{"api_version":"1","generated_at":"2026-07-07T04:12:47+00:00","cve":"CVE-2025-38584","urls":{"html":"https://cve.report/CVE-2025-38584","api":"https://cve.report/api/cve/CVE-2025-38584.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-38584","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-38584"},"summary":{"title":"padata: Fix pd UAF once and for all","description":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives.","state":"PUBLISHED","assigner":"Linux","published_at":"2025-08-19 17:15:35","updated_at":"2026-06-01 17:16:35"},"problem_types":["CWE-416"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/a2048e475e22b13dc3e53d485b7e6e11464ed9a6","name":"https://git.kernel.org/stable/c/a2048e475e22b13dc3e53d485b7e6e11464ed9a6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/609e59193fc6d9dd323f1c6ae1fdd721f1c79680","name":"https://git.kernel.org/stable/c/609e59193fc6d9dd323f1c6ae1fdd721f1c79680","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91","name":"https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45","name":"https://git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa","name":"https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52","name":"https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/73f132e60857038416540c3599b1de6033d7575a","name":"https://git.kernel.org/stable/c/73f132e60857038416540c3599b1de6033d7575a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db","name":"https://git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-38584","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38584","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 a2048e475e22b13dc3e53d485b7e6e11464ed9a6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 73f132e60857038416540c3599b1de6033d7575a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 609e59193fc6d9dd323f1c6ae1fdd721f1c79680 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 a11a12a9880ab37342b73c93cfe1a3ada02ff0db git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 f231d5d001ec75f5886c02d496a4c79edc383d45 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 dbe3e911a59bda6de96e7cae387ff882c2c177fa git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 cdf79bd2e1ecb3cc75631c73d8f4149be6019a52 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 16295bec6398a3eedc9377e1af6ff4c71b98c300 71203f68c7749609d7fc8ae6ad054bdedeb24f91 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.34","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.34 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.258 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.209 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.140 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.86 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.15.10 6.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.16.1 6.16.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.17 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"38584","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["include/linux/padata.h","kernel/padata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a2048e475e22b13dc3e53d485b7e6e11464ed9a6","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"73f132e60857038416540c3599b1de6033d7575a","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"609e59193fc6d9dd323f1c6ae1fdd721f1c79680","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"a11a12a9880ab37342b73c93cfe1a3ada02ff0db","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"f231d5d001ec75f5886c02d496a4c79edc383d45","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"dbe3e911a59bda6de96e7cae387ff882c2c177fa","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"cdf79bd2e1ecb3cc75631c73d8f4149be6019a52","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"},{"lessThan":"71203f68c7749609d7fc8ae6ad054bdedeb24f91","status":"affected","version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["include/linux/padata.h","kernel/padata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.34"},{"lessThan":"2.6.34","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.258","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.209","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.140","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.86","versionType":"semver"},{"lessThanOrEqual":"6.15.*","status":"unaffected","version":"6.15.10","versionType":"semver"},{"lessThanOrEqual":"6.16.*","status":"unaffected","version":"6.16.1","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.17","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.258","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.209","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.140","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.86","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.15.10","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.16.1","versionStartIncluding":"2.6.34","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.17","versionStartIncluding":"2.6.34","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives."}],"providerMetadata":{"dateUpdated":"2026-06-01T16:05:23.819Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a2048e475e22b13dc3e53d485b7e6e11464ed9a6"},{"url":"https://git.kernel.org/stable/c/73f132e60857038416540c3599b1de6033d7575a"},{"url":"https://git.kernel.org/stable/c/609e59193fc6d9dd323f1c6ae1fdd721f1c79680"},{"url":"https://git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db"},{"url":"https://git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45"},{"url":"https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa"},{"url":"https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52"},{"url":"https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91"}],"title":"padata: Fix pd UAF once and for all","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-38584","datePublished":"2025-08-19T17:03:06.172Z","dateReserved":"2025-04-16T04:51:24.026Z","dateUpdated":"2026-06-01T16:05:23.819Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-08-19 17:15:35","lastModifiedDate":"2026-06-01 17:16:35","problem_types":["CWE-416"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.15.10","matchCriteriaId":"70708DCC-6F9D-4EFE-AF47-0CA615284AD2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.16","versionEndExcluding":"6.16.1","matchCriteriaId":"58182352-D7DF-4CC9-841E-03C1D852C3FB"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"38584","Ordinal":"1","Title":"padata: Fix pd UAF once and for all","CVE":"CVE-2025-38584","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"38584","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives.","Type":"Description","Title":"padata: Fix pd UAF once and for all"}]}}}