CVE-2025-21727: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
AI Analysis
Technical Summary
CVE-2025-21727 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically within the padata_reorder function. The padata subsystem is responsible for parallelized cryptographic operations, improving performance by distributing workloads across multiple CPUs. The vulnerability arises when the reference count (refcnt) of a padata data structure (pd) is decremented to zero and the structure is freed while still being accessed in a loop inside padata_reorder. This occurs if the underlying cryptographic algorithm (alg) is deleted concurrently, causing the refcnt to drop before the call to padata_find_next, which then accesses freed memory. The bug was identified through the Linux Test Project (LTP) test pcrypt_aead01, which triggered a slab-use-after-free detected by Kernel Address Sanitizer (KASAN). The root cause is a race condition between parallel and serial processing paths in padata, where do_serial calls are expected to be protected by Read-Copy-Update (RCU) mechanisms and bottom halves (BHs) disabled. The fix involves adding synchronize_rcu() in padata_free_shell to ensure all do_serial calls complete before freeing memory, preventing premature freeing and subsequent UAF. The vulnerability affects Linux kernel versions around 6.6.0+ and is characterized by a CVSS v3.1 score of 7.8, indicating high impact on confidentiality, integrity, and availability with low attack complexity but requiring local privileges and no user interaction. Exploitation could allow local attackers to execute arbitrary code in kernel context, cause system crashes, or escalate privileges by manipulating kernel memory. No known exploits are reported in the wild yet, but the vulnerability's nature and impact warrant prompt attention and patching.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those relying on Linux-based infrastructure for critical services, including cloud providers, telecommunications, financial institutions, and government agencies. Exploitation could lead to kernel-level code execution, allowing attackers to bypass security controls, access sensitive data, or disrupt services through denial-of-service conditions. Given the widespread use of Linux in servers, embedded devices, and network equipment across Europe, the vulnerability could affect a broad range of systems. The requirement for local privileges limits remote exploitation but insider threats or compromised accounts could leverage this flaw to escalate privileges or maintain persistence. The impact on confidentiality, integrity, and availability is high, potentially leading to data breaches, service outages, and loss of trust. Organizations with high compliance requirements under GDPR and other regulations must prioritize mitigation to avoid legal and reputational consequences.
Mitigation Recommendations
European organizations should take the following specific actions beyond generic patching advice: 1) Immediately identify and inventory all Linux systems running kernel versions affected by this vulnerability, focusing on versions around 6.6.0+. 2) Apply the official Linux kernel patches that include the synchronize_rcu() fix in padata_free_shell as soon as they are available from trusted sources or vendor distributions. 3) For systems where immediate patching is not feasible, consider temporarily disabling or restricting workloads that utilize the padata subsystem or cryptographic parallelization features, if possible, to reduce attack surface. 4) Enhance monitoring for unusual kernel crashes, KASAN alerts, or suspicious local activity that could indicate exploitation attempts. 5) Limit local user privileges and enforce strict access controls to minimize opportunities for local attackers to exploit the vulnerability. 6) Coordinate with Linux distribution vendors and hardware providers to ensure timely updates and validate kernel versions in use. 7) Conduct thorough testing of patches in staging environments to avoid regressions in cryptographic performance or stability. 8) Educate system administrators about the vulnerability's nature and the importance of applying kernel updates promptly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-21727: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace: <TASK> dump_stack_lvl+0x32/0x50 print_address_description.constprop.0+0x6b/0x3d0 print_report+0xdd/0x2c0 kasan_report+0xa5/0xd0 padata_find_next+0x29/0x1a0 padata_reorder+0x131/0x220 padata_parallel_worker+0x3d/0xc0 process_one_work+0x2ec/0x5a0 If 'mdelay(10)' is added before calling 'padata_find_next' in the 'padata_reorder' function, this issue could be reproduced easily with ltp test (pcrypt_aead01). This can be explained as bellow: pcrypt_aead_encrypt ... padata_do_parallel refcount_inc(&pd->refcnt); // add refcnt ... padata_do_serial padata_reorder // pd while (1) { padata_find_next(pd, true); // using pd queue_work_on ... padata_serial_worker crypto_del_alg padata_put_pd_cnt // sub refcnt padata_free_shell padata_put_pd(ps->pd); // pd is freed // loop again, but pd is freed // call padata_find_next, UAF } In the padata_reorder function, when it loops in 'while', if the alg is deleted, the refcnt may be decreased to 0 before entering 'padata_find_next', which leads to UAF. As mentioned in [1], do_serial is supposed to be called with BHs disabled and always happen under RCU protection, to address this issue, add synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls to finish. [1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/ [2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
