
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-21751 affects the Linux kernel's net/mlx5 hardware steering (HWS) component. The vulnerability was discovered in early 2025 and involves a firmware failure during the matcher disconnect flow that can lead to a use-after-free and an eventual system crash (Kernel Commit).
The vulnerability occurs when a firmware failure happens during the matcher disconnect flow. The error flow of the disconnect function reconnects the matcher and returns an error. The calling function nevertheless continues running and eventually frees the matcher that is being disconnected. This leaves a freed matcher on the matchers list, which in turn leads to a use-after-free and an eventual crash. The CVSS v3.1 base score for this vulnerability is 5.5 MEDIUM (NVD).
The vulnerability can result in system crashes due to use-after-free errors. Additionally, it may lead to a bad steering state (e.g., wrong connection between matchers) and resource leakage during resource destruction (Kernel Commit).
The issue has been fixed by changing the error handling flow so that it no longer attempts to reconnect the matcher when firmware commands fail during disconnect. Instead, the system now returns an error immediately. The fix is included in the kernel patch that modifies the matcher disconnect behavior (Kernel Commit).
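The error flow described above, modelled in plain C as an added example (this is not the mlx5 driver code or the kernel patch). All struct and function names are hypothetical, a `freed` flag stands in for kfree() so the list can be inspected safely, and the "after" variant follows this page's description of returning the error without reconnecting.

```c
/* Toy model of the disconnect error flow; hypothetical names, not mlx5 driver code. */
#include <stdbool.h>
#include <stdio.h>

struct matcher { struct matcher *next; bool freed; /* stands in for kfree() */ };
struct table   { struct matcher *head; bool fw_fails; /* simulated FW failure */ };
typedef int (*disconnect_fn)(struct table *, struct matcher *);

static void tbl_add(struct table *t, struct matcher *m) { m->next = t->head; t->head = m; }
static void tbl_del(struct table *t, struct matcher *m) {
    for (struct matcher **pp = &t->head; *pp; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; m->next = NULL; return; }
}

/* Before the fix: a failed FW command reconnects the matcher, then returns an error. */
static int disconnect_before(struct table *t, struct matcher *m) {
    tbl_del(t, m);
    if (t->fw_fails) { tbl_add(t, m); return -1; }
    return 0;
}

/* After the fix: return the error without reconnecting the matcher. */
static int disconnect_after(struct table *t, struct matcher *m) {
    tbl_del(t, m);
    return t->fw_fails ? -1 : 0;
}

/* The caller keeps running after the error and frees the matcher. */
static void matcher_destroy(struct table *t, struct matcher *m, disconnect_fn disc) {
    (void)disc(t, m);
    m->freed = true; /* flag only: real code would kfree(m) here */
}

/* Build a two-matcher list, destroy one, count freed matchers still linked. */
static int stale_after_destroy(disconnect_fn disc, bool fw_fails) {
    struct matcher a = {0}, b = {0};
    struct table t = { .head = NULL, .fw_fails = fw_fails };
    int stale = 0;
    tbl_add(&t, &a); tbl_add(&t, &b);
    matcher_destroy(&t, &b, disc);
    for (struct matcher *m = t.head; m; m = m->next) stale += m->freed;
    return stale;
}

int main(void) {
    printf("before fix, FW failure: %d stale\n", stale_after_destroy(disconnect_before, true));
    printf("after fix,  FW failure: %d stale\n", stale_after_destroy(disconnect_after, true));
    return 0;
}
```

A non-zero count means the next walk of the list would dereference freed memory, which is the use-after-free condition this entry describes.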
Source: This report was generated using AI