LiveActive security incident?Get immediate response
CVE Record

CVE-2025-68800: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Cited commit added a dedicated mutex (instead of RTNL) to protect the multicast route list, so that it will not change while the driver periodically traverses it in order to update the kernel about multicast route stats that were queried from the device. One instance of list entry deletion (during route replace) was missed and it can result in a use-after-free [1]. Fix by acquiring the mutex before deleting the entry from the list and releasing it afterwards. [1] BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043 CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full) Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum] Call Trace: <TASK> dump_stack_lvl+0xba/0x110 print_report+0x174/0x4f5 kasan_report+0xdf/0x110 mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x8f/0xa0 mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30 Freed by task 29933: kasan_save_stack+0x30/0x50 kasan_save_track+0x14/0x30 __kasan_save_free_info+0x3b/0x70 __kasan_slab_free+0x43/0x70 kfree+0x14e/0x700 mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum] mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum] process_one_work+0x9cc/0x18e0 worker_thread+0x5df/0xe40 kthread+0x3b8/0x730 ret_from_fork+0x3e9/0x560 ret_from_fork_asm+0x1a/0x30

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-68800 is a Linux kernel bug in the mlxsw Spectrum multicast routing driver. A missed lock can let one kernel worker read a route entry after another worker frees it. The source shows a KASAN use-after-free report, but no public severity score or confirmed exploitation.

Executive priority

Treat as a targeted kernel maintenance issue for Linux-based switching or routing platforms using mlxsw Spectrum hardware. It is not supported as internet-wide active exploitation in the supplied sources, but kernel memory-safety defects on network infrastructure merit timely patch tracking.

Technical view

The issue is a use-after-free in drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c during periodic multicast route statistics updates. A route replace path deleted a list entry without holding the dedicated multicast route mutex. The fix acquires that mutex around deletion so stats traversal cannot observe freed route data.

Likely exposure

Exposure appears limited to Linux systems using the mlxsw_spectrum driver with Spectrum multicast routing state. General Linux hosts that do not use this driver or feature are less likely to be exposed. The supplied version data is incomplete, so confirm with kernel or distribution advisories.

Exploitation context

The bundle does not cite active exploitation, KEV listing, exploit availability, or attacker prerequisites. Evidence is limited to a kernel KASAN crash trace showing slab use-after-free during route stats update after multicast route replacement.

Researcher notes

The root cause is missing synchronization in one route replacement deletion path after multicast route list protection moved from RTNL to a dedicated mutex. The public record does not provide CVSS, CWE, exploitability analysis, or detailed affected distribution mapping.

Mitigation direction

  • Apply a kernel or distribution update containing the linked stable mlxsw fixes.
  • Prioritize affected network appliances or hosts using Mellanox Spectrum mlxsw hardware.
  • Check vendor kernel advisories before assuming mainline version ranges map to your distribution.
  • If patching is delayed, review vendor guidance for feature-specific risk reduction.

Validation and detection

  • Inventory Linux systems using the mlxsw_spectrum kernel module or Mellanox Spectrum hardware.
  • Check running kernel versions against distribution advisories for CVE-2025-68800.
  • Confirm the applied kernel includes one of the referenced stable commits.
  • Review kernel logs for mlxsw_spectrum KASAN or use-after-free reports.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-68800 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
8Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxf38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701, f38656d067257cc43b652958dd154e1ab0773701unaffected
LinuxLinux5.7, 0, 5.10.248, 5.15.198, 6.1.160, 6.6.120, 6.12.64, 6.18.3, 6.19affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.