CVE-2025-38031

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-38031
In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak: the parallel_data refcount is incremented unconditionally, regardless of the return value of queue_work(). If the work item is already queued, the incremented refcount is never decremented. Fix this by checking the return value of queue_work() and decrementing the refcount when necessary. Resolves: Unreferenced object 0xffff9d9f421e3d80 (size 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 hex dump (first 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. backtrace (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938 Patch
https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb Patch
https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e Patch
https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516 Patch
https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1 Patch
https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c Patch
https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993 Patch
https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

18 Dec 2025, 21:36

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5
First Time Linux
Debian
Debian debian Linux
Linux linux Kernel
References () https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938 - () https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938 - Patch
References () https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb - () https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb - Patch
References () https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e - () https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e - Patch
References () https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516 - () https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516 - Patch
References () https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1 - () https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1 - Patch
References () https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c - () https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c - Patch
References () https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993 - () https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993 - Patch
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html - Third Party Advisory
References () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html - Third Party Advisory
CWE NVD-CWE-Other
CPE cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*

03 Nov 2025, 18:15

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: no se filtra el recuento de referencias en reorder_work. Un parche reciente que solucionó un UAF introdujo una fuga en el recuento de referencias: el recuento de referencias de parallel_data se incrementa incondicionalmente, independientemente del valor de retorno de queue_work(). Si el elemento de trabajo ya está en cola, el recuento incrementado nunca se decrementa. Para solucionar esto, verifique el valor de retorno de queue_work() y decremente el recuento cuando sea necesario. Resuelve: Objeto no referenciado 0xffff9d9f421e3d80 (tamaño 192): comm "cryptomgr_probe", pid 157, jiffies 4294694003 volcado hexadecimal (primeros 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. seguimiento inverso (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30
References
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html -
  • () https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html -

18 Jun 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-18 10:15

Updated : 2025-12-18 21:36

NVD link : CVE-2025-38031

Mitre link : CVE-2025-38031

CVE.ORG link : CVE-2025-38031

JSON object : View

Products Affected

debian

  • debian_linux

linux

  • linux_kernel
CWE
NVD-CWE-Other