
CVE-2025-22086: Vulnerability in the Linux kernel

Severity: High
Published: Wed Apr 16 2025 (04/16/2025, 14:12:34 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow

When cur_qp isn't NULL, in order to avoid fetching the QP from the radix tree again we check if the next cqe QP is identical to the one we already have. The bug however is that we are checking if the QP is identical by checking the QP number inside the CQE against the QP number inside the mlx5_ib_qp, but that's wrong since the QP number from the CQE is from FW so it should be matched against mlx5_core_qp which is our FW QP number. Otherwise we could use the wrong QP when handling a CQE which could cause the kernel trace below.

This issue is mainly noticeable over QPs 0 & 1, since for now they are the only QPs in our driver whereas the QP number inside mlx5_ib_qp doesn't match the QP number inside mlx5_core_qp.

    BUG: kernel NULL pointer dereference, address: 0000000000000012
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    Oops: Oops: 0000 [#1] SMP
    CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
    RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
    Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
    RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
    RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
    RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
    R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
    R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
    FS:  0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
    Call Trace:
     <TASK>
     ? __die+0x20/0x60
     ? page_fault_oops+0x150/0x3e0
     ? exc_page_fault+0x74/0x130
     ? asm_exc_page_fault+0x22/0x30
     ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
     __ib_process_cq+0x5a/0x150 [ib_core]
     ib_cq_poll_work+0x31/0x90 [ib_core]
     process_one_work+0x169/0x320
     worker_thread+0x288/0x3a0
     ? work_busy+0xb0/0xb0
     kthread+0xd7/0x1f0
     ? kthreads_online_cpu+0x130/0x130
     ? kthreads_online_cpu+0x130/0x130
     ret_from_fork+0x2d/0x50
     ? kthreads_online_cpu+0x130/0x130
     ret_from_fork_asm+0x11/0x20
     </TASK>

AI-Powered Analysis

Last updated: 07/03/2025, 21:09:59 UTC

Technical Analysis

CVE-2025-22086 is a vulnerability in the Linux kernel's RDMA (Remote Direct Memory Access) subsystem, specifically in the Mellanox mlx5 driver. The issue lies in mlx5_poll_one(), the function that polls completion queue entries (CQEs) and maintains the cached current queue pair (cur_qp). The vulnerability stems from incorrect comparison logic: the QP (queue pair) number extracted from the CQE, which originates from firmware (FW), is compared against the QP number stored in mlx5_ib_qp, a software structure whose QP number does not necessarily follow the firmware's numbering scheme. The correct comparison is against mlx5_core_qp, which holds the FW QP number. This mismatch can lead the driver to use an incorrect QP when processing a CQE, resulting in a NULL pointer dereference and a kernel oops (crash). The bug is particularly evident with QPs 0 and 1, which for now are the only QPs in the driver whose mlx5_ib_qp QP number differs from the mlx5_core_qp QP number. The kernel crash manifests as a supervisor read access fault on a NULL-based address, causing a denial of service (DoS) condition on affected systems. The vulnerability affects Linux kernel versions identified by the commit hash e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c and was publicly disclosed on April 16, 2025. No known exploits are reported in the wild at this time, and no CVSS score has been assigned. The issue is technical and low-level, impacting the stability and reliability of systems using the mlx5 RDMA driver, which is common in high-performance computing and data center environments relying on Mellanox hardware for RDMA capabilities.

Potential Impact

For European organizations, the impact of CVE-2025-22086 can be significant, particularly for enterprises and research institutions that utilize Linux servers with Mellanox RDMA-enabled network interfaces. These environments often include data centers, cloud service providers, and HPC clusters where RDMA is leveraged for low-latency, high-throughput networking. The kernel crash caused by this vulnerability results in denial of service, potentially disrupting critical applications and services dependent on RDMA communication. This can lead to downtime, loss of productivity, and increased operational costs due to system instability and required reboots. While the vulnerability does not directly lead to privilege escalation or data leakage, the availability impact alone is critical for sectors such as finance, telecommunications, and scientific research, where continuous uptime is essential. Additionally, the complexity of the bug and its manifestation in kernel space may complicate incident response and recovery efforts. Given the absence of known exploits, the immediate risk is moderate, but the potential for future exploitation exists if attackers develop methods to trigger the NULL pointer dereference remotely or via crafted workloads.

Mitigation Recommendations

Mitigation of CVE-2025-22086 requires applying the official Linux kernel patches that correct the QP number comparison logic in the mlx5 driver. Organizations should prioritize updating to the fixed kernel versions or backporting the patch to their supported kernel branches. Given the kernel-level nature of the vulnerability, kernel updates should be tested in staging environments to ensure compatibility and stability before deployment in production. Additionally, organizations should audit their use of RDMA and Mellanox hardware to identify affected systems. Where immediate patching is not feasible, temporarily disabling RDMA functionality or restricting access to RDMA interfaces can reduce exposure. Monitoring kernel logs for oops or crashes related to mlx5_ib_poll_cq can help detect attempts to trigger the vulnerability. Network segmentation and strict access controls around RDMA-enabled hosts can further limit potential attack vectors. Finally, maintaining an up-to-date inventory of Linux kernel versions and hardware drivers will facilitate timely response to future vulnerabilities in this critical subsystem.
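As an added detection example (not code from the advisory or from the kernel project), the following Python scans dmesg or journal text for the crash signature quoted above: a NULL pointer dereference whose RIP is in mlx5_ib_poll_cq [mlx5_ib]. The sample log lines are constructed from the advisory's trace, the symbol and module names in WATCHED come from it, and the second, unrelated oops is made up to show the filter discriminating.

```python
"""Added example (not from the advisory or the kernel source): flag kernel oops
records matching the CVE-2025-22086 crash signature, a NULL-based read fault with
RIP inside mlx5_ib_poll_cq [mlx5_ib]. SAMPLE_LOG is constructed from the trace
quoted in the advisory, re-lined as dmesg output, plus one unrelated oops."""
import re

PAGE_SIZE = 0x1000                          # fault addresses below this are NULL-based
WATCHED = {("mlx5_ib_poll_cq", "mlx5_ib")}  # (symbol, module) pairs to alert on

BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \d{4}:([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
WQ_RE = re.compile(r"Workqueue: \S+ (\S+)")

SAMPLE_LOG = """\
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000012
kernel: Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
kernel: RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
kernel: Call Trace:
kernel:  __ib_process_cq+0x5a/0x150 [ib_core]
kernel:  </TASK>
kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
kernel: RIP: 0010:unrelated_fn+0x10/0x80 [other_mod]
kernel:  </TASK>
"""

def parse_oopses(log_text):
    """Split log text into oops records, each running from a 'BUG:' line to '</TASK>'."""
    records, cur = [], None
    for line in log_text.splitlines():
        if (m := BUG_RE.search(line)):
            cur = {"address": int(m.group(1), 16), "symbol": None, "module": None, "workqueue": None}
            records.append(cur)
        elif cur is None:
            continue                        # text between oops records
        elif (m := RIP_RE.search(line)):
            cur["symbol"], cur["module"] = m.group(1), m.group(2)
        elif (m := WQ_RE.search(line)):
            cur["workqueue"] = m.group(1)
        elif "</TASK>" in line:
            cur = None
    return records

def is_cve_2025_22086_signature(rec):
    """NULL-based read fault whose faulting instruction lies in a watched symbol/module."""
    return rec["address"] < PAGE_SIZE and (rec["symbol"], rec["module"]) in WATCHED

def find_suspect_oopses(log_text):
    """Return the oops records in log_text that match the watched signature."""
    return [r for r in parse_oopses(log_text) if is_cve_2025_22086_signature(r)]
```

Feed it the text of journalctl -k or dmesg from RDMA hosts to triage crashes; a hit is evidence that this crash occurred, not on its own evidence that anyone triggered it deliberately.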


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.816Z
CISA Enriched: false
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9831c4522896dcbe807a

Added to database: 5/21/2025, 9:09:05 AM

Last enriched: 7/3/2025, 9:09:59 PM

Last updated: 8/18/2025, 11:28:59 PM