{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-39979", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.150Z", "datePublished": "2025-10-15T07:55:59.609Z", "dateUpdated": "2025-10-15T07:55:59.609Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-10-15T07:55:59.609Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, fix UAF in flow counter release\n\nFix a kernel trace [1] caused by releasing an HWS action of a local flow\ncounter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and\nmutex were not initialized and the counter struct could already be freed\nwhen deleting the rule.\n\nFix it by adding the missing initializations and adding refcount for the\nlocal flow counter struct.\n\n[1] Kernel log:\n Call Trace:\n <TASK>\n dump_stack_lvl+0x34/0x48\n mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]\n mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]\n mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]\n mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]\n del_hw_fte+0x1ce/0x260 [mlx5_core]\n mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]\n ? ttwu_queue_wakelist+0xf4/0x110\n mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]\n uverbs_free_flow+0x20/0x50 [ib_uverbs]\n destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]\n uobj_destroy+0x3c/0x80 [ib_uverbs]\n ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]\n ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]\n ? do_tty_write+0x1a9/0x270\n ? file_tty_write.constprop.0+0x98/0xc0\n ? new_sync_write+0xfc/0x190\n ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]\n __x64_sys_ioctl+0x87/0xc0\n do_syscall_64+0x59/0x90"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/fs_core.c", "drivers/net/ethernet/mellanox/mlx5/core/fs_core.h", "drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws_pools.c", "include/linux/mlx5/fs.h"], "versions": [{"version": "b581f4266928d3b5d1bbe711e39623d9a1696091", "lessThan": "3c77f6d244188c3fb11f6aec40bbfe884f1803b5", "status": "affected", "versionType": "git"}, {"version": "b581f4266928d3b5d1bbe711e39623d9a1696091", "lessThan": "6043819e707cefb1c9e59d6e431dcfa735c4f975", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/mellanox/mlx5/core/fs_core.c", "drivers/net/ethernet/mellanox/mlx5/core/fs_core.h", "drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/fs_hws_pools.c", "include/linux/mlx5/fs.h"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.16.10", "lessThanOrEqual": "6.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.16.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3c77f6d244188c3fb11f6aec40bbfe884f1803b5"}, {"url": "https://git.kernel.org/stable/c/6043819e707cefb1c9e59d6e431dcfa735c4f975"}], "title": "net/mlx5: fs, fix UAF in flow counter release", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, fix UAF in flow counter release\n\nFix a kernel trace [1] caused by releasing an HWS action of a local flow\ncounter in mlx5_cmd_hws_delete_fte(), where the HWS action refcount and\nmutex were not initialized and the counter struct could already be freed\nwhen deleting the rule.\n\nFix it by adding the missing initializations and adding refcount for the\nlocal flow counter struct.\n\n[1] Kernel log:\n Call Trace:\n <TASK>\n dump_stack_lvl+0x34/0x48\n mlx5_fs_put_hws_action.part.0.cold+0x21/0x94 [mlx5_core]\n mlx5_fc_put_hws_action+0x96/0xad [mlx5_core]\n mlx5_fs_destroy_fs_actions+0x8b/0x152 [mlx5_core]\n mlx5_cmd_hws_delete_fte+0x5a/0xa0 [mlx5_core]\n del_hw_fte+0x1ce/0x260 [mlx5_core]\n mlx5_del_flow_rules+0x12d/0x240 [mlx5_core]\n ? ttwu_queue_wakelist+0xf4/0x110\n mlx5_ib_destroy_flow+0x103/0x1b0 [mlx5_ib]\n uverbs_free_flow+0x20/0x50 [ib_uverbs]\n destroy_hw_idr_uobject+0x1b/0x50 [ib_uverbs]\n uverbs_destroy_uobject+0x34/0x1a0 [ib_uverbs]\n uobj_destroy+0x3c/0x80 [ib_uverbs]\n ib_uverbs_run_method+0x23e/0x360 [ib_uverbs]\n ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x14f/0x2c0 [ib_uverbs]\n ? do_tty_write+0x1a9/0x270\n ? file_tty_write.constprop.0+0x98/0xc0\n ? new_sync_write+0xfc/0x190\n ib_uverbs_ioctl+0xd7/0x160 [ib_uverbs]\n __x64_sys_ioctl+0x87/0xc0\n do_syscall_64+0x59/0x90"}], "id": "CVE-2025-39979", "lastModified": "2025-10-16T15:29:11.563", "metrics": {}, "published": "2025-10-15T08:15:35.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c77f6d244188c3fb11f6aec40bbfe884f1803b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6043819e707cefb1c9e59d6e431dcfa735c4f975"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net/mlx5: fs, fix UAF in flow counter release", "id": "2404109", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404109"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-39979", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-10-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-39979\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-39979\nhttps://lore.kernel.org/linux-cve-announce/2025101559-CVE-2025-39979-f1e9@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-10-20T13:27:13.692412+00:00", "updated": "2025-10-20T13:27:13.692436+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}