CVE-2025-22091

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.14.0-rc4

Description A vulnerability has been resolved in the Linux kernel related to RDMA/mlx5, where the page size variable overflowed when trying to register large amounts of contiguous memory. This issue occurred because the page size variable was stored as an unsigned int, which could not support values larger than 31, causing an overflow. For example, when attempting to register 4GB of memory, the driver would optimize the page size and try to use an mkey with a 4GB entity size, resulting in the page size variable overflowing to '0'. This would trigger a WARN ON() in alloc cacheable mr(). The vulnerability is related to the mlx5 umem mkc find best pgsz() function and the alloc cacheable mr() function.

Recommendations To resolve this issue, update the Linux kernel to a version that includes the fix for the page size variable overflow. As a temporary workaround, consider restricting the use of the mlx5 umem mkc find best pgsz() function and the alloc cacheable mr() function until a patch is available.