{"id":"CVE-2025-38031","summary":"padata: do not leak refcount in reorder_work","details":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30","modified":"2026-04-02T12:47:45.281312Z","published":"2025-06-18T09:33:18.882Z","related":["SUSE-SU-2025:02249-1","SUSE-SU-2025:02254-1","SUSE-SU-2025:02307-1","SUSE-SU-2025:02333-1","SUSE-SU-2025:02335-1","SUSE-SU-2025:02538-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:20475-1","SUSE-SU-2025:20483-1","SUSE-SU-2025:20493-1","SUSE-SU-2025:20498-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38031.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38031.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38031"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0"},{"fixed":"b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1"},{"fixed":"1a426abdf1c86882c9203dd8182f3b8274b89938"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7000507bb0d2ceb545c0a690e0c707c897d102c2"},{"fixed":"cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"6f45ef616775b0ce7889b0f6077fc8d681ab30bc"},{"fixed":"584a729615fa92f4de45480efb7e569d14be1516"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac"},{"fixed":"5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"dd7d37ccf6b11f3d95e797ebe4e9e886d0332600"},{"fixed":"1c65ae4988714716101555fe2b9830e33136d6fb"},{"fixed":"d6ebcde6d4ecf34f8495fb30516645db3aea8993"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"a54091c24220a4cd847d5b4f36d678edacddbaf0"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38031.json"}}],"schema_version":"1.7.5"}