{"uuid": "a60fc798-e8b1-479d-9f38-a1dcd926df29", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-21727", "type": "seen", "source": "https://t.me/cvedetector/18979", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-21727 - Linux Kernel padata UAF Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-21727 \nPublished : Feb. 27, 2025, 2:15 a.m. | 50\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \npadata: fix UAF in padata_reorder  \n  \nA bug was found when running the ltp test:  \n  \nBUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0  \nRead of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206  \n  \nCPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+  \nWorkqueue: pdecrypt_parallel padata_parallel_worker  \nCall Trace:  \n  \ndump_stack_lvl+0x32/0x50  \nprint_address_description.constprop.0+0x6b/0x3d0  \nprint_report+0xdd/0x2c0  \nkasan_report+0xa5/0xd0  \npadata_find_next+0x29/0x1a0  \npadata_reorder+0x131/0x220  \npadata_parallel_worker+0x3d/0xc0  \nprocess_one_work+0x2ec/0x5a0  \n  \nIf 'mdelay(10)' is added before calling 'padata_find_next' in the  \n'padata_reorder' function, this issue could be reproduced easily with  \nltp test (pcrypt_aead01).  \n  \nThis can be explained as below:  \n  \npcrypt_aead_encrypt  \n...  \npadata_do_parallel  \nrefcount_inc(&pd->refcnt); // add refcnt  \n...  \npadata_do_serial  \npadata_reorder // pd  \nwhile (1) {  \npadata_find_next(pd, true); // using pd  \nqueue_work_on  \n...  \npadata_serial_worker    crypto_del_alg  \npadata_put_pd_cnt // sub refcnt  \n      padata_free_shell  \n      padata_put_pd(ps->pd);  \n      // pd is freed  \n// loop again, but pd is freed  \n// call padata_find_next, UAF  \n}  \n  \nIn the padata_reorder function, when it loops in 'while', if the alg is  \ndeleted, the refcnt may be decreased to 0 before entering  \n'padata_find_next', which leads to UAF.  \n  \nAs mentioned in [1], do_serial is supposed to be called with BHs disabled  \nand always happen under RCU protection. To address this issue, add  \nsynchronize_rcu() in 'padata_free_shell' to wait for all _do_serial calls  \nto finish.  \n  \n[1]   \n[2]  \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"27 Feb 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-02-27T04:30:11.000000Z"}
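The race the commit message describes, as an added example that is not kernel code and not part of this feed entry: a user-space C model with pthreads in which the padata_reorder side runs under a reader count (an assumed stand-in for the kernel's RCU read side, not real RCU) and the padata_free_shell side either drops the last reference immediately (the bug) or first waits for every reader to leave, which is what the synchronize_rcu() fix provides. Instead of returning memory to the allocator, the model quarantines the pd and flags it as freed, so a later read by the reorder loop is reported the way KASAN reports the real slab-use-after-free rather than crashing. `struct pd`, `run_race`, the `rcu_*_model` helpers and the `freed` flag are assumptions for the demo; the 50 ms sleep plays the role of the `mdelay(10)` the report used to widen the window.

```c
/* User-space model of the padata_reorder / padata_free_shell race (added
 * example, not kernel code). The pd is quarantined and flagged, not freed,
 * so touching a "freed" pd is reported instead of being undefined behaviour. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

struct pd {                 /* stand-in for struct parallel_data */
    atomic_int  refcnt;
    atomic_bool freed;      /* set by padata_put_pd when refcnt hits 0 */
    int         seq;        /* state that padata_find_next would read */
};

/* Reader-count model of the RCU read side (assumption: not the kernel's RCU). */
static pthread_mutex_t rcu_mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  rcu_cv = PTHREAD_COND_INITIALIZER;
static int             rcu_readers;

static void rcu_read_lock_model(void)
{
    pthread_mutex_lock(&rcu_mu); rcu_readers++; pthread_mutex_unlock(&rcu_mu);
}

static void rcu_read_unlock_model(void)
{
    pthread_mutex_lock(&rcu_mu); rcu_readers--;
    pthread_cond_broadcast(&rcu_cv); pthread_mutex_unlock(&rcu_mu);
}

/* synchronize_rcu(): block until every reader that entered before us has left. */
static void synchronize_rcu_model(void)
{
    pthread_mutex_lock(&rcu_mu);
    while (rcu_readers > 0)
        pthread_cond_wait(&rcu_cv, &rcu_mu);
    pthread_mutex_unlock(&rcu_mu);
}

static void padata_put_pd(struct pd *pd)
{
    if (atomic_fetch_sub(&pd->refcnt, 1) == 1)
        atomic_store(&pd->freed, true);     /* "pd is freed" */
}

struct race {
    struct pd        *pd;
    bool              fixed;        /* run with the synchronize_rcu() fix? */
    pthread_barrier_t start;
    bool              uaf_observed;
};

/* padata_reorder side: one pass of the while(1) loop, with the report's
 * mdelay(10) before padata_find_next widening the window. */
static void *reorder_thread(void *arg)
{
    struct race *r = arg;
    struct timespec delay = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000 };

    rcu_read_lock_model();                 /* do_serial runs under RCU */
    pthread_barrier_wait(&r->start);       /* crypto_del_alg may run now */
    nanosleep(&delay, NULL);               /* the mdelay(10) from the report */
    if (atomic_load(&r->pd->freed))        /* padata_find_next(pd, ...) on freed pd */
        r->uaf_observed = true;
    else
        r->pd->seq++;
    rcu_read_unlock_model();
    return NULL;
}

/* crypto_del_alg -> padata_free_shell -> padata_put_pd side. */
static void *free_shell_thread(void *arg)
{
    struct race *r = arg;

    pthread_barrier_wait(&r->start);
    if (r->fixed)
        synchronize_rcu_model();           /* the fix: wait for _do_serial callers */
    padata_put_pd(r->pd);                  /* last reference: pd is freed */
    return NULL;
}

/* Run the race once; true means the reorder loop touched a freed pd (UAF). */
bool run_race(bool fixed)
{
    struct pd   pd = { .refcnt = 1, .freed = false, .seq = 0 };
    struct race r  = { .pd = &pd, .fixed = fixed, .uaf_observed = false };
    pthread_t   reorder, freer;

    pthread_barrier_init(&r.start, NULL, 2);
    pthread_create(&reorder, NULL, reorder_thread, &r);
    pthread_create(&freer, NULL, free_shell_thread, &r);
    pthread_join(reorder, NULL);
    pthread_join(freer, NULL);
    pthread_barrier_destroy(&r.start);
    return r.uaf_observed;
}

int main(void)
{
    printf("unfixed: %s\n", run_race(false) ? "UAF (reorder read freed pd)" : "no UAF");
    printf("fixed:   %s\n", run_race(true)  ? "UAF (reorder read freed pd)" : "no UAF");
    return 0;
}
```

Build with `cc -pthread race.c`. The unfixed run sets `freed` while the reorder side is still inside its read section, reproducing the ordering in the commit's diagram; in the fixed run the free path blocks in `synchronize_rcu_model()` until the reorder thread has called `rcu_read_unlock_model()`, so the last put happens only after the loop is done with `pd`. The model only captures the invariant the fix restores (no free while a do_serial caller is inside its RCU read section); the kernel's real RCU, BH disabling and refcount bookkeeping are not reproduced.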