Out-of-Bounds Access Vulnerability in Linux Kernel's mlx5e Module
CVE-2025-21717

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 27 February 2025

Summary

A vulnerability exists in the Linux kernel's mlx5e module where the kvzalloc_node function does not perform a runtime check on the node argument. This lack of validation can lead to out-of-bounds access during ethtool and netlink operations, particularly when the mlx5e_open function is called on a CPU that exceeds the maximum number of nodes. The scenario can result in a kernel panic due to memory access violations, potentially destabilizing the system. Adding a missing cpu_to_node call has been identified as a necessary fix to ensure proper node ID conversion.

Affected Version(s)

Linux bb135e40129ddd254cfb474b58981313be79a631

Linux bb135e40129ddd254cfb474b58981313be79a631 < 979284535aaf12a287a2f43d9d5dfcbdc1dc4cac

Linux 6.13

References

https://git.kernel.org/stable/c/a275db45b4161d01716559dd7...

https://git.kernel.org/stable/c/979284535aaf12a287a2f43d9...

Timeline

Vulnerability published
Feb 27, 2025
Vulnerability Reserved
Dec 29, 2024