{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-15T01:42:32.102","vulnerabilities":[{"cve":{"id":"CVE-2025-21727","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2025-02-27T02:15:16.423","lastModified":"2025-11-03T20:17:12.810","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found when run ltp test:\n\nBUG: KASAN: slab-use-after-free in padata_find_next+0x29\/0x1a0\nRead of size 4 at addr ffff88bbfe003524 by task kworker\/u113:2\/3039206\n\nCPU: 0 PID: 3039206 Comm: kworker\/u113:2 Kdump: loaded Not tainted 6.6.0+\nWorkqueue: pdecrypt_parallel padata_parallel_worker\nCall Trace:\n<TASK>\ndump_stack_lvl+0x32\/0x50\nprint_address_description.constprop.0+0x6b\/0x3d0\nprint_report+0xdd\/0x2c0\nkasan_report+0xa5\/0xd0\npadata_find_next+0x29\/0x1a0\npadata_reorder+0x131\/0x220\npadata_parallel_worker+0x3d\/0xc0\nprocess_one_work+0x2ec\/0x5a0\n\nIf 'mdelay(10)' is added before calling 'padata_find_next' in the\n'padata_reorder' function, this issue could be reproduced easily with\nltp test (pcrypt_aead01).\n\nThis can be explained as bellow:\n\npcrypt_aead_encrypt\n...\npadata_do_parallel\nrefcount_inc(&pd->refcnt); \/\/ add refcnt\n...\npadata_do_serial\npadata_reorder \/\/ pd\nwhile (1) {\npadata_find_next(pd, true); \/\/ using pd\nqueue_work_on\n...\npadata_serial_worker\t\t\t\tcrypto_del_alg\npadata_put_pd_cnt \/\/ sub refcnt\n\t\t\t\t\t\tpadata_free_shell\n\t\t\t\t\t\tpadata_put_pd(ps->pd);\n\t\t\t\t\t\t\/\/ pd is freed\n\/\/ loop again, but pd is freed\n\/\/ call padata_find_next, UAF\n}\n\nIn the padata_reorder function, when it loops in 'while', if the alg is\ndeleted, the refcnt may be decreased to 0 before entering\n'padata_find_next', which leads to UAF.\n\nAs mentioned in [1], do_serial is supposed to be called with BHs disabled\nand always happen under RCU protection, to address this issue, add\nsynchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls\nto finish.\n\n[1] https:\/\/lore.kernel.org\/all\/20221028160401.cccypv4euxikusiq@parnassus.localdomain\/\n[2] https:\/\/lore.kernel.org\/linux-kernel\/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm\/"},{"lang":"es","value":"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: corrección de UAF en padata_reorder Se encontró un error al ejecutar la prueba ltp: ERROR: KASAN: slab-use-after-free in padata_find_next+0x29\/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker\/u113:2\/3039206 CPU: 0 PID: 3039206 Comm: kworker\/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:  dump_stack_lvl+0x32\/0x50 print_address_description.constprop.0+0x6b\/0x3d0 print_report+0xdd\/0x2c0 kasan_report+0xa5\/0xd0 padata_find_next+0x29\/0x1a0 padata_reorder+0x131\/0x220 padata_parallel_worker+0x3d\/0xc0 process_one_work+0x2ec\/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&amp;pd-&gt;refcnt); \/\/ add refcnt ... padata_do_serial padata_reorder \/\/ pd while (1) { padata_find_next(pd, true); \/\/ using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt \/\/ sub refcnt padata_free_shell padata_put_pd(ps-&gt;pd); \/\/ pd is freed \/\/ loop again, but pd is freed \/\/ call padata_find_next, UAF } En la función padata_reorder, cuando se repite en 'while', si se elimina el alg, el refcnt puede disminuirse a 0 antes de ingresar a 'padata_find_next', lo que lleva a UAF. Como se mencionó en [1], se supone que do_serial se debe llamar con los BH deshabilitados y siempre ocurre bajo la protección de RCU, para abordar este problema, agreguesynchronous_rcu() en 'padata_free_shell' y espere a que finalicen todas las llamadas a _do_serial. [1] https:\/\/lore.kernel.org\/all\/20221028160401.cccypv4euxikusiq@parnassus.localdomain\/ [2] https:\/\/lore.kernel.org\/linux-kernel\/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm\/"}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-416"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4","versionEndExcluding":"5.10.235","matchCriteriaId":"5FEF389E-870E-4BCB-A3FF-0B8042738CF0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.179","matchCriteriaId":"C708062C-4E1B-465F-AE6D-C09C46400875"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.129","matchCriteriaId":"2DA5009C-C9B9-4A1D-9B96-78427E8F232C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.76","matchCriteriaId":"A6D70701-9CB6-4222-A957-00A419878993"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.13","matchCriteriaId":"2897389C-A8C3-4D69-90F2-E701B3D66373"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.2","matchCriteriaId":"6D4116B1-1BFD-4F23-BA84-169CC05FC5A3"}]}]}],"references":[{"url":"https:\/\/git.kernel.org\/stable\/c\/0ae2f332cfd2d74cf3ce344ec9938cf3e29c3ccd","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/573ac9c70bf7885dc85d82fa44550581bfc3b738","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/80231f069240d52e98b6a317456c67b2eafd0781","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/bbccae982e9fa1d7abcb23a5ec81cb0ec883f7de","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/e01780ea4661172734118d2a5f41bc9720765668","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/f3e0b9f790f8e8065d59e67b565a83154d9f3079","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/git.kernel.org\/stable\/c\/f78170bee51469734b1a306a74fc5f777bb22ba6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https:\/\/lists.debian.org\/debian-lts-announce\/2025\/03\/msg00028.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https:\/\/lists.debian.org\/debian-lts-announce\/2025\/05\/msg00030.html","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}