CVE-2025-38584

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91", "name": "https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91", "tags": [], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52", "name": "https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52", "tags": [], "refsource": ""}, {"url": "https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa", "name": "https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit. A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly. If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-38584", "ASSIGNER": "cve@kernel.org"}}, "impact": {}, "publishedDate": "2025-08-19T17:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-19T17:15Z"}