High severity 7.8 · NVD Advisory · Published Aug 19, 2025 · Updated May 17, 2026

CVE-2025-38584

Description

In the Linux kernel, the following vulnerability has been resolved:

padata: Fix pd UAF once and for all

There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker.

This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue.

In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away.

Fix this by getting the next padata before the squeue->serial lock is released.

In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free (UAF) race condition in the Linux kernel's padata subsystem can be triggered during padata_replace, making local privilege escalation possible.

Vulnerability

A use-after-free (UAF) race condition exists in the Linux kernel's padata subsystem, specifically in the padata_reorder function. The bug originates from the initial commit of padata and occurs because a reference count on the parallel data (pd) structure is taken at the start of padata_do_parallel and released only at the end of padata_serial_worker. This reference count is required solely for the correct operation of padata_replace. If padata_replace is never invoked, the race does not manifest. However, when padata_replace is called, a window exists where, after a padata item is added to the serial list and the associated spin lock is released, that padata may be processed and the reference count on pd could be decremented prematurely, leading to a UAF condition [1].

Exploitation

Exploitation requires the ability to trigger padata_replace while parallel work is being processed. An attacker with local access and the ability to influence padata usage (e.g., through certain cryptographic operations or other kernel subsystems that rely on padata) could potentially exploit this race. The attack surface is limited to systems where padata is actively used and where padata_replace can be invoked concurrently with ongoing parallel operations. There is no direct evidence of remote exploitation, but local privilege escalation is plausible if the UAF is successfully leveraged.

Impact

Successful exploitation could allow an attacker to corrupt kernel memory, potentially leading to a denial of service (system crash) or local privilege escalation. The UAF could be used to overwrite freed memory structures, gain arbitrary code execution in kernel context, and thereby elevate privileges from a local unprivileged user to root or escape container boundaries.

Mitigation

The fix, introduced in Linux kernel stable commits, restructures padata_reorder to obtain the next padata before releasing the serial lock, eliminating the race window. Users should apply the latest stable kernel updates containing commits such as f231d5e... [4] or equivalent backports. No workaround is available; updating the kernel is the only mitigation.
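
The ordering problem described above, as an added example that is not taken from the kernel patch or from this advisory: a single-threaded C model in which dropping the lock lets the serial worker run at once, so a read of pd after the unlock is counted as stale while a read before the unlock is not. The names `run_reorder`, `pd_peek_next`, `unlock_serial` and `serial_worker` are hypothetical, and "freeing" is modelled with a flag.

```c
/* Simplified single-threaded user-space model, not kernel code; names are
 * hypothetical. unlock_serial() runs the worker at once (worst-case race). */
#include <stdio.h>

struct pd   { int refcnt; int freed; int next_seq; };
struct item { struct pd *pd; };

static struct item *serial_q;   /* stands in for squeue->serial.list */
static int stale_reads;         /* reads of pd after its last put */

static void serial_worker(void) /* drops the reference taken at submit */
{
    struct item *it = serial_q;
    serial_q = NULL;
    if (it && --it->pd->refcnt == 0)
        it->pd->freed = 1;      /* model only: a flag instead of freeing */
}

static void unlock_serial(void) { serial_worker(); }

static int pd_peek_next(struct pd *pd)
{
    if (pd->freed)
        stale_reads++;          /* in the kernel: the use-after-free */
    return pd->next_seq;
}

/* fixed == 0: publish, unlock, then read pd (the racy order).
 * fixed == 1: publish, read pd while the lock is held, then unlock. */
static int run_reorder(int fixed)
{
    struct pd pd = { .refcnt = 1, .freed = 0, .next_seq = 7 };
    struct item it = { &pd };
    stale_reads = 0;
    serial_q = &it;                  /* item is now visible to the worker */
    if (fixed)
        (void)pd_peek_next(&pd);     /* next is fetched before the unlock */
    unlock_serial();                 /* worker may drop the last reference */
    if (!fixed)
        (void)pd_peek_next(&pd);     /* pd may already be gone */
    return stale_reads;
}

int main(void)
{
    printf("racy order:  %d stale read(s)\n", run_reorder(0));
    printf("fixed order: %d stale read(s)\n", run_reorder(1));
    return 0;
}
```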

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
