Moshe Shemesh

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.65 **Description** A null pointer dereference issue has been resolved in the Linux kernel. The issue occurs in the error flow of the `mlx5 tc ct entry add rule()` function, where the `zone rule->attr` is used without initialization. This can lead to a kernel NULL pointer dereference. The kernel log shows a BUG message with a RIP address of `0010:mlx5 tc ct entry add rule+0x2b1/0x2f0 [mlx5 core]`. The call trace includes functions such as `mlx5 tc ct block flow offload()`, `nf flow offload tuple()`, and `flow offload work handler()`. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.65 or later. As a temporary workaround, consider disabling the `mlx5 tc ct entry add rule()` function until a patch is available. Restrict access to the vulnerable module `mlx5 core` to minimize the risk of exploitation. Avoid using the `zone rule->attr` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel, specifically in the net/mlx5 module. The issue occurs when a command fails while the driver is reloading and cannot accept firmware commands until the command interface is reinitialized. This results in a NULL pointer access as the command stats structure is being freed and reallocated during the mlx5 devlink reload. The fix involves making the command stats statically allocated on driver probe. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a race condition in the net/mlx5 component of the Linux kernel, which can lead to a refcount use after free warning. This occurs when one command releases its last refcount and frees its index and entry, while another process running the command flush flow takes a refcount to this command entry. The process handling commands flush may see this command as needed to be flushed if the other process released its refcount but didn't release the index yet. The fix involves adding a needed spin lock to resolve the race condition. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.