VYPR
Unrated severity · NVD Advisory · Published Oct 15, 2025 · Updated Apr 15, 2026

CVE-2025-39979

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: fs, fix UAF in flow counter release

Fix a kernel trace [1] caused by releasing an HWS action of a local flow counter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and mutex were not initialized and the counter struct could already be freed when deleting the rule.

Fix it by adding the missing initializations and adding refcount for the local flow counter struct.

[1] Kernel log:

Call Trace:
 dump_stack_lvl+0x34/0x48
 mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
 mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
 mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
 mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
 del_hw_fte+0x1ce/0x260 [mlx5_core]
 mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]
 ? ttwu_queue_wakelist+0xf4/0x110
 mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]
 uverbs_free_flow+0x20/0x50 [ib_uverbs]
 destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]
 uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]
 uobj_destroy+0x3c/0x80 [ib_uverbs]
 ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]
 ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]
 ? do_tty_write+0x1a9/0x270
 ? file_tty_write.constprop.0+0x98/0xc0
 ? new_sync_write+0xfc/0x190
 ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]
 __x64_sys_ioctl+0x87/0xc0
 do_syscall_64+0x59/0x90
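A triage sketch for the trace above, added here as an example and not part of the advisory or the kernel patch: it parses call-trace frames from a kernel log and reports whether the confirmed mlx5_core frames follow the release path shown in this CVE. The names `SIGNATURE`, `parse_frames` and `matches_signature` are assumptions made for this example; `SAMPLE` is an excerpt of the advisory's own trace.

```python
import re

# Reliable frames from the advisory's trace, innermost first.
SIGNATURE = [
    "mlx5_fs_put_hws_action",
    "mlx5_fc_put_hws_action",
    "mlx5_fs_destroy_fs_actions",
    "mlx5_cmd_hws_delete_fte",
]

# One frame: "func+0xoff/0xsize [module]"; a leading "? " marks a frame the
# unwinder could not confirm, so it is ignored for matching.
FRAME = re.compile(
    r"(?P<guess>\?\s+)?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?:\s+\[(?P<mod>\w+)\])?"
)

# Excerpt of the trace quoted in the advisory, one frame per line.
SAMPLE = """\
 dump_stack_lvl+0x34/0x48
 mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]
 mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]
 mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]
 mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]
 del_hw_fte+0x1ce/0x260 [mlx5_core]
 ? ttwu_queue_wakelist+0xf4/0x110
 mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]
"""

def parse_frames(log_text):
    """Return (function, module) for each confirmed frame, in log order."""
    frames = []
    for m in FRAME.finditer(log_text):
        if m.group("guess"):
            continue
        # Drop compiler-generated suffixes such as ".part.0.cold".
        frames.append((m.group("func").split(".", 1)[0], m.group("mod")))
    return frames

def matches_signature(log_text):
    """True if the mlx5_core frames contain SIGNATURE as an ordered subsequence."""
    funcs = iter(f for f, mod in parse_frames(log_text) if mod == "mlx5_core")
    return all(any(f == want for f in funcs) for want in SIGNATURE)

if __name__ == "__main__":
    print(matches_signature(SAMPLE))
```

Matching uses function names only, because the `+0xoff/0xsize` values differ between kernel builds. A match means a log shows the crash path described in this advisory; it says nothing about whether the running kernel carries the fix.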

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in the Linux kernel's mlx5 flow steering subsystem can cause a kernel crash when releasing hardware steering actions for local flow counters.

Vulnerability Overview

A use-after-free (UAF) vulnerability exists in the Mellanox MLX5 flow steering (fs) subsystem in the Linux kernel. When deleting a flow table entry (FTE) via mlx5_cmd_hws_delete_fte(), the code attempts to release an HWS action associated with a local flow counter. However, the HWS action structure's refcount and mutex were not properly initialized, and the underlying counter struct could already have been freed by the time the action release runs. This race condition leads to a kernel trace and potential system crash [1].

Exploitation Prerequisites

The issue can be triggered by any user or process that has the capability to create and destroy InfiniBand (IB) flow steering rules using the mlx5_ib driver and the ib_uverbs interface. This typically requires local access with sufficient privileges to interact with the InfiniBand subsystem, though the exact user namespace requirements depend on system configuration. The attacker does not need physical access—only the ability to issue the appropriate ioctl calls that invoke mlx5_ib_destroy_flow() and ultimately lead to the vulnerable code path [1].

Impact

A successful exploit results in a kernel crash (panic or Oops), leading to a denial of service (DoS) condition on the affected system. There is no evidence in the provided sources of an information leak or privilege escalation, but the instability can disrupt system availability indefinitely [1].

Mitigation

The fix is included in the Linux kernel stable commit 3c77f6d244188c3fb11f6aec40bbfe884f1803b5. This commit adds proper initialization of the HWS action's refcount and mutex, and introduces a reference count for the local flow counter structure to prevent premature freeing. System administrators should apply the latest kernel updates from their distribution. No workaround is documented in the advisory. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) list at this time [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
