{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38031","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:23.978Z","datePublished":"2025-06-18T09:33:18.882Z","dateUpdated":"2026-05-11T21:19:56.257Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:19:56.257Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n  comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n  hex dump (first 32 bytes):\n    80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff  ...A............\n    d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00  ..............#.\n  backtrace (crc 838fb36):\n    __kmalloc_cache_noprof+0x284/0x320\n    padata_alloc_pd+0x20/0x1e0\n    padata_alloc_shell+0x3b/0xa0\n    0xffffffffc040a54d\n    cryptomgr_probe+0x43/0xc0\n    kthread+0xf6/0x1f0\n    ret_from_fork+0x2f/0x50\n    ret_from_fork_asm+0x1a/0x30"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/padata.c"],"versions":[{"version":"f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0","lessThan":"b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1","status":"affected","versionType":"git"},{"version":"4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1","lessThan":"1a426abdf1c86882c9203dd8182f3b8274b89938","status":"affected","versionType":"git"},{"version":"7000507bb0d2ceb545c0a690e0c707c897d102c2","lessThan":"cceb15864e1612ebfbc10ec4e4dcd19a10c0056c","status":"affected","versionType":"git"},{"version":"6f45ef616775b0ce7889b0f6077fc8d681ab30bc","lessThan":"584a729615fa92f4de45480efb7e569d14be1516","status":"affected","versionType":"git"},{"version":"8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac","lessThan":"5300e487487d7a2e3e1e6e9d8f03ed9452e4019e","status":"affected","versionType":"git"},{"version":"dd7d37ccf6b11f3d95e797ebe4e9e886d0332600","lessThan":"1c65ae4988714716101555fe2b9830e33136d6fb","status":"affected","versionType":"git"},{"version":"dd7d37ccf6b11f3d95e797ebe4e9e886d0332600","lessThan":"d6ebcde6d4ecf34f8495fb30516645db3aea8993","status":"affected","versionType":"git"},{"version":"a54091c24220a4cd847d5b4f36d678edacddbaf0","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/padata.c"],"versions":[{"version":"6.14","status":"affected"},{"version":"0","lessThan":"6.14","status":"unaffected","versionType":"semver"},{"version":"5.10.238","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.185","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.141","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.93","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.31","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.9","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.235","versionEndExcluding":"5.10.238"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.179","versionEndExcluding":"5.15.185"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.129","versionEndExcluding":"6.1.141"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.76","versionEndExcluding":"6.6.93"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.13","versionEndExcluding":"6.12.31"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.14.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.14","versionEndExcluding":"6.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"},{"url":"https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"},{"url":"https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"},{"url":"https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"},{"url":"https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"},{"url":"https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"},{"url":"https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"}],"title":"padata: do not leak refcount in reorder_work","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:33:10.591Z"}}]}}