Cyber Resilience

CVE-2025-21726

Severity: High

Published: 27 February 2025
Modified: 12 May 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21726 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-21726 is a use-after-free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically affecting the handling of reorder_work. The issue arises during concurrent operations involving padata_do_serial, padata_reorder, and crypto_del_alg, where a new crypto request can be added to a list after padata_reorder processes remaining requests and breaks. This leads to queue_work(reorder_work) being invoked, but the underlying pd structure is freed by crypto_del_alg before the kworker context executes invoke_padata_reorder, resulting in a UAF. The vulnerability is classified under CWE-416 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the described race condition in the padata serial processing path, potentially during cryptographic operations. Successful exploitation could allow the attacker to achieve high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, data corruption, or system crashes via the UAF dereference.

Kernel stable patches addressing this issue are available via the referenced commits, which implement a fix by acquiring a reference to the pd structure before queuing reorder_work on the serial_wq and releasing it only after the serial_wq completes. Security practitioners should update affected Linux kernel versions to incorporate these patches, such as those in the stable branches linked in the references: https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1, https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc, https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2, https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac, and https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0.
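The fix pattern described above (take a reference on pd before queuing the deferred work, release it only after the handler has run), as an added userspace model that is not code from the kernel or from the referenced commits. All type and function names are hypothetical stand-ins, and the freed flag replaces a real free() so the replay can be inspected safely.

```c
#include <stdio.h>

/* Userspace model, constructed for illustration. Every type and function
 * name here is hypothetical; none of this is kernel code. */
struct pd_model {
    int refcnt;   /* models the reference count on pd */
    int freed;    /* set instead of calling free() so the replay can inspect it */
};
struct work_model { struct pd_model *pd; int pending; };

static void pd_get(struct pd_model *pd) { pd->refcnt++; }
static void pd_put(struct pd_model *pd) { if (--pd->refcnt == 0) pd->freed = 1; }

/* Models queue_work(reorder_work); take_ref selects the patched behaviour. */
static void queue_reorder(struct work_model *w, struct pd_model *pd, int take_ref)
{
    if (take_ref)
        pd_get(pd);           /* pin pd before the work becomes visible */
    w->pd = pd;
    w->pending = 1;
}

/* Models the deferred handler (invoke_padata_reorder in kworker context).
 * Returns 1 if it ran against a pd that had already been released. */
static int run_reorder(struct work_model *w, int holds_ref)
{
    int stale = w->pd->freed;
    w->pending = 0;
    if (holds_ref)
        pd_put(w->pd);        /* drop the pin only after the handler is done */
    return stale;
}

/* Replays the interleaving from the advisory: work is queued, the owner
 * drops its reference (crypto_del_alg), then the worker finally runs. */
static int replay(int take_ref, int *freed_at_end)
{
    struct pd_model pd = { .refcnt = 1, .freed = 0 };
    struct work_model w = { 0 };

    queue_reorder(&w, &pd, take_ref);
    pd_put(&pd);                           /* owner's teardown path */
    int stale = run_reorder(&w, take_ref);
    *freed_at_end = pd.freed;
    return stale;
}

int main(void)
{
    int freed, stale = replay(1, &freed);
    printf("patched: stale=%d freed_at_end=%d\n", stale, freed);
    return 0;
}
```

With take_ref set to 0 the handler observes a released pd. With it set to 1 the handler runs first and its final put is what releases pd, so the object is neither used after release nor leaked.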

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

padata: avoid UAF for reorder_work

Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below:

crypto_request                  crypto_request          crypto_del_alg
padata_do_serial
  ...
  padata_reorder
    // processes all remaining
    // requests then breaks
    while (1) {
      if (!padata)
        break;
      ...
    }

                                padata_do_serial
                                  // new request added
                                  list_add
    // sees the new request
    queue_work(reorder_work)
                                  padata_reorder
                                    queue_work_on(squeue->work)
...

                                <kworker context>
                                padata_serial_worker
                                // completes new request,
                                // no more outstanding
                                // requests

                                                        crypto_del_alg
                                                          // free pd

<kworker context>
invoke_padata_reorder
  // UAF of pd

To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work' into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The Linux kernel UAF vulnerability enables local privilege escalation via arbitrary code execution in kernel context.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux kernel)
CVE-2026-31530 (same product: Linux kernel)
CVE-2026-43019 (same product: Linux kernel)
CVE-2026-23158 (same product: Linux kernel)
CVE-2025-21893 (same product: Linux kernel)
CVE-2026-31446 (same product: Linux kernel)
CVE-2026-31650 (same product: Linux kernel)
CVE-2026-23001 (same product: Linux kernel)
CVE-2024-50051 (same product: Linux kernel)
CVE-2025-21759 (same product: Linux kernel)

Affected Assets

linux
linux kernel
5.4.19 — 5.5 · 5.5.3 — 5.10.235 · 5.11 — 5.15.79

Mitigating Controls (NIST 800-53 r5) (AI)

prevent, recover

Directly mandates identification, reporting, and timely correction of flaws such as the UAF in Linux kernel padata reorder_work via patching stable kernel updates.

prevent

Implements memory protection mechanisms like ASLR, DEP, and stack canaries that mitigate exploitation of the UAF vulnerability by local low-privilege attackers.

detect

Requires vulnerability scanning and monitoring to identify the presence of CVE-2025-21726 in deployed Linux kernels for prompt remediation.

References