padata: Fix pd UAF once and for all
Summary
| CVE | CVE-2025-38584 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-08-19 17:15:35 UTC |
| Updated | 2026-06-01 17:16:35 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue. In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away. Fix this by getting the next padata before the squeue->serial lock is released. In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-416
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 a2048e475e22b13dc3e53d485b7e6e11464ed9a6 git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 73f132e60857038416540c3599b1de6033d7575a git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 609e59193fc6d9dd323f1c6ae1fdd721f1c79680 git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 a11a12a9880ab37342b73c93cfe1a3ada02ff0db git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 f231d5d001ec75f5886c02d496a4c79edc383d45 git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 dbe3e911a59bda6de96e7cae387ff882c2c177fa git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 cdf79bd2e1ecb3cc75631c73d8f4149be6019a52 git | Not specified |
| CNA | Linux | Linux | affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 71203f68c7749609d7fc8ae6ad054bdedeb24f91 git | Not specified |
| CNA | Linux | Linux | affected 2.6.34 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.34 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.86 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.15.10 6.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.16.1 6.16.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.17 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/a2048e475e22b13dc3e53d485b7e6e11464ed9a6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/609e59193fc6d9dd323f1c6ae1fdd721f1c79680 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/73f132e60857038416540c3599b1de6033d7575a | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.