{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-38031", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T04:51:23.978Z", "datePublished": "2025-06-18T09:33:18.882Z", "dateUpdated": "2025-11-03T17:33:10.591Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-06-18T09:33:18.882Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n hex dump (first 32 bytes):\n 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............\n d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#.\n backtrace (crc 838fb36):\n __kmalloc_cache_noprof+0x284/0x320\n padata_alloc_pd+0x20/0x1e0\n padata_alloc_shell+0x3b/0xa0\n 0xffffffffc040a54d\n cryptomgr_probe+0x43/0xc0\n kthread+0xf6/0x1f0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/padata.c"], "versions": [{"version": "f4f1b1169fc3694f9bc3e28c6c68dbbf4cc744c0", "lessThan": "b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1", "status": "affected", "versionType": "git"}, {"version": "4c6209efea2208597dbd3e52dc87a0d1a8f2dbe1", "lessThan": "1a426abdf1c86882c9203dd8182f3b8274b89938", "status": "affected", "versionType": "git"}, {"version": "7000507bb0d2ceb545c0a690e0c707c897d102c2", "lessThan": "cceb15864e1612ebfbc10ec4e4dcd19a10c0056c", "status": "affected", "versionType": "git"}, {"version": "6f45ef616775b0ce7889b0f6077fc8d681ab30bc", "lessThan": "584a729615fa92f4de45480efb7e569d14be1516", "status": "affected", "versionType": "git"}, {"version": "8ca38d0ca8c3d30dd18d311f1a7ec5cb56972cac", "lessThan": "5300e487487d7a2e3e1e6e9d8f03ed9452e4019e", "status": "affected", "versionType": "git"}, {"version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600", "lessThan": "1c65ae4988714716101555fe2b9830e33136d6fb", "status": "affected", "versionType": "git"}, {"version": "dd7d37ccf6b11f3d95e797ebe4e9e886d0332600", "lessThan": "d6ebcde6d4ecf34f8495fb30516645db3aea8993", "status": "affected", "versionType": "git"}, {"version": "a54091c24220a4cd847d5b4f36d678edacddbaf0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/padata.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.238", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.185", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.141", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.93", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.31", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.14.9", "lessThanOrEqual": "6.14.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10.235", "versionEndExcluding": "5.10.238"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.179", "versionEndExcluding": "5.15.185"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.129", "versionEndExcluding": "6.1.141"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.76", "versionEndExcluding": "6.6.93"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.13", "versionEndExcluding": "6.12.31"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.14.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13.2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"}, {"url": "https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"}, {"url": "https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"}, {"url": "https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"}, {"url": "https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"}, {"url": "https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"}, {"url": "https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"}], "title": "padata: do not leak refcount in reorder_work", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T17:33:10.591Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED872180-4736-41CF-AF8A-EE0647EC2341", "versionEndExcluding": "5.10.238", "versionStartIncluding": "5.10.235", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "94482D26-A77D-412B-A082-66839F679C23", "versionEndExcluding": "5.15.185", "versionStartIncluding": "5.15.179", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CED757A3-6224-42EA-8EA1-DB2FA89CBB31", "versionEndExcluding": "6.1.141", "versionStartIncluding": "6.1.129", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6A7D0F1-5932-4545-B658-373A044EFD16", "versionEndExcluding": "6.6.93", "versionStartIncluding": "6.6.76", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF3D9FB1-765E-4C16-93DD-ACDEDDF20C86", "versionEndExcluding": "6.12.31", "versionStartIncluding": "6.12.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D8AD79A-92F3-4A6E-AE21-C4AE1A29E3CE", "versionEndExcluding": "6.14.9", "versionStartIncluding": "6.13.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D465631-2980-487A-8E65-40AE2B9F8ED1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:*", "matchCriteriaId": "4C9D071F-B28E-46EC-AC61-22B913390211", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:*", "matchCriteriaId": "13FC0DDE-E513-465E-9E81-515702D49B74", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc4:*:*:*:*:*:*", "matchCriteriaId": "8C7B5B0E-4EEB-48F5-B4CF-0935A7633845", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc5:*:*:*:*:*:*", "matchCriteriaId": "2D240580-3048-49B2-9E27-F115A9DF8224", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc6:*:*:*:*:*:*", "matchCriteriaId": "90320558-E553-4EF5-8A0B-0F5D20113BD2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:rc7:*:*:*:*:*:*", "matchCriteriaId": "C300BA32-5854-4B59-A00A-18A402F291D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: do not leak refcount in reorder_work\n\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\n\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\n\nResolves:\n\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\n comm \"cryptomgr_probe\", pid 157, jiffies 4294694003\n hex dump (first 32 bytes):\n 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............\n d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#.\n backtrace (crc 838fb36):\n __kmalloc_cache_noprof+0x284/0x320\n padata_alloc_pd+0x20/0x1e0\n padata_alloc_shell+0x3b/0xa0\n 0xffffffffc040a54d\n cryptomgr_probe+0x43/0xc0\n kthread+0xf6/0x1f0\n ret_from_fork+0x2f/0x50\n ret_from_fork_asm+0x1a/0x30"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: padata: no se filtra el recuento de referencias en reorder_work. Un parche reciente que solucion\u00f3 un UAF introdujo una fuga en el recuento de referencias: el recuento de referencias de parallel_data se incrementa incondicionalmente, independientemente del valor de retorno de queue_work(). Si el elemento de trabajo ya est\u00e1 en cola, el recuento incrementado nunca se decrementa. Para solucionar esto, verifique el valor de retorno de queue_work() y decremente el recuento cuando sea necesario. Resuelve: Objeto no referenciado 0xffff9d9f421e3d80 (tama\u00f1o 192): comm \"cryptomgr_probe\", pