CVE-2025-38161
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the mlx5 driver for Mellanox network adapters. When firmware commands fail during RQ (Receive Queue) destruction, improper cleanup leads to kernel memory corruption that can cause system crashes or potential privilege escalation. Systems using RDMA with affected mlx5 drivers are vulnerable.
💻 Affected Systems
- Linux kernel with mlx5 RDMA driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, potential privilege escalation to kernel mode, or system instability requiring reboot.
Likely Case
System crash or kernel panic when RDMA operations fail, requiring system reboot and causing service disruption.
If Mitigated
System remains stable with proper patching; unpatched systems may experience crashes during RDMA operations.
🎯 Exploit Status
Exploitation requires triggering firmware command failures during RQ destruction; may be difficult to reliably trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in Linux kernel stable branches (commits referenced in CVE)
Vendor Advisory: https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. For distributions: Use package manager (yum update kernel / apt-get upgrade linux-image).
3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable RDMA mlx5 driver
Linux: Prevent loading of vulnerable mlx5 RDMA driver module
echo 'blacklist mlx5_ib' >> /etc/modprobe.d/blacklist.conf
rmmod mlx5_ib
Disable RDMA functionality
Linux: Disable RDMA subsystem if not required
echo 'blacklist rdma_ucm' >> /etc/modprobe.d/blacklist.conf
rmmod rdma_ucm rdma_cm ib_core
🧯 If You Can't Patch
- Restrict RDMA access to trusted users and systems only
- Monitor system logs for kernel panic or refcount warnings related to mlx5
🔍 How to Verify
Check if Vulnerable:
Check if mlx5_ib module is loaded: lsmod | grep mlx5_ib
Check Version:
uname -r
Verify Fix Applied:
Check kernel version after update matches patched version; verify no refcount warnings in dmesg
📡 Detection & Monitoring
Log Indicators:
- Kernel logs showing 'refcount_t: underflow; use-after-free'
- WARNING messages mentioning mlx5_core_put_rsc
- System crash/panic logs
Network Indicators:
- Unusual RDMA connection failures
SIEM Query:
source="kernel" AND ("refcount_t: underflow" OR "mlx5_core_put_rsc" OR "use-after-free")
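Added example (not part of the original advisory or the kernel project): the SIEM query above ORs its three strings, so any refcount underflow in the kernel matches it. The script below reports a hit only when the refcount warning and the mlx5_core_put_rsc frame appear inside the same WARNING splat. The function names scan_mlx5_refcount and sample_log are hypothetical, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.

# Constructed sample: two WARNING splats; only the first has an mlx5 frame.
sample_log() {
cat <<'EOF'
[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: underflow; use-after-free.
[  101.000003] WARNING: CPU: 0 PID: 1037 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
[  101.000004] Call trace:
[  101.000005]  refcount_warn_saturate+0xf4/0x148
[  101.000006]  mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
[  101.000007] ---[ end trace 0000000000000000 ]---
[  202.000001] ------------[ cut here ]------------
[  202.000002] refcount_t: underflow; use-after-free.
[  202.000003] Call trace:
[  202.000004]  example_put+0x10/0x20 [example_mod]
[  202.000005] ---[ end trace 0000000000000000 ]---
EOF
}

# Reads kernel log text on stdin, e.g. `dmesg | scan_mlx5_refcount`.
# Prints one HIT line per splat that contains BOTH indicators and
# returns 0 if any splat matched, 1 otherwise.
scan_mlx5_refcount() {
    awk '
        function emit() {
            if (in_splat && refc && mlx5) {
                printf "HIT lines %d-%d\n", start, last
                hits++
            }
            in_splat = 0
        }
        /\[ cut here / { emit(); in_splat = 1; refc = 0; mlx5 = 0; start = NR }
        in_splat { last = NR }
        in_splat && /refcount_t: underflow; use-after-free/ { refc = 1 }
        in_splat && /mlx5_core_put_rsc/ { mlx5 = 1 }
        in_splat && /\[ end trace/ { emit() }
        # A splat cut off by a crash or log rotation is still evaluated.
        END { emit(); exit (hits ? 0 : 1) }
    '
}

sample_log | scan_mlx5_refcount   # prints: HIT lines 1-7
```

The second splat in the sample is a refcount underflow from an unrelated module; the OR-based query would alert on it, while the correlated check does not.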
🔗 References
- https://git.kernel.org/stable/c/0a7790cbba654e925243571cf2f24d61603d3ed3
- https://git.kernel.org/stable/c/26d2f662d3a6655a82fd8a287e8b1ce471567f36
- https://git.kernel.org/stable/c/50ac361ff8914133e3cf6ef184bac90c22cb8d79
- https://git.kernel.org/stable/c/5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6
- https://git.kernel.org/stable/c/7c4c84cdcc19e89d42f6bf117238e5471173423e
- https://git.kernel.org/stable/c/cf32affe6f3801cfb72a65e69c4bc7a8ee9be100
- https://git.kernel.org/stable/c/f9784da76ad7be66230e829e743bdf68a2c49e56
- https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html