CVE-2025-21726
Published: 27 February 2025
Summary
CVE-2025-21726 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-21726 is a use-after-free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically in the handling of reorder_work. The issue arises during concurrent operations involving padata_do_serial, padata_reorder, and crypto_del_alg: a new crypto request can be added to the reorder list after padata_reorder has processed the remaining requests and exited its loop. The late request causes queue_work(reorder_work) to be invoked, but the underlying pd structure is freed by crypto_del_alg before the kworker context executes invoke_padata_reorder, so the worker dereferences freed memory. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability because it has low attack complexity and requires no user interaction. Exploitation involves triggering the described race condition in the padata serial processing path, potentially during cryptographic operations. Successful exploitation could fully compromise confidentiality, integrity, and availability, for example through arbitrary code execution, data corruption, or a system crash caused by the UAF dereference.
Kernel stable patches addressing this issue are available via the referenced commits. The fix acquires a reference to the pd structure before queuing reorder_work on the serial_wq and releases it only after the serial_wq completes. Security practitioners should update affected Linux kernel versions to incorporate these patches, such as those in the stable branches linked below:
- https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1
- https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc
- https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2
- https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac
- https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5234
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work. Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:

    crypto_request                crypto_request                crypto_del_alg
    padata_do_serial
      ...
      padata_reorder
        // processes all remaining
        // requests then breaks
        while (1) {
          if (!padata)
            break;
          ...
        }
                                  padata_do_serial
                                    // new request added
                                    list_add
        // sees the new request
        queue_work(reorder_work)
                                  padata_reorder
                                    queue_work_on(squeue->work)
    ...
    <kworker context>
    padata_serial_worker
    // completes new request,
    // no more outstanding
    // requests
                                                                crypto_del_alg
                                                                // free pd
    <kworker context>
    invoke_padata_reorder
    // UAF of pd

To avoid UAF for 'reorder_work', get a 'pd' ref before putting 'reorder_work' into the 'serial_wq' and put the 'pd' ref only after the 'serial_wq' finishes.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
The Linux kernel UAF vulnerability enables local privilege escalation via arbitrary code execution in kernel context.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identification, reporting, and timely correction of flaws such as the UAF in the Linux kernel padata reorder_work path, via patching to the stable kernel updates.
- SI-16 (Memory Protection): implements memory protection mechanisms such as ASLR, DEP, and stack canaries that raise the cost of exploiting the UAF for local low-privilege attackers.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning and monitoring to identify the presence of CVE-2025-21726 in deployed Linux kernels for prompt remediation.