VYPR
Unrated severityNVD Advisory· Published Jan 13, 2026· Updated Apr 15, 2026

CVE-2025-68816

CVE-2025-68816

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: fw_tracer, Validate format string parameters

Add validation for format string parameters in the firmware tracer to prevent potential security vulnerabilities and crashes from malformed format strings received from firmware.

The firmware tracer receives format strings from the device firmware and uses them to format trace messages. Without proper validation, bad firmware could provide format strings with invalid format specifiers (e.g., %s, %p, %n) that could lead to crashes, or other undefined behavior.

Add mlx5_tracer_validate_params() to validate that all format specifiers in trace strings are limited to safe integer/hex formats (%x, %d, %i, %u, %llx, %lx, etc.). Reject strings containing other format types that could be used to access arbitrary memory or cause crashes. Invalid format strings are added to the trace output for visibility with "BAD_FORMAT: " prefix.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

82

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.