{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68209", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-12-16T13:41:40.255Z", "datePublished": "2025-12-16T13:48:36.098Z", "dateUpdated": "2025-12-16T13:48:36.098Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-12-16T13:48:36.098Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: Fix default values in create CQ\n\nCurrently, CQs without a completion function are assigned the\nmlx5_add_cq_to_tasklet function by default. This is problematic since\nonly user CQs created through the mlx5_ib driver are intended to use\nthis function.\n\nAdditionally, all CQs that will use doorbells instead of polling for\ncompletions must call mlx5_cq_arm. However, the default CQ creation flow\nleaves a valid value in the CQ's arm_db field, allowing FW to send\ninterrupts to polling-only CQs in certain corner cases.\n\nThese two factors would allow a polling-only kernel CQ to be triggered\nby an EQ interrupt and call a completion function intended only for user\nCQs, causing a null pointer exception.\n\nSome areas in the driver have prevented this issue with one-off fixes\nbut did not address the root cause.\n\nThis patch fixes the described issue by adding defaults to the create CQ\nflow. It adds a default dummy completion function to protect against\nnull pointer exceptions, and it sets an invalid command sequence number\nby default in kernel CQs to prevent the FW from sending an interrupt to\nthe CQ until it is armed. User CQs are responsible for their own\ninitialization values.\n\nCallers of mlx5_core_create_cq are responsible for changing the\ncompletion function and arming the CQ per their needs."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/mlx5/cq.c", "drivers/net/ethernet/mellanox/mlx5/core/cq.c", "drivers/net/ethernet/mellanox/mlx5/core/en_main.c", "drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c", "drivers/vdpa/mlx5/net/mlx5_vnet.c", "include/linux/mlx5/cq.h"], "versions": [{"version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa", "lessThan": "08469f5393a1a39f26a6e2eb2e8c33187665c1f4", "status": "affected", "versionType": "git"}, {"version": "cdd04f4d4d71cbf93d0d9abe63bc838f47c467fa", "lessThan": "e5eba42f01340f73888dfe560be2806057c25913", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/infiniband/hw/mlx5/cq.c", "drivers/net/ethernet/mellanox/mlx5/core/cq.c", "drivers/net/ethernet/mellanox/mlx5/core/en_main.c", "drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/hws/send.c", "drivers/net/ethernet/mellanox/mlx5/core/steering/sws/dr_send.c", "drivers/vdpa/mlx5/net/mlx5_vnet.c", "include/linux/mlx5/cq.h"], "versions": [{"version": "6.0", "status": "affected"}, {"version": "0", "lessThan": "6.0", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.9", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.17.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.18"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4"}, {"url": "https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913"}], "title": "mlx5: Fix default values in create CQ", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlx5: Fix default values in create CQ\n\nCurrently, CQs without a completion function are assigned the\nmlx5_add_cq_to_tasklet function by default. This is problematic since\nonly user CQs created through the mlx5_ib driver are intended to use\nthis function.\n\nAdditionally, all CQs that will use doorbells instead of polling for\ncompletions must call mlx5_cq_arm. However, the default CQ creation flow\nleaves a valid value in the CQ's arm_db field, allowing FW to send\ninterrupts to polling-only CQs in certain corner cases.\n\nThese two factors would allow a polling-only kernel CQ to be triggered\nby an EQ interrupt and call a completion function intended only for user\nCQs, causing a null pointer exception.\n\nSome areas in the driver have prevented this issue with one-off fixes\nbut did not address the root cause.\n\nThis patch fixes the described issue by adding defaults to the create CQ\nflow. It adds a default dummy completion function to protect against\nnull pointer exceptions, and it sets an invalid command sequence number\nby default in kernel CQs to prevent the FW from sending an interrupt to\nthe CQ until it is armed. User CQs are responsible for their own\ninitialization values.\n\nCallers of mlx5_core_create_cq are responsible for changing the\ncompletion function and arming the CQ per their needs."}], "id": "CVE-2025-68209", "lastModified": "2025-12-16T14:15:53.813", "metrics": {}, "published": "2025-12-16T14:15:53.813", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/08469f5393a1a39f26a6e2eb2e8c33187665c1f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e5eba42f01340f73888dfe560be2806057c25913"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{}