Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Trigger requires privileged devlink configuration of a VF MAC-list max (PR:H) on local mlx5 hardware (AV:L); impact is a small OOB read causing potential info leak (C:L) and likely panic (A:H), no integrity change.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
mlx5_query_nic_vport_mac_list() sizes its firmware command buffer using the PF's log_max_current_uc/mc_list capabilities. When querying a VF vport with a larger configured max (via devlink), the firmware response can overflow this buffer:
BUG: KASAN: slab-out-of-bounds in mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core] Read of size 4 at addr ff1100013ffc8a12 by task kworker/u96:2/385
CPU: 12 UID: 0 PID: 385 Comm: kworker/u96:2 Not tainted 7.0.0-rc6+ #1 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009) Workqueue: mlx5_esw_wq esw_vport_change_handler [mlx5_core] Call Trace: <TASK> dump_stack_lvl+0x69/0xa0 print_report+0x176/0x4e4 kasan_report+0xc8/0x100 mlx5_query_nic_vport_mac_list+0x453/0x4c0 [mlx5_core] esw_update_vport_addr_list+0x2e3/0xda0 [mlx5_core] esw_vport_change_handle_locked+0xa1f/0x1060 [mlx5_core] esw_vport_change_handler+0x6a/0x90 [mlx5_core] process_one_work+0x87f/0x15e0 worker_thread+0x62b/0x1020 kthread+0x375/0x490 ret_from_fork+0x4dc/0x810 ret_from_fork_asm+0x11/0x20 </TASK>
Fix by querying the vport's own HCA caps to size the buffer correctly. Refactor the function to allocate and return the MAC list internally, removing the caller's dependency on knowing the correct max.
AnalysisAI
Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a system using the mlx5_core driver with NVIDIA/Mellanox ConnectX hardware operating in SR-IOV / e-switch (switchdev) mode, AND a virtual function whose configured MAC-list maximum (log_max_current_uc_list / log_max_current_mc_list) has been set larger than the physical function's capability via devlink - this non-default, privileged configuration is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward moderate, config-gated risk rather than urgent mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a host with an mlx5 NIC in SR-IOV mode, a privileged operator (or compromised management plane) raises a virtual function's MAC-list maximum via devlink above the PF's capability; when that VF's address list subsequently changes, the kernel's eswitch worker queries the vport and reads past the undersized slab buffer, leaking adjacent kernel memory or panicking the host. No public exploit code is identified at time of analysis, and the local attack vector plus dependency on privileged devlink configuration make opportunistic exploitation unlikely. |
| Remediation | Vendor-released patch: update to a fixed Linux stable kernel - 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) on the matching branch, drawing the corresponding stable commit from https://git.kernel.org/stable/c/ (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems running Linux mlx5_core driver with ConnectX NICs in SR-IOV/switchdev mode; document current driver versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39321
GHSA-pw9r-h2m6-6vvg