CVE-2025-21727 Overview
CVE-2025-21727 is a Use-After-Free (UAF) vulnerability in the Linux kernel's padata (parallel data) subsystem, specifically within the padata_reorder function. This vulnerability was discovered during LTP (Linux Test Project) testing and can be triggered when parallel cryptographic operations race with algorithm deletion. The flaw allows an attacker with local access to potentially achieve code execution, privilege escalation, or cause system instability by exploiting the memory corruption condition.
Critical Impact
A local attacker with low privileges can exploit this UAF vulnerability to potentially execute arbitrary code with kernel privileges, compromise system integrity, or cause denial of service through kernel memory corruption.
Affected Products
- Linux Kernel (multiple versions)
- Systems using the padata parallel processing framework
- Systems utilizing parallel cryptographic operations (pcrypt)
Discovery Timeline
- February 27, 2025 - CVE-2025-21727 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21727
Vulnerability Analysis
This vulnerability exists in the Linux kernel's padata subsystem, which provides parallel processing capabilities for computationally intensive operations. The flaw manifests as a classic Use-After-Free condition triggered by a race between the padata_reorder function's processing loop and concurrent algorithm deletion through crypto_del_alg.
The issue occurs when parallel cryptographic operations are being processed through the padata framework. During the reorder phase, the padata_reorder function iterates in a while loop, repeatedly calling padata_find_next to locate the next work item. However, if the cryptographic algorithm is deleted during this loop iteration, the reference count on the padata descriptor (pd) may drop to zero, causing the memory to be freed while the loop is still attempting to access it.
The race condition specifically manifests in the following execution flow: while padata_reorder is iterating and using the padata descriptor, a concurrent operation invokes crypto_del_alg, which triggers padata_serial_worker to decrement the reference count via padata_put_pd_cnt. This eventually leads to padata_free_shell calling padata_put_pd, freeing the descriptor. When padata_reorder loops back and calls padata_find_next, it accesses the already-freed memory, resulting in KASAN detecting a slab-use-after-free at address ffff88bbfe003524.
Root Cause
The root cause is a missing synchronization mechanism between the padata reorder loop and the shell/descriptor cleanup path. The padata_free_shell function does not wait for all in-flight do_serial calls to complete before freeing the padata descriptor. According to the kernel's design, do_serial is supposed to be called with bottom halves (BHs) disabled and always happen under RCU protection, but this guarantee was not being properly enforced during cleanup.
Attack Vector
Exploitation requires local access to the system with low privileges. An attacker would need to:
- Initiate parallel cryptographic operations that utilize the padata framework (such as through the pcrypt_aead interface)
- Trigger concurrent algorithm deletion to race against the padata reorder operation
- Win the race condition to cause the reference count to drop to zero while the padata descriptor is still in use
- The resulting UAF could potentially be leveraged for arbitrary read/write primitives in kernel memory
The vulnerability was reproducible using the LTP test pcrypt_aead01 with an artificially added mdelay(10) before padata_find_next, widening the race window.
Detection Methods for CVE-2025-21727
Indicators of Compromise
- KASAN (Kernel Address Sanitizer) reports indicating slab-use-after-free in padata_find_next or padata_reorder functions
- Kernel crash dumps or oops messages referencing the padata subsystem or pdecrypt_parallel workqueue
- Unexpected system instability when performing parallel cryptographic operations
Detection Strategies
- Enable KASAN in kernel configurations to detect UAF conditions during runtime testing
- Monitor kernel logs for BUG reports referencing padata_find_next, padata_reorder, or related functions
- Deploy runtime memory corruption detection tools on systems performing heavy parallel cryptographic workloads
Monitoring Recommendations
- Configure kernel logging to capture and alert on KASAN reports and kernel oops messages
- Monitor systems running parallel encryption workloads for unexpected crashes or stability issues
- Implement centralized log collection for kernel panic and BUG messages across Linux infrastructure
How to Mitigate CVE-2025-21727
Immediate Actions Required
- Update affected Linux kernel installations to patched versions immediately
- Prioritize systems performing parallel cryptographic operations or using the pcrypt interface
- Review deployed kernel versions against the provided patch commits to determine exposure
Patch Information
The fix adds synchronize_rcu() in the padata_free_shell function to ensure all in-flight do_serial calls complete before freeing the padata descriptor. This properly enforces the RCU protection guarantees required by the padata subsystem design.
Multiple patch commits have been released across stable kernel branches:
- Kernel Git Commit 0ae2f332cfd2
- Kernel Git Commit 573ac9c70bf7
- Kernel Git Commit 80231f069240
- Kernel Git Commit bbccae982e9f
- Kernel Git Commit e01780ea4661
- Kernel Git Commit f3e0b9f790f8
- Kernel Git Commit f78170bee514
Debian users should refer to the Debian LTS Advisory (March 2025) and Debian LTS Advisory (May 2025) for distribution-specific updates.
Workarounds
- If patching is not immediately possible, consider limiting access to cryptographic subsystems for unprivileged users
- Monitor systems closely for kernel crashes or stability issues related to padata operations
- Enable KASAN in non-production environments to detect potential exploitation attempts
# Check current kernel version for vulnerability assessment
uname -r
# Verify if padata module is loaded
lsmod | grep padata
# Review kernel logs for UAF indicators
dmesg | grep -E "(KASAN|padata|use-after-free)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
