Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68779

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Avoid unregistering PSP twice

PSP is unregistered twice in:
  _mlx5e_remove -> mlx5e_psp_unregister
  mlx5e_nic_cleanup -> mlx5e_psp_unregister

This leads to a refcount underflow in some conditions:
  ------------[ cut here ]------------
  refcount_t: underflow; use-after-free.
  WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
  [...]
  mlx5e_psp_unregister+0x26/0x50 [mlx5_core]
  mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]
  mlx5e_remove+0xe6/0x1f0 [mlx5_core]
  auxiliary_bus_remove+0x18/0x30
  device_release_driver_internal+0x194/0x1f0
  bus_remove_device+0xc6/0x130
  device_del+0x159/0x3c0
  mlx5_rescan_drivers_locked+0xbc/0x2a0 [mlx5_core]
  [...]

Do not directly remove psp from the _mlx5e_remove path; the PSP cleanup happens as part of profile cleanup.
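
Added example (not part of the advisory or the kernel patch): a Python triage helper that scans kernel log text for the refcount underflow report quoted above and flags reports whose call trace reaches mlx5e_psp_unregister from mlx5e_nic_cleanup. The sample log is constructed from the frames in this description, with made-up timestamps and a hypothetical unrelated report (example_put, example_mod); the frame regex assumes the usual symbol+0xoffset/0xsize trace format.

```python
import re

# Warning text and mlx5e frame names are taken from the advisory's trace.
UNDERFLOW = "refcount_t: underflow; use-after-free."
BOUNDARY = re.compile(r"\[ (?:cut here|end trace)")
FRAME = re.compile(r"([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample: the advisory's frames with made-up timestamps, followed
# by a hypothetical unrelated underflow report (example_put / example_mod).
SAMPLE_LOG = """\
[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: underflow; use-after-free.
[  101.000003] WARNING: CPU: 2 PID: 1694 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0
[  101.000004]  mlx5e_psp_unregister+0x26/0x50 [mlx5_core]
[  101.000005]  mlx5e_nic_cleanup+0x26/0x90 [mlx5_core]
[  101.000006]  mlx5e_remove+0xe6/0x1f0 [mlx5_core]
[  101.000007] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] refcount_t: underflow; use-after-free.
[  202.000003]  example_put+0x10/0x20 [example_mod]
[  202.000004] ---[ end trace 0000000000000000 ]---
"""

def find_psp_double_unregister(log_text):
    """One dict per underflow report; 'match' means mlx5e_psp_unregister was
    reached from mlx5e_nic_cleanup, the path named in the advisory."""
    reports, current = [], None
    for line in log_text.splitlines():
        if UNDERFLOW in line:
            current = {"frames": [], "match": False}
            reports.append(current)
        elif current is not None and BOUNDARY.search(line):
            current = None  # end of this report
        elif current is not None:
            frame = FRAME.search(line)
            if frame:
                current["frames"].append(frame.group(1))
    for report in reports:
        frames = report["frames"]
        if "mlx5e_psp_unregister" in frames:
            callers = frames[frames.index("mlx5e_psp_unregister") + 1:]
            report["match"] = "mlx5e_nic_cleanup" in callers
    return reports

if __name__ == "__main__":
    for n, report in enumerate(find_psp_double_unregister(SAMPLE_LOG), 1):
        verdict = "CVE-2025-68779 path" if report["match"] else "other underflow"
        print(f"report {n}: {verdict}: {' <- '.join(report['frames'])}")
```

A report flagged as the CVE-2025-68779 path on a host indicates the running kernel still carries the duplicate unregister and should be updated.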

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-unregister of the PSP (Port-Specific Protocol) in the Linux kernel's mlx5e driver can cause a refcount underflow, leading to a use-after-free condition.

Vulnerability Analysis

The Linux kernel's mlx5e network driver contains a use-after-free vulnerability (CVE-2025-68779) stemming from a logic error in its packet scheduler (PSP). Specifically, the mlx5e_psp_unregister function is called twice in the driver removal code path: first within _mlx5e_remove and again within mlx5e_nic_cleanup. This leads to a refcount underflow, as demonstrated by the address sanitizer warning indicating a use-after-free condition [1]. The root cause is improper code organization: the PSP cleanup is explicitly triggered by _mlx5e_remove before the normal cleanup sequence runs again as part of the profile cleanup in mlx5e_nic_cleanup.

Exploitation

An attacker with the ability to trigger driver removal (e.g., through device hot-unplug, driver reload, or certain error-handling paths) can cause the kernel to hit this refcount bug. The attack surface is local; no network access is required, as it is a kernel-level driver issue. The prerequisite is that the attacker must be able to cause the mlx5e driver to be removed from a Mellanox/MLX5 network device, which typically requires root privileges or CAP_NET_ADMIN to unbind the driver or force a device removal.

Impact

When triggered, the refcount underflow results in a kernel warning and potential memory corruption (use-after-free). The most likely outcome of a successful exploit is a kernel panic (denial of service). In principle, a local attacker could escalate privileges or execute arbitrary code, though reliable exploitation for code execution is more complex and depends on heap state. The vulnerability is considered medium severity in stable kernels.

Mitigation

The fix, merged into the Linux kernel stable tree [1], removes the direct call to mlx5e_psp_unregister from the _mlx5e_remove path, ensuring the PSP cleanup only happens once during the profile cleanup in mlx5e_nic_cleanup. Users can apply the kernel patch referenced in [1] or update to a kernel version that includes the fix. No workaround is available. The vulnerability is not known to be exploited in the wild (no KEV listing).

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
