CVE-2025-22086 in Linux

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow

When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have.

The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number.

Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below.

This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver where the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp.

BUG: kernel NULL pointer dereference, address: 0000000000000012
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP
CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
FS:  0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
Call Trace:
 <TASK>
 ? __die+0x20/0x60
 ? page_fault_oops+0x150/0x3e0
 ? exc_page_fault+0x74/0x130
 ? asm_exc_page_fault+0x22/0x30
 ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
 __ib_process_cq+0x5a/0x150 [ib_core]
 ib_cq_poll_work+0x31/0x90 [ib_core]
 process_one_work+0x169/0x320
 worker_thread+0x288/0x3a0
 ? work_busy+0xb0/0xb0
 kthread+0xd7/0x1f0
 ? kthreads_online_cpu+0x130/0x130
 ? kthreads_online_cpu+0x130/0x130
 ret_from_fork+0x2d/0x50
 ? kthreads_online_cpu+0x130/0x130
 ret_from_fork_asm+0x11/0x20
 </TASK>


Analysis

by VulDB Data Team • 02/15/2026

The vulnerability CVE-2025-22086 resides within the Linux kernel's RDMA mlx5 driver, specifically affecting the mlx5_poll_one() function responsible for processing completion queue entries. This flaw represents a critical mismatch in QP (Queue Pair) identification logic that can lead to kernel NULL pointer dereferences and system instability. The issue manifests when the driver attempts to optimize performance by reusing previously fetched QP information from the radix tree, but incorrectly compares QP numbers from different sources. The root cause lies in the improper comparison between QP numbers from the firmware (CQE) and those stored in the driver's internal mlx5_ib_qp structure, rather than matching against the corresponding mlx5_core_qp structure which contains the correct firmware QP identifiers.

The flaw occurs while processing completion queue entries: to avoid a redundant radix-tree lookup, the driver checks whether the QP number in the next CQE matches the QP it already holds in cur_qp. That check compares the firmware-assigned QP number carried in the CQE against the QP number stored in mlx5_ib_qp, but the firmware QP number lives in mlx5_core_qp, and the two values do not necessarily agree. The mismatch matters for QP numbers 0 and 1, which are currently the only QPs in the driver whose mlx5_ib_qp number differs from the firmware number in mlx5_core_qp. When the comparison wrongly reports a match, the driver handles the CQE with the wrong QP structure, leading to invalid memory accesses and ultimately a kernel oops.
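The comparison described above, modelled as an added example that is not code from the kernel or from this advisory. The structs are simplified stand-ins (mqp stands in for the driver's trans_qp.base.mqp), a small array replaces the radix tree, and the QP numbers are constructed so that QP0's firmware number collides with QP1's verbs-level number; the buggy check compares the CQE's firmware number against ibqp.qp_num, the fixed one against the firmware number in mlx5_core_qp.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the kernel structures (not the real layouts). */
struct mlx5_core_qp { uint32_t qpn; };        /* firmware QP number */
struct ib_qp        { uint32_t qp_num; };     /* verbs-level QP number */
struct mlx5_ib_qp {
	struct ib_qp        ibqp;
	struct mlx5_core_qp mqp;                  /* real driver: trans_qp.base.mqp */
};

/* Constructed QPs: QP0 and QP1 are the cases where the two numbers differ. */
struct mlx5_ib_qp qp0 = { .ibqp = { 0 }, .mqp = { 0x01 } };
struct mlx5_ib_qp qp1 = { .ibqp = { 1 }, .mqp = { 0xb0 } };
static struct mlx5_ib_qp *qp_table[] = { &qp0, &qp1 };   /* radix tree stand-in */

/* Lookup keyed by firmware qpn, as the driver's QP table is. */
static struct mlx5_ib_qp *qp_lookup(uint32_t fw_qpn)
{
	for (size_t i = 0; i < sizeof(qp_table) / sizeof(qp_table[0]); i++)
		if (qp_table[i]->mqp.qpn == fw_qpn)
			return qp_table[i];
	return NULL;
}

/* Buggy check: firmware qpn from the CQE vs. verbs-level qp_num. */
struct mlx5_ib_qp *resolve_qp_buggy(struct mlx5_ib_qp *cur_qp, uint32_t cqe_qpn)
{
	if (!cur_qp || cqe_qpn != cur_qp->ibqp.qp_num)
		return qp_lookup(cqe_qpn);
	return cur_qp;                            /* "same QP": lookup skipped */
}

/* Fixed check: firmware qpn vs. firmware qpn. */
struct mlx5_ib_qp *resolve_qp_fixed(struct mlx5_ib_qp *cur_qp, uint32_t cqe_qpn)
{
	if (!cur_qp || cqe_qpn != cur_qp->mqp.qpn)
		return qp_lookup(cqe_qpn);
	return cur_qp;
}

/* Two consecutive CQEs: first for QP1 (fw 0xb0), then for QP0 (fw 0x01).
 * Returns true if the buggy check hands the second CQE to the wrong QP
 * while the fixed check resolves it to QP0. */
bool demo_wrong_qp_reuse(void)
{
	struct mlx5_ib_qp *cur = resolve_qp_buggy(NULL, 0xb0);   /* both agree: qp1 */
	struct mlx5_ib_qp *buggy = resolve_qp_buggy(cur, 0x01);  /* 1 == qp1.ibqp.qp_num */
	struct mlx5_ib_qp *fixed = resolve_qp_fixed(cur, 0x01);  /* 1 != qp1.mqp.qpn */
	return cur == &qp1 && buggy == &qp1 && fixed == &qp0;
}
```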

The operational impact of this vulnerability is severe as it can trigger kernel NULL pointer dereferences, causing system crashes and potential denial of service conditions. The specific error pattern shows a supervisor read access violation at address 0x12, indicating that the kernel attempts to access invalid memory locations when processing completion queue entries. The affected kernel thread kworker/u62:1 executing ib_cq_poll_work demonstrates that this vulnerability impacts the core InfiniBand completion queue processing mechanism. The crash occurs in the mlx5_ib_poll_cq function where the driver attempts to dereference a corrupted QP pointer, resulting in a complete system halt and requiring manual intervention or reboot to restore normal operation.

Mitigation strategies for CVE-2025-22086 should focus on immediate kernel updates that correct the QP number comparison logic within the mlx5_poll_one() function. System administrators should prioritize patching affected kernel versions to ensure proper alignment between firmware QP numbers and driver internal representations. Additionally, monitoring systems should be configured to detect unusual kernel oops patterns or completion queue processing failures that may indicate exploitation attempts. The fix involves correcting the comparison logic to ensure QP numbers from CQE entries are matched against the appropriate mlx5_core_qp structure rather than the mlx5_ib_qp structure, thereby preventing the incorrect QP reference that leads to the NULL pointer dereference. Organizations should also consider implementing runtime protections such as kernel lockdown modes and enhanced memory protection mechanisms to limit the potential impact of similar vulnerabilities in the RDMA subsystem.

This vulnerability aligns with CWE-476 which describes NULL pointer dereference conditions, and maps to ATT&CK technique T1059.001 for kernel-level code execution and T1484.001 for privilege escalation through kernel exploitation. The flaw represents a classic case of incorrect data type comparison in kernel space, where improper abstraction layer handling leads to critical system instability. The vulnerability demonstrates the importance of maintaining consistency between different kernel subsystem interfaces and the potential for seemingly minor logic errors to cause catastrophic system failures in high-performance networking drivers.

Responsible: Linux
Reservation: 12/29/2024
Disclosure: 04/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.00176
KEV: no
Activities: very low
