CVE-2025-21726

HIGH · EPSS 10.5%
Published Feb 27, 2025 · Modified Jun 17, 2026
CVSS 3.1: 7.8 (High)

Description

In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:

    crypto_request                  crypto_request                  crypto_del_alg
    padata_do_serial
      ...
      padata_reorder
        // processes all remaining
        // requests then breaks
        while (1) {
          if (!padata)
            break;
          ...
        }

                                    padata_do_serial
                                      // new request added
                                      list_add
        // sees the new request
        queue_work(reorder_work)
                                      padata_reorder
                                        queue_work_on(squeue->work)
    ...

                                    <kworker context>
                                    padata_serial_worker
                                    // completes new request,
                                    // no more outstanding
                                    // requests

                                                                    crypto_del_alg
                                                                      // free pd

    <kworker context>
    invoke_padata_reorder
      // UAF of pd

To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
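
The fix pattern described above (take the 'pd' reference before queueing 'reorder_work', drop it when the work has run), shown as an added userspace model that is not the kernel patch or any code from the page. All struct and function names are hypothetical, and the interleaving is replayed sequentially rather than with real threads.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Userspace model only, not kernel code; every name here is hypothetical. */
struct pd_model { int refcnt; bool *freed; };                  /* models 'pd' */
struct wq_model { struct pd_model *pending; bool holds_ref; }; /* models 'serial_wq' */

static void pd_put(struct pd_model *pd)
{
    if (--pd->refcnt == 0) {
        *pd->freed = true;
        free(pd);
    }
}

static void queue_reorder_work(struct wq_model *wq, struct pd_model *pd, bool take_ref)
{
    if (take_ref) pd->refcnt++;    /* the fix: get the 'pd' ref before queueing */
    wq->pending = pd;
    wq->holds_ref = take_ref;
}

/* Deferred worker: reports a stale 'pd' instead of dereferencing it. */
static bool run_reorder_work(struct wq_model *wq, const bool *freed)
{
    bool stale = *freed;
    if (!stale && wq->holds_ref) pd_put(wq->pending);  /* the fix: put after the work */
    return stale;
}

/* Replays the order in the description: queue, owner frees, worker runs. */
bool worker_sees_freed_pd(bool take_ref)
{
    bool freed = false;
    struct wq_model wq = { NULL, false };
    struct pd_model *pd = malloc(sizeof(*pd));
    if (!pd) abort();
    pd->refcnt = 1;                 /* owner's reference */
    pd->freed = &freed;
    queue_reorder_work(&wq, pd, take_ref);
    pd_put(pd);                     /* crypto_del_alg path drops the owner's ref */
    return run_reorder_work(&wq, &freed);
}

int main(void)
{
    printf("stale pd without ref: %d, with ref: %d\n",
           worker_sees_freed_pd(false), worker_sees_freed_pd(true));
    return 0;
}
```

Without the extra reference the queued work outlives 'pd'; with it, the last put happens in the worker, so the free is deferred until the work has finished.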

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
10.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 7

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥5.4.19 – <5.5
linux   linux_kernel  *        ≥5.5.3 – <5.10.235
linux   linux_kernel  *        ≥5.11 – <5.15.79
linux   linux_kernel  *        ≥5.16 – <6.1.129
linux   linux_kernel  *        ≥6.2 – <6.6.76
linux   linux_kernel  *        ≥6.7 – <6.12.13
linux   linux_kernel  *        ≥6.13 – <6.13.2

References 10

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-265688.html
  • git.kernel.org https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0
    Patch