#VU106111 Use-after-free in Linux kernel - CVE-2025-21888
Vulnerability identifier: #VU106111
Vulnerability risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-416
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Linux kernel
Operating systems & Components /
Operating system
Vendor: Linux Foundation
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the mlx5_free_priv_descs() function in drivers/infiniband/hw/mlx5/mr.c. A local user can escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Linux kernel: 6.13, 6.13.1, 6.13.2, 6.13.3, 6.13.4, 6.13.5
External links
https://git.kernel.org/stable/c/0bd34bdd468e93a779c403de3cf7d43ee633b3e0
https://git.kernel.org/stable/c/abc7b3f1f056d69a8f11d6dceecc0c9549ace770
https://git.kernel.org/stable/c/f1298cad47ae29828c5c5be77e733ccfcaef6a7f
https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.13.6
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
