CVE-2025-38031

padata: do not leak refcount in reorder_work

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak:
the parallel_data refcount is incremented unconditionally, regardless
of the return value of queue_work(). If the work item is already queued,
the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing
the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

This update provides the initial livepatch for this kernel update. This update does not contain any fixes and will be updated with livepatches later.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-06-18 CVE Published
2025-06-18 CVE Updated
2025-07-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (14)

URL	Tag	Source
https://git.kernel.org/stable/c/f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0	Vuln. Introduced
https://git.kernel.org/stable/c/4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1	Vuln. Introduced
https://git.kernel.org/stable/c/7000507bb0d2ceb545c0a690e0c707c897d102c2	Vuln. Introduced
https://git.kernel.org/stable/c/6f45ef616775b0ce7889b0f6077fc8d681ab30bc	Vuln. Introduced
https://git.kernel.org/stable/c/8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac	Vuln. Introduced
https://git.kernel.org/stable/c/dd7d37ccf6b11f3d95e797ebe4e9e886d0332600	Vuln. Introduced
https://git.kernel.org/stable/c/a54091c24220a4cd847d5b4f36d678edacddbaf0	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1	2025-06-04
https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938	2025-06-04
https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c	2025-06-04
https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516	2025-06-04
https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e	2025-05-29
https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb	2025-05-29
https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993	2025-05-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.235 < 5.10.238 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.235 < 5.10.238"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.179 < 5.15.185 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.179 < 5.15.185"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.129 < 6.1.141 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.129 < 6.1.141"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.76 < 6.6.93 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.76 < 6.6.93"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12.13 < 6.12.31 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12.13 < 6.12.31"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14 < 6.14.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14 < 6.14.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.14 < 6.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.14 < 6.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.13.2 Search vendor "Linux" for product "Linux Kernel" and version "6.13.2"		en		Affected