CVE-2025-68800: mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
In the Linux kernel, the following vulnerability has been resolved:
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Security readout for executives and security teams
Plain-English summary
CVE-2025-68800 is a Linux kernel bug in the mlxsw Spectrum multicast routing driver. A missed lock can let one kernel worker read a route entry after another worker frees it. The source shows a KASAN use-after-free report, but no public severity score or confirmed exploitation.
Executive priority
Treat as a targeted kernel maintenance issue for Linux-based switching or routing platforms using mlxsw Spectrum hardware. It is not supported as internet-wide active exploitation in the supplied sources, but kernel memory-safety defects on network infrastructure merit timely patch tracking.
Technical view
The issue is a use-after-free in drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c during periodic multicast route statistics updates. A route replace path deleted a list entry without holding the dedicated multicast route mutex. The fix acquires that mutex around deletion so stats traversal cannot observe freed route data.
Likely exposure
Exposure appears limited to Linux systems using the mlxsw_spectrum driver with Spectrum multicast routing state. General Linux hosts that do not use this driver or feature are less likely to be exposed. The supplied version data is incomplete, so confirm with kernel or distribution advisories.
Exploitation context
The bundle does not cite active exploitation, KEV listing, exploit availability, or attacker prerequisites. Evidence is limited to a kernel KASAN crash trace showing slab use-after-free during route stats update after multicast route replacement.
Researcher notes
The root cause is missing synchronization in one route replacement deletion path after multicast route list protection moved from RTNL to a dedicated mutex. The public record does not provide CVSS, CWE, exploitability analysis, or detailed affected distribution mapping.
Mitigation direction
Apply a kernel or distribution update containing the linked stable mlxsw fixes.
Prioritize affected network appliances or hosts using Mellanox Spectrum mlxsw hardware.
Check vendor kernel advisories before assuming mainline version ranges map to your distribution.
If patching is delayed, review vendor guidance for feature-specific risk reduction.
Validation and detection
Inventory Linux systems using the mlxsw_spectrum kernel module or Mellanox Spectrum hardware.
Check running kernel versions against distribution advisories for CVE-2025-68800.
Confirm the applied kernel includes one of the referenced stable commits.
Review kernel logs for mlxsw_spectrum KASAN or use-after-free reports.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2025-68800 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.