{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: padata: avoid UAF for reorder_work",
    "id" : "2348600",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348600"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\npadata: avoid UAF for reorder_work\nAlthough the previous patch can avoid ps and ps UAF for _do_serial, it\ncan not avoid potential UAF issue for reorder_work. This issue can\nhappen just as below:\ncrypto_requestcrypto_requestcrypto_del_alg\npadata_do_serial\n...\npadata_reorder\n// processes all remaining\n// requests then breaks\nwhile (1) {\nif (!padata)\nbreak;\n...\n}\npadata_do_serial\n// new request added\nlist_add\n// sees the new request\nqueue_work(reorder_work)\npadata_reorder\nqueue_work_on(squeue->work)\n...\n<kworker context>\npadata_serial_worker\n// completes new request,\n// no more outstanding\n// requests\ncrypto_del_alg\n// free pd\n<kworker context>\ninvoke_padata_reorder\n// UAF of pd\nTo avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'\ninto the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish." ],
  "statement" : "There is no known way to trigger the bug. This is a purely theroretical concern, the problem has never been actually observed -- it would require multiple pcrypt request submissions racing against each other, ultimately a pcrypt instance destruction\n(DELALG) short after request completions as well as unfortunate timing. As result of this observation keeping impact level Moderate (based on that attack complexity is high).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20095",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "kernel-0:6.12.0-124.8.1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-04T00:00:00Z",
    "advisory" : "RHSA-2025:12746",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.32.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20518",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-611.5.1.el9_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-21726\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-21726\nhttps://lore.kernel.org/linux-cve-announce/2025022648-CVE-2025-21726-73b1@gregkh/T" ],
  "name" : "CVE-2025-21726",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}