CVE-2025-68379
Description
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask.
Call Trace:
 rxe_modify_srq+0x170/0x480 [rdma_rxe]
 ? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
 ? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
 ? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
 ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
 ? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
 ? tryinc_node_nr_active+0xe6/0x150
 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
 ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
 ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
 ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
 ? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
 ? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
 ? __pfx___raw_spin_lock_irqsave+0x10/0x10
 ? __pfx_do_vfs_ioctl+0x10/0x10
 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
 ? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
 __x64_sys_ioctl+0x138/0x1c0
 do_syscall_64+0x82/0x250
 ? fdget_pos+0x58/0x4c0
 ? ksys_write+0xf3/0x1c0
 ? __pfx_ksys_write+0x10/0x10
 ? do_syscall_64+0xc8/0x250
 ? __pfx_vm_mmap_pgoff+0x10/0x10
 ? fget+0x173/0x230
 ? fput+0x2a/0x80
 ? ksys_mmap_pgoff+0x224/0x4c0
 ? do_syscall_64+0xc8/0x250
 ? do_user_addr_fault+0x37b/0xfe0
 ? clear_bhb_loop+0x50/0xa0
 ? clear_bhb_loop+0x50/0xa0
 ? clear_bhb_loop+0x50/0xa0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in the Linux kernel's RDMA/rxe driver can be triggered by two successive ibv_modify_srq() calls when the first resize fails, enabling a local denial of service.
Vulnerability
Overview
A NULL pointer dereference exists in the Linux kernel's RDMA/rxe (software RoCE) driver, in rxe_srq_chk_attr(). The root cause is the error handling of a failed shared receive queue (SRQ) resize. When ibv_modify_srq() is called twice in quick succession and the first call fails inside rxe_queue_resize(), rxe_srq_from_attr() sets srq->rq.queue to NULL but leaves the SRQ object itself alive. The second call reaches rxe_srq_chk_attr(), which reads srq->rq.queue->buf->index_mask without checking the pointer, and the kernel oopses [1][2].
Exploitation
Exploitation requires local access to a host on which the rdma_rxe module is loaded and a soft-RoCE device has been configured (creating one is an administrative step; using it is not), plus access to the uverbs character device (/dev/infiniband/uverbsN), whose permissions are set by the distribution's udev rules. The attacker creates an SRQ and issues two consecutive ibv_modify_srq() calls. The first must fail inside rxe_queue_resize(); the description says only "under certain error conditions", and the natural candidates on that path are a failed allocation or a failed user mapping of the replacement queue, since an invalid attribute would already have been rejected by rxe_srq_chk_attr() before the resize. That failure leaves srq->rq.queue NULL, and the second call dereferences it. No privilege beyond ordinary user-level RDMA access is needed [1][2].
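The two-call sequence from the Overview and Exploitation sections, reduced to a user-space model in C. This is an added example written for this page, not code from the kernel, the rdma_rxe driver or the referenced patches: every identifier (model_srq, model_queue_resize, MODEL_ALLOC_LIMIT and so on) is hypothetical, the allocation limit is a constructed stand-in for the unspecified error inside rxe_queue_resize(), and the hardened variant shows two generic repairs rather than the exact change in the referenced commits.

```c
/* Added illustration for this CVE page, not code from the Linux kernel, the
 * rdma_rxe driver or the referenced patches: a user-space model of the bug shape
 * described above, where a failed resize leaves the SRQ alive with a NULL queue
 * pointer and a later attribute check dereferences it. All names are hypothetical,
 * MODEL_ALLOC_LIMIT is a constructed stand-in for whatever makes rxe_queue_resize()
 * fail, and the "may only grow" rule in the check is a model rule, not the driver's. */
#include <errno.h>
#include <stdlib.h>
#define MODEL_ALLOC_LIMIT 1024u   /* constructed: larger queues fail to allocate */

struct model_buf   { unsigned int index_mask; };                      /* capacity - 1 */
struct model_queue { struct model_buf *buf; };
struct model_srq   { struct model_queue *queue; unsigned int max_wr; }; /* queue plays srq->rq.queue */

static struct model_queue *model_queue_init(unsigned int num_elem)
{
    unsigned int cap = 1;
    while (cap < num_elem) cap <<= 1;
    if (cap > MODEL_ALLOC_LIMIT) return NULL;                /* simulated -ENOMEM */
    struct model_queue *q = calloc(1, sizeof *q + sizeof *q->buf);
    if (!q) return NULL;
    q->buf = (struct model_buf *)(q + 1);                    /* buf lives in the same block */
    q->buf->index_mask = cap - 1;
    return q;
}

/* Same contract as rxe_queue_resize(): the replacement is built first, so on
 * failure the caller's existing queue is untouched and still valid. */
static int model_queue_resize(struct model_queue *q, unsigned int num_elem)
{
    struct model_queue *nq = model_queue_init(num_elem);
    if (!nq) return -ENOMEM;
    q->buf->index_mask = nq->buf->index_mask;                /* adopt the new capacity */
    free(nq);
    return 0;
}

/* Vulnerable shape: the error path clears srq->queue (as the description says)
 * and, in this model, frees the old queue, yet the SRQ object itself lives on. */
static int srq_from_attr_vulnerable(struct model_srq *srq, unsigned int max_wr)
{
    int err = model_queue_resize(srq->queue, max_wr);
    if (err) { free(srq->queue); srq->queue = NULL; return err; }
    srq->max_wr = max_wr;
    return 0;
}

/* Vulnerable check: reads queue->buf->index_mask with no NULL test. Only called on
 * a live queue below, because on a NULL one it faults just as the kernel did. */
static int srq_chk_attr_vulnerable(const struct model_srq *srq, unsigned int max_wr)
{
    if (max_wr <= srq->queue->buf->index_mask) return -EINVAL;   /* the crash site */
    return 0;
}

/* Hardened shape: (1) a failed resize keeps the still-valid old queue instead of
 * freeing it and clearing the pointer; (2) the check refuses an SRQ with no queue. */
static int srq_from_attr_hardened(struct model_srq *srq, unsigned int max_wr)
{
    int err = model_queue_resize(srq->queue, max_wr);
    if (!err) srq->max_wr = max_wr;
    return err;                            /* on failure srq->queue is left as it was */
}

static int srq_chk_attr_hardened(const struct model_srq *srq, unsigned int max_wr)
{
    if (!srq->queue) return -EINVAL;
    return srq_chk_attr_vulnerable(srq, max_wr);
}

/* Two modify calls against the vulnerable shape: 1 if the failing first call
 * leaves queue == NULL, i.e. the second call would dereference NULL. */
int vulnerable_sequence_leaves_null_queue(void)
{
    struct model_srq srq = { model_queue_init(64), 64 };
    int ok = srq_chk_attr_vulnerable(&srq, 4096) == 0;     /* validates fine... */
    int first = srq_from_attr_vulnerable(&srq, 4096);      /* ...then fails to resize */
    int null_after = ok && first == -ENOMEM && srq.queue == NULL;
    free(srq.queue);
    return null_after;
}

/* Same sequence against the hardened shape: the second call's result, 0 meaning
 * it ran normally on the preserved queue and grew it to 128 entries. */
int hardened_sequence_second_call(void)
{
    struct model_srq srq = { model_queue_init(64), 64 };
    int second = -1;
    if (srq_from_attr_hardened(&srq, 4096) == -ENOMEM && srq.queue) {
        second = srq_chk_attr_hardened(&srq, 128);
        if (second == 0) second = srq_from_attr_hardened(&srq, 128);
    }
    free(srq.queue);
    return second;
}

/* What the hardened check returns for an SRQ whose queue is already NULL. */
int hardened_check_on_null_queue(void)
{
    struct model_srq srq = { NULL, 64 };
    return srq_chk_attr_hardened(&srq, 128);
}
```

The three exported functions report the outcome instead of crashing: vulnerable_sequence_leaves_null_queue() returns 1 because the failing first call leaves the queue pointer NULL (the vulnerable check is deliberately not invoked on that state, since it would fault exactly as the kernel does), hardened_sequence_second_call() returns 0 because the surviving old queue lets the second call proceed, and hardened_check_on_null_queue() returns -EINVAL. The design point is the contract of the resize helper: because it builds the replacement before touching the old queue, a failure leaves nothing to clean up, so the error path that frees and NULLs the pointer is both unnecessary and the source of the bug.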
Impact
A successful trigger produces a kernel NULL pointer dereference in the ioctl path shown in the call trace. The kernel oopses and kills the calling task, any kernel locks that task held remain held, and on kernels configured with panic_on_oops, as many production systems are, the whole machine panics. The description claims no memory corruption, privilege escalation or data exposure; the impact is availability, a local denial of service [1][2].
Mitigation
The fix is in the mainline Linux kernel and in the stable commits listed under References; distributions are expected to backport it, so apply the latest kernel update for your distribution. The only documented workaround is not loading the rdma_rxe module (and not creating rxe devices) where soft-RoCE is not needed; restricting permissions on /dev/infiniband/uverbs* to the users that actually need RDMA also limits who can reach the vulnerable path [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References
- git.kernel.org/stable/c/503a5e4690ae14c18570141bc0dcf7501a8419b0 (source: NVD)
- git.kernel.org/stable/c/58aca869babd48cb9c3d6ee9e1452c4b9f5266a6 (source: NVD)
- git.kernel.org/stable/c/5dbeb421e137824aa9bd8358bdfc926a3965fc0d (source: NVD)
- git.kernel.org/stable/c/b8f6eeb87a76b6fb1f6381b0b2894568e1b784f7 (source: NVD)
- git.kernel.org/stable/c/bc4c14a3863cc0e03698caec9a0cdabd779776ee (source: NVD)