logo_clicknbuy.png

CVE-2025-21726 – Linux Kernel padata Reorder Work Use-After-Free Vulnerability

The following table lists the changes that have been made to the
CVE-2025-21726 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Feb. 27, 2025

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved:

    padata: avoid UAF for reorder_work

    Although the previous patch can avoid ps and ps UAF for _do_serial, it
    can not avoid potential UAF issue for reorder_work. This issue can
    happen just as below:

    crypto_request crypto_request crypto_del_alg
    padata_do_serial

    padata_reorder
    // processes all remaining
    // requests then breaks
    while (1) {
    if (!padata)
    break;

    }

    padata_do_serial
    // new request added
    list_add
    // sees the new request
    queue_work(reorder_work)
    padata_reorder
    queue_work_on(squeue->work)

    padata_serial_worker
    // completes new request,
    // no more outstanding
    // requests

    crypto_del_alg
    // free pd

    invoke_padata_reorder
    // UAF of pd

    To avoid UAF for ‘reorder_work’, get ‘pd’ ref before put ‘reorder_work’
    into the ‘serial_wq’ and put ‘pd’ ref until the ‘serial_wq’ finish.
    Added Reference https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc
    Added Reference https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2
    Added Reference https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
    Added Reference https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0
    Added Reference https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600
Share the Post:

Related Posts