CVE-2025-21726

CVE-2025-21726 is a use-after-free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically affecting the handling of reorder_work. The issue arises during concurrent operations involving padata_do_serial, padata_reorder, and crypto_del_alg, where a new crypto request can be added to a list after padata_reorder processes remaining requests and breaks. This leads to queue_work(reorder_work) being invoked, but the underlying pd structure is freed by crypto_del_alg before the kworker context executes invoke_padata_reorder, resulting in a UAF. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the described race condition in the padata serial processing path, potentially during cryptographic operations. Successful exploitation could allow the attacker to achieve high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or system crashes via the UAF dereference.

Kernel stable patches addressing this issue are available via the referenced commits, which implement a fix by acquiring a reference to the pd structure before queuing reorder_work on the serial_wq and releasing it only after the serial_wq completes. Security practitioners should update affected Linux kernel versions to incorporate these patches, such as those in the stable branches linked in the references: https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1, https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc, https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2, https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac, and https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0.