5_lag_port_sel_create()\nmlx5_lag_create_definers()\nmlx5_lag_create_definer() <- Failed on tt 0\nmlx5_lag_destroy_definers() <- definers[tt=0] gets double-destroyed\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000008\nMem abort info:\nESR = 0x0000000096000005\nEC = 0x25: DABT (current EL), IL = 32 bits\nSET = 0, FnV = 0\nEA = 0, S1PTW = 0\nFSC = 0x05: level 1 translation fault\nData abort info:\nISV = 0, ISS = 0x00000005, ISS2 = 0x00000000\nCM = 0, WnR = 0, TnD = 0, TagAccess = 0\nGCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 64k pages, 48-bit VAs, pgdp=0000000112ce2e00\n[0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000\nInternal error: Oops: 0000000096000005 [#1] PREEMPT SMP\nModules linked in: iptable_raw bonding ip_gre ip6_gre gre ip6_tunnel tunnel6 geneve ip6_udp_tunnel udp_tunnel ipip tunnel4 ip_tunnel rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) ib_uverbs(OE) mlx5_fwctl(OE) fwctl(OE) mlx5_core(OE) mlxdevm(OE) ib_core(OE) mlxfw(OE) memtrack(OE) mlx_compat(OE) openvswitch nsh nf_conncount psample xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc netconsole overlay efi_pstore sch_fq_codel zram ip_tables crct10dif_ce qemu_fw_cfg fuse ipv6 crc_ccitt [last unloaded: mlx_compat(OE)]\nCPU: 3 UID: 0 PID: 217 Comm: kworker/u53:2 Tainted: G OE 6.11.0+ #2\nTainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\nHardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015\nWorkqueue: mlx5_lag mlx5_do_bond_work [mlx5_core]\npstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : mlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\nlr : mlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\nsp : ffff800085fafb00\nx29: ffff800085fafb00 x28: ffff0000da0c8000 x27: 0000000000000000\nx26: ffff0000da0c8000 x25: ffff0000da0c8000 x24: ffff0000da0c8000\nx23: ffff0000c31f81a0 x22: 0400000000000000 x21: ffff0000da0c8000\nx20: 0000000000000000 x19: 0000000000000001 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8b0c9350\nx14: 0000000000000000 x13: ffff800081390d18 x12: ffff800081dc3cc0\nx11: 0000000000000001 x10: 0000000000000b10 x9 : ffff80007ab7304c\nx8 : ffff0000d00711f0 x7 : 0000000000000004 x6 : 0000000000000190\nx5 : ffff00027edb3010 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : ffff0000d39b8000 x1 : ffff0000d39b8000 x0 : 0400000000000000\nCall trace:\nmlx5_del_flow_rules+0x24/0x2c0 [mlx5_core]\nmlx5_lag_destroy_definer+0x54/0x100 [mlx5_core]\nmlx5_lag_destroy_definers+0xa0/0x108 [mlx5_core]\nmlx5_lag_port_sel_create+0x2d4/0x6f8 [mlx5_core]\nmlx5_activate_lag+0x60c/0x6f8 [mlx5_core]\nmlx5_do_bond_work+0x284/0x5c8 [mlx5_core]\nprocess_one_work+0x170/0x3e0\nworker_thread+0x2d8/0x3e0\nkthread+0x11c/0x128\nret_from_fork+0x10/0x20\nCode: a9025bf5 aa0003f6 a90363f7 f90023f9 (f9400400)\n---[ end trace 0000000000000000 ]---"], "name": "CVE-2025-21675", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-21675\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21675\nhttps://lore.kernel.org/linux-cve-announce/2025013101-CVE-2025-21675-bf0e@gregkh/T"], "threat_severity": "Moderate"}

{}