{"id":"CVE-2025-21726","summary":"padata: avoid UAF for reorder_work","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: avoid UAF for reorder_work\n\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\n\ncrypto_request\t\t\tcrypto_request\t\tcrypto_del_alg\npadata_do_serial\n  ...\n  padata_reorder\n    // processes all remaining\n    // requests then breaks\n    while (1) {\n      if (!padata)\n        break;\n      ...\n    }\n\n\t\t\t\tpadata_do_serial\n\t\t\t\t  // new request added\n\t\t\t\t  list_add\n    // sees the new request\n    queue_work(reorder_work)\n\t\t\t\t  padata_reorder\n\t\t\t\t    queue_work_on(squeue-\u003ework)\n...\n\n\t\t\t\t\u003ckworker context\u003e\n\t\t\t\tpadata_serial_worker\n\t\t\t\t// completes new request,\n\t\t\t\t// no more outstanding\n\t\t\t\t// requests\n\n\t\t\t\t\t\t\tcrypto_del_alg\n\t\t\t\t\t\t\t  // free pd\n\n\u003ckworker context\u003e\ninvoke_padata_reorder\n  // UAF of pd\n\nTo avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'\ninto the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.","modified":"2026-04-02T12:45:12.109407Z","published":"2025-02-27T02:07:32.861Z","related":["ALSA-2025:20095","ALSA-2025:20518","SUSE-SU-2025:01620-1","SUSE-SU-2025:01627-1","SUSE-SU-2025:01633-1","SUSE-SU-2025:01640-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:1177-1","SUSE-SU-2025:1178-1","SUSE-SU-2025:1180-1","SUSE-SU-2025:1573-1","SUSE-SU-2025:1574-1","SUSE-SU-2025:20190-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20260-1","SUSE-SU-2025:20270-1","USN-7521-2"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21726.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21726.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21726"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"bbefa1dd6a6d53537c11624752219e39959d04fb"},{"fixed":"f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"},{"fixed":"4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"},{"fixed":"7000507bb0d2ceb545c0a690e0c707c897d102c2"},{"fixed":"6f45ef616775b0ce7889b0f6077fc8d681ab30bc"},{"fixed":"8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"},{"fixed":"a54091c24220a4cd847d5b4f36d678edacddbaf0"},{"fixed":"dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"b4c8ed0bf977760a206997b6429a7ac91978f440"},{"last_affected":"e43d65719527043f1ef79ecba9d4ede58cbc7ffe"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21726.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}