{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-38584","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T04:51:24.026Z","datePublished":"2025-08-19T17:03:06.172Z","dateUpdated":"2026-05-17T15:21:11.872Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-17T15:21:11.872Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\npadata: Fix pd UAF once and for all\n\nThere is a race condition/UAF in padata_reorder that goes back\nto the initial commit.  A reference count is taken at the start\nof the process in padata_do_parallel, and released at the end in\npadata_serial_worker.\n\nThis reference count is (and only is) required for padata_replace\nto function correctly.  If padata_replace is never called then\nthere is no issue.\n\nIn the function padata_reorder which serves as the core of padata,\nas soon as padata is added to queue->serial.list, and the associated\nspin lock released, that padata may be processed and the reference\ncount on pd would go away.\n\nFix this by getting the next padata before the squeue->serial lock\nis released.\n\nIn order to make this possible, simplify padata_reorder by only\ncalling it once the next padata arrives."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/padata.h","kernel/padata.c"],"versions":[{"version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","lessThan":"a11a12a9880ab37342b73c93cfe1a3ada02ff0db","status":"affected","versionType":"git"},{"version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","lessThan":"f231d5d001ec75f5886c02d496a4c79edc383d45","status":"affected","versionType":"git"},{"version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","lessThan":"dbe3e911a59bda6de96e7cae387ff882c2c177fa","status":"affected","versionType":"git"},{"version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","lessThan":"cdf79bd2e1ecb3cc75631c73d8f4149be6019a52","status":"affected","versionType":"git"},{"version":"16295bec6398a3eedc9377e1af6ff4c71b98c300","lessThan":"71203f68c7749609d7fc8ae6ad054bdedeb24f91","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/padata.h","kernel/padata.c"],"versions":[{"version":"2.6.34","status":"affected"},{"version":"0","lessThan":"2.6.34","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.10","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.1","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.15.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.16.1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.34","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a11a12a9880ab37342b73c93cfe1a3ada02ff0db"},{"url":"https://git.kernel.org/stable/c/f231d5d001ec75f5886c02d496a4c79edc383d45"},{"url":"https://git.kernel.org/stable/c/dbe3e911a59bda6de96e7cae387ff882c2c177fa"},{"url":"https://git.kernel.org/stable/c/cdf79bd2e1ecb3cc75631c73d8f4149be6019a52"},{"url":"https://git.kernel.org/stable/c/71203f68c7749609d7fc8ae6ad054bdedeb24f91"}],"title":"padata: Fix pd UAF once and for all","x_generator":{"engine":"bippy-1.2.0"}}}}