CVE-2025-68800

Source: https://cve.org/CVERecord?id=CVE-2025-68800
Import Source: https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68800.json
JSON Data: https://api.test.osv.dev/v1/vulns/CVE-2025-68800
Published: 2026-01-13T15:29:09.688Z
Modified: 2026-03-24T11:59:22.258156Z
Summary
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Details

In the Linux kernel, the following vulnerability has been resolved:

mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats

Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device.

One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1].

Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards.

[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043

CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
 <TASK>
 dump_stack_lvl+0xba/0x110
 print_report+0x174/0x4f5
 kasan_report+0xdf/0x110
 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
 process_one_work+0x9cc/0x18e0
 worker_thread+0x5df/0xe40
 kthread+0x3b8/0x730
 ret_from_fork+0x3e9/0x560
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 29933:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0x8f/0xa0
 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
 mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
 process_one_work+0x9cc/0x18e0
 worker_thread+0x5df/0xe40
 kthread+0x3b8/0x730
 ret_from_fork+0x3e9/0x560
 ret_from_fork_asm+0x1a/0x30

Freed by task 29933:
 kasan_save_stack+0x30/0x50
 kasan_save_track+0x14/0x30
 __kasan_save_free_info+0x3b/0x70
 __kasan_slab_free+0x43/0x70
 kfree+0x14e/0x700
 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
 mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
 process_one_work+0x9cc/0x18e0
 worker_thread+0x5df/0xe40
 kthread+0x3b8/0x730
 ret_from_fork+0x3e9/0x560
 ret_from_fork_asm+0x1a/0x30

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68800.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events:
Introduced: f38656d067257cc43b652958dd154e1ab0773701
Fixed: b957366f5611bbaba03dd10ef861283347ddcc88
Fixed: 6e367c361a523a4b54fe618215c64a0ee189caf0
Fixed: 37ca08b35a27ce8fd8e74dd3fd2ae21c23b63b73
Fixed: 5f2831fc593c2b2efbff7dd0dd7441cec76adcd5
Fixed: 216afc198484fde110ebeafc017992266f4596ce
Fixed: 4049a6ace209f4ed150429f86ae796d7d6a4c22b
Fixed: 8ac1dacec458f55f871f7153242ed6ab60373b90

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68800.json"

Linux / Kernel

Package name: Kernel

Affected ranges

Type: ECOSYSTEM, Introduced: 5.7.0, Fixed: 5.10.248
Type: ECOSYSTEM, Introduced: 5.11.0, Fixed: 5.15.198
Type: ECOSYSTEM, Introduced: 5.16.0, Fixed: 6.1.160
Type: ECOSYSTEM, Introduced: 6.2.0, Fixed: 6.6.120
Type: ECOSYSTEM, Introduced: 6.7.0, Fixed: 6.12.64
Type: ECOSYSTEM, Introduced: 6.13.0, Fixed: 6.18.3

Database specific

source: "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-68800.json"