CVE-2025-68209
BaseFortify

Publication date: 2025-12-16

Last updated on: 2025-12-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

mlx5: Fix default values in create CQ

Currently, CQs without a completion function are assigned the mlx5_add_cq_to_tasklet function by default. This is problematic since only user CQs created through the mlx5_ib driver are intended to use this function.

Additionally, all CQs that will use doorbells instead of polling for completions must call mlx5_cq_arm. However, the default CQ creation flow leaves a valid value in the CQ's arm_db field, allowing FW to send interrupts to polling-only CQs in certain corner cases.

These two factors would allow a polling-only kernel CQ to be triggered by an EQ interrupt and call a completion function intended only for user CQs, causing a null pointer exception. Some areas in the driver have prevented this issue with one-off fixes but did not address the root cause.

This patch fixes the described issue by adding defaults to the create CQ flow. It adds a default dummy completion function to protect against null pointer exceptions, and it sets an invalid command sequence number by default in kernel CQs to prevent the FW from sending an interrupt to the CQ until it is armed. User CQs are responsible for their own initialization values. Callers of mlx5_core_create_cq are responsible for changing the completion function and arming the CQ per their needs.
Meta Information

Generated: 2026-05-07
AI Q&A: 2025-12-16
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: linux | Product: kernel | Version / Range: *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's mlx5 driver involves the creation of Completion Queues (CQs). By default, CQs without a completion function are assigned a function intended only for user CQs, which can cause a null pointer exception if triggered. Additionally, kernel CQs that use doorbells instead of polling must be properly armed, but the default creation flow leaves a valid arm_db value, allowing firmware to send interrupts to polling-only CQs in some cases. This can cause a polling-only kernel CQ to be triggered incorrectly, leading to a null pointer exception. The fix adds default dummy completion functions and invalid command sequence numbers to prevent these issues.


How can this vulnerability impact me?

This vulnerability can cause a null pointer exception in the kernel when a polling-only Completion Queue is incorrectly triggered by an interrupt. This could lead to kernel instability or crashes, potentially affecting system reliability and availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version that includes the patch fixing the mlx5 create CQ defaults. This patch adds a default dummy completion function and sets an invalid command sequence number by default in kernel CQs to prevent null pointer exceptions and unwanted interrupts. Ensure that callers of mlx5_core_create_cq properly set the completion function and arm the CQ as needed.

