CVE-2025-21726 Overview
CVE-2025-21726 is a Use-After-Free (UAF) vulnerability in the Linux kernel's padata (parallel data processing) subsystem. The vulnerability exists in the reorder_work handling mechanism, where a race condition between crypto request processing and algorithm deletion can lead to accessing freed memory. This memory corruption issue could allow a local attacker with low privileges to potentially achieve code execution or cause system instability.
Critical Impact
Local attackers can exploit this race condition in the padata subsystem to trigger a use-after-free condition, potentially leading to privilege escalation, arbitrary code execution, or denial of service on affected Linux systems.
Affected Products
- Linux Kernel (multiple versions)
- Debian Linux (see LTS announcements)
- Linux distributions using vulnerable kernel versions
Discovery Timeline
- 2025-02-27 - CVE-2025-21726 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-21726
Vulnerability Analysis
The vulnerability resides in the Linux kernel's padata subsystem, which provides parallel processing capabilities used extensively by the crypto subsystem. The flaw occurs due to improper reference counting of the pd (padata descriptor) structure when reorder_work is queued to the serial_wq work queue.
When processing cryptographic requests in parallel, the padata subsystem uses work queues to serialize the final processing of completed requests. The issue manifests when a new crypto request is added via padata_do_serial() while another request is being processed in padata_reorder(). If crypto_del_alg frees the padata descriptor (pd) between the time reorder_work is queued and when invoke_padata_reorder executes, the worker context accesses freed memory.
The race condition window exists because the previous patch only addressed UAF issues for _do_serial but failed to protect reorder_work from similar memory safety issues.
Root Cause
The root cause is a missing reference count increment on the padata descriptor (pd) before queuing reorder_work to the serial work queue. Without proper reference counting, the padata descriptor can be freed by crypto_del_alg while there are still pending work items that reference it. The fix involves getting a reference to pd before putting reorder_work into serial_wq and releasing that reference only after the work queue finishes processing.
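The reference-counting rule behind the fix can be replayed deterministically in a small userspace model. This is an added example, not kernel code or the upstream patch: every name in it (model_pd, model_get, model_put, replay) is hypothetical, and a freed flag stands in for the actual free so the model never touches released memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
struct model_pd {
    int  refcnt;   /* references currently held on the descriptor */
    bool freed;    /* set instead of calling free(), so the model stays memory-safe */
};

static void model_get(struct model_pd *pd) { pd->refcnt++; }

static void model_put(struct model_pd *pd)
{
    if (--pd->refcnt == 0)
        pd->freed = true;          /* last reference gone: descriptor released */
}

/* Queue the deferred reorder work; the fixed path pins pd before queuing. */
static void model_queue_reorder(struct model_pd *pd, bool fixed)
{
    if (fixed)
        model_get(pd);             /* reference owned by the pending work item */
}

/* Worker body: reports whether pd had already been released when it ran. */
static bool model_run_worker(struct model_pd *pd, bool fixed)
{
    bool stale = pd->freed;        /* the real worker would dereference pd here */
    if (fixed)
        model_put(pd);             /* pairs with the get taken at queue time */
    return stale;
}

/* Replay: queue work, deletion drops the owner's reference, then the worker runs. */
static bool replay(bool fixed, bool *freed_at_end)
{
    struct model_pd pd = { .refcnt = 1, .freed = false };
    model_queue_reorder(&pd, fixed);
    model_put(&pd);                /* algorithm deletion path */
    bool stale = model_run_worker(&pd, fixed);
    *freed_at_end = pd.freed;
    return stale;
}

int main(void)
{
    bool freed, stale = replay(false, &freed);
    printf("unfixed: worker saw released pd = %d\n", stale);
    stale = replay(true, &freed);
    printf("fixed: worker saw released pd = %d, released afterwards = %d\n", stale, freed);
    return 0;
}
```

With the extra reference, the descriptor is still released exactly once, but only after the worker has finished with it.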
Attack Vector
This vulnerability requires local access to the system with the ability to trigger cryptographic operations. The attack exploits a race condition in the kernel's parallel data processing:
- An attacker initiates multiple concurrent crypto requests
- During padata_reorder() processing, a new request is added
- The reorder_work is queued to handle the new request
- Before the worker executes, crypto_del_alg frees the padata descriptor
- The worker thread accesses the freed pd structure, causing UAF
The kernel commit describes the race window as an interleaving of crypto request processing with crypto_del_alg, which creates this exploitable condition. Successful exploitation requires precise timing but could lead to kernel memory corruption.
Detection Methods for CVE-2025-21726
Indicators of Compromise
- Kernel panic or oops messages referencing padata_reorder, invoke_padata_reorder, or padata_serial_worker functions
- KASAN (Kernel Address Sanitizer) reports indicating use-after-free in padata-related functions
- Unexpected system crashes during heavy cryptographic workloads
- Memory corruption artifacts in kernel logs related to crypto subsystem operations
Detection Strategies
- Enable KASAN in debug kernels to detect UAF conditions in padata subsystem
- Monitor kernel logs for stack traces involving padata_do_serial, padata_reorder, or related functions
- Deploy kernel live patching monitoring to track padata-related security updates
- Use SentinelOne's kernel-level behavioral detection to identify abnormal memory access patterns
Monitoring Recommendations
- Enable kernel audit logging for cryptographic subsystem operations
- Configure alerting for kernel oops or panic events related to padata or crypto modules
- Monitor system stability metrics during high crypto workload periods
- Review kernel version against patched releases listed in vendor advisories
How to Mitigate CVE-2025-21726
Immediate Actions Required
- Update to a patched Linux kernel version that includes the reference counting fix
- Review affected systems for kernel versions matching the vulnerable range
- Prioritize patching on systems with heavy cryptographic workloads or multi-tenant environments
- Consider temporarily reducing concurrent crypto operations on critical unpatched systems
Patch Information
Multiple commits have been released to stable kernel branches to address this vulnerability. The fix ensures proper reference counting by getting a pd reference before queuing reorder_work and releasing it after completion. Apply the appropriate patch for your kernel version:
- Linux Kernel Commit 4c6209ef
- Linux Kernel Commit 6f45ef61
- Linux Kernel Commit 7000507b
- Linux Kernel Commit 8ca38d0c
- Linux Kernel Commit a54091c2
- Linux Kernel Commit dd7d37cc
- Linux Kernel Commit f4f1b116
Debian users should refer to the Debian LTS Announcement March 2025 and Debian LTS Announcement May 2025 for distribution-specific guidance.
Workarounds
- No complete workaround exists; applying the kernel patch is the recommended remediation
- Reduce exposure by limiting local user access to systems running vulnerable kernels
- Monitor for exploitation attempts using kernel-level security tools
- Consider live patching solutions if immediate reboot for kernel updates is not feasible
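# Check current kernel version
uname -r
# padata is built into the kernel (CONFIG_PADATA) and never appears in lsmod; check the build config instead
grep CONFIG_PADATA "/boot/config-$(uname -r)"
# Check whether the pcrypt module, which drives padata from the crypto subsystem, is loaded
lsmod | grep pcrypt
# Check for available kernel updates (Debian/Ubuntu)
apt update && apt list --upgradable | grep linux-image
# Check for available kernel updates (RHEL/CentOS)
yum check-update kernel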


