{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T14:15:24.459","vulnerabilities":[{"cve":{"id":"CVE-2025-21714","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-27T02:15:15.050","lastModified":"2025-03-24T17:50:26.843","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix implicit ODP use after free\n\nPrevent double queueing of implicit ODP mr destroy work by using\n__xa_cmpxchg() to make sure this is the only time we are destroying this\nspecific mr.\n\nWithout this change, we could try to invalidate this mr twice, which in\nturn could result in queuing a MR work destroy twice, and eventually the\nsecond work could execute after the MR was freed due to the first work,\ncausing a user after free and trace below.\n\n   refcount_t: underflow; use-after-free.\n   WARNING: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130\n   Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs]\n   CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n   Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib]\n   RIP: 0010:refcount_warn_saturate+0x12b/0x130\n   Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff <0f> 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff\n   RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286\n   RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027\n   RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0\n   RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019\n   R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00\n   R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0\n   FS:  0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000\n   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n   CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0\n   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n   Call Trace:\n    <TASK>\n    ? refcount_warn_saturate+0x12b/0x130\n    free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib]\n    process_one_work+0x1cc/0x3c0\n    worker_thread+0x218/0x3c0\n    kthread+0xc6/0xf0\n    ret_from_fork+0x1f/0x30\n    </TASK>"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: RDMA/mlx5: Arreglar el uso implícito de ODP después de la liberación Evitar la puesta en cola doble del trabajo de destrucción de mr de ODP implícito mediante __xa_cmpxchg() para asegurarse de que esta sea la única vez que destruyamos este mr específico. Sin este cambio, podríamos intentar invalidar este mr dos veces, lo que a su vez podría resultar en poner en cola una destrucción de trabajo de MR dos veces, y eventualmente el segundo trabajo podría ejecutarse después de que el MR se liberara debido al primer trabajo, causando un user after free y un seguimiento a continuación. refcount_t: desbordamiento insuficiente; use after free. ADVERTENCIA: CPU: 2 PID: 12178 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x130 Modules linked in: bonding ib_ipoib vfio_pci ip_gre geneve nf_tables ip6_gre gre ip6_tunnel tunnel6 ipip tunnel4 ib_umad rdma_ucm mlx5_vfio_pci vfio_pci_core vfio_iommu_type1 mlx5_ib vfio ib_uverbs mlx5_core iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: ib_uverbs] CPU: 2 PID: 12178 Comm: kworker/u20:5 Not tainted 6.5.0-rc1_net_next_mlx5_58c644e #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound free_implicit_child_mr_work [mlx5_ib] RIP: 0010:refcount_warn_saturate+0x12b/0x130 Code: 48 c7 c7 38 95 2a 82 c6 05 bc c6 fe 00 01 e8 0c 66 aa ff 0f 0b 5b c3 48 c7 c7 e0 94 2a 82 c6 05 a7 c6 fe 00 01 e8 f5 65 aa ff &lt;0f&gt; 0b 5b c3 90 8b 07 3d 00 00 00 c0 74 12 83 f8 01 74 13 8d 50 ff RSP: 0018:ffff8881008e3e40 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027 RDX: ffff88852c91b5c8 RSI: 0000000000000001 RDI: ffff88852c91b5c0 RBP: ffff8881dacd4e00 R08: 00000000ffffffff R09: 0000000000000019 R10: 000000000000072e R11: 0000000063666572 R12: ffff88812bfd9e00 R13: ffff8881c792d200 R14: ffff88810011c005 R15: ffff8881002099c0 FS: 0000000000000000(0000) GS:ffff88852c900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5694b5e000 CR3: 00000001153f6003 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:  ? refcount_warn_saturate+0x12b/0x130 free_implicit_child_mr_work+0x180/0x1b0 [mlx5_ib] process_one_work+0x1cc/0x3c0 worker_thread+0x218/0x3c0 kthread+0xc6/0xf0 ret_from_fork+0x1f/0x30  "}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"6.12.13","matchCriteriaId":"B933A002-DFC5-4A26-9D4C-8D837AD213ED"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.2","matchCriteriaId":"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7cc8f681f6d4ae4478ae0f60485fc768f2b450da","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/d3d930411ce390e532470194296658a960887773","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/edfb65dbb9ffd3102f3ff4dd21316158e56f1976","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]}]}}]}