AI-Powered Analysis
Technical Analysis
CVE-2025-21727 is a high-severity use-after-free (UAF) vulnerability in the Linux kernel's padata subsystem, specifically within the padata_reorder function. The padata subsystem is responsible for parallelized cryptographic operations, improving performance by distributing workloads across multiple CPUs. The vulnerability arises when the reference count (refcnt) of a padata data structure (pd) is decremented to zero and the structure is freed while still being accessed in a loop inside padata_reorder. This occurs if the underlying cryptographic algorithm (alg) is deleted concurrently, causing the refcnt to drop before the call to padata_find_next, which then accesses freed memory. The bug was identified through the Linux Test Project (LTP) test pcrypt_aead01, which triggered a slab-use-after-free detected by Kernel Address Sanitizer (KASAN). The root cause is a race condition between parallel and serial processing paths in padata, where do_serial calls are expected to be protected by Read-Copy-Update (RCU) mechanisms and bottom halves (BHs) disabled. The fix involves adding synchronize_rcu() in padata_free_shell to ensure all do_serial calls complete before freeing memory, preventing premature freeing and subsequent UAF. The vulnerability affects Linux kernel versions around 6.6.0+ and is characterized by a CVSS v3.1 score of 7.8, indicating high impact on confidentiality, integrity, and availability with low attack complexity but requiring local privileges and no user interaction. Exploitation could allow local attackers to execute arbitrary code in kernel context, cause system crashes, or escalate privileges by manipulating kernel memory. No known exploits are reported in the wild yet, but the vulnerability's nature and impact warrant prompt attention and patching.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for those relying on Linux-based infrastructure for critical services, including cloud providers, telecommunications, financial institutions, and government agencies. Exploitation could lead to kernel-level code execution, allowing attackers to bypass security controls, access sensitive data, or disrupt services through denial-of-service conditions. Given the widespread use of Linux in servers, embedded devices, and network equipment across Europe, the vulnerability could affect a broad range of systems. The requirement for local privileges limits remote exploitation but insider threats or compromised accounts could leverage this flaw to escalate privileges or maintain persistence. The impact on confidentiality, integrity, and availability is high, potentially leading to data breaches, service outages, and loss of trust. Organizations with high compliance requirements under GDPR and other regulations must prioritize mitigation to avoid legal and reputational consequences.
Mitigation Recommendations
European organizations should take the following specific actions beyond generic patching advice: 1) Immediately identify and inventory all Linux systems running kernel versions affected by this vulnerability, focusing on versions around 6.6.0+. 2) Apply the official Linux kernel patches that include the synchronize_rcu() fix in padata_free_shell as soon as they are available from trusted sources or vendor distributions. 3) For systems where immediate patching is not feasible, consider temporarily disabling or restricting workloads that utilize the padata subsystem or cryptographic parallelization features, if possible, to reduce attack surface. 4) Enhance monitoring for unusual kernel crashes, KASAN alerts, or suspicious local activity that could indicate exploitation attempts. 5) Limit local user privileges and enforce strict access controls to minimize opportunities for local attackers to exploit the vulnerability. 6) Coordinate with Linux distribution vendors and hardware providers to ensure timely updates and validate kernel versions in use. 7) Conduct thorough testing of patches in staging environments to avoid regressions in cryptographic performance or stability. 8) Educate system administrators about the vulnerability's nature and the importance of applying kernel updates promptly.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.754Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe85fc
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 4:26:31 AM
Last updated: 8/14/2025, 5:23:48 PM
Views: 20
Related Threats
CVE-2025-41242: Vulnerability in VMware Spring Framework
MediumCVE-2025-47206: CWE-787 in QNAP Systems Inc. File Station 5
HighCVE-2025-5296: CWE-59 Improper Link Resolution Before File Access ('Link Following') in Schneider Electric SESU
HighCVE-2025-6625: CWE-20 Improper Input Validation in Schneider Electric Modicon M340
HighCVE-2025-57703: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Delta Electronics DIAEnergie
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.