CVE-2025-68379 in Linuxinfo

Summary

by MITRE • 12/24/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix null deref on srq->rq.queue after resize failure

A NULL pointer dereference can occur in rxe_srq_chk_attr() when ibv_modify_srq() is invoked twice in succession under certain error conditions. The first call may fail in rxe_queue_resize(), which leads rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then triggers a crash (null deref) when accessing srq->rq.queue->buf->index_mask.

Call Trace: <TASK> rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150 ? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10 ? __pfx_do_vfs_ioctl+0x10/0x10 ? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0 ? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10 ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0 do_syscall_64+0x82/0x250 ? fdget_pos+0x58/0x4c0 ? ksys_write+0xf3/0x1c0 ? __pfx_ksys_write+0x10/0x10 ? do_syscall_64+0xc8/0x250 ? __pfx_vm_mmap_pgoff+0x10/0x10 ? fget+0x173/0x230 ? fput+0x2a/0x80 ? ksys_mmap_pgoff+0x224/0x4c0 ? do_syscall_64+0xc8/0x250 ? do_user_addr_fault+0x37b/0xfe0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 ? clear_bhb_loop+0x50/0xa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/12/2026

The vulnerability CVE-2025-68379 represents a critical null pointer dereference flaw within the Linux kernel's RDMA/rxe subsystem, specifically affecting the rxe_srq_chk_attr() function. This issue arises from improper handling of SRQ (Shared Receive Queue) resize operations when ibv_modify_srq() is invoked consecutively under specific error conditions. The flaw demonstrates characteristics consistent with CWE-476 Null Pointer Dereference, a well-documented weakness that can lead to system crashes and potential privilege escalation scenarios. The vulnerability exists in the rdma_rxe kernel module which implements the software RDMA implementation, making it particularly concerning for systems relying on virtualized RDMA functionality.

The technical execution path begins with a failed call to rxe_queue_resize() during the first invocation of ibv_modify_srq(), which causes rxe_srq_from_attr() to set srq->rq.queue = NULL as a defensive measure. When the second consecutive call to ibv_modify_srq() occurs, the system attempts to access srq->rq.queue->buf->index_mask without proper null checking, resulting in immediate kernel panic. This sequence of events creates a classic race condition scenario where error handling logic fails to account for subsequent operations on already-nullified pointers. The call trace demonstrates the execution flow from user-space ioctl handlers through the ib_uverbs module down to the rxe_modify_srq function, highlighting the multi-layered nature of the vulnerability across kernel subsystem boundaries.

The operational impact of this vulnerability extends beyond simple system crashes, as it can be exploited to cause denial of service attacks against RDMA-enabled systems. Attackers could potentially leverage this flaw to repeatedly trigger the resize failure scenario, leading to persistent system instability. The vulnerability affects systems running Linux kernels with RDMA/rxe support, particularly those utilizing software-based RDMA implementations for virtualized environments or testing scenarios. From an attacker perspective, this represents a reliable crash exploit with minimal prerequisites, aligning with ATT&CK technique T1499.004 for network denial of service. The flaw also demonstrates poor defensive programming practices in kernel space, where error recovery paths fail to properly validate state transitions before proceeding with subsequent operations.

Mitigation strategies for CVE-2025-68379 should prioritize applying the relevant kernel security patches as soon as they become available from the Linux kernel security team. System administrators should also implement monitoring for abnormal RDMA-related system calls and consider temporarily disabling RDMA functionality in affected systems until patches are deployed. Additionally, the vulnerability highlights the importance of robust error handling in kernel modules, particularly those managing hardware resources like RDMA queues. Organizations should conduct thorough testing of updated kernel versions to ensure compatibility with existing RDMA workloads while implementing proper input validation and state checking mechanisms. The fix should include explicit null pointer checks before accessing queue structures and proper state management during resize operations to prevent similar issues in related subsystems.

Responsible

Linux

Reservation

12/16/2025

Disclosure

12/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00157

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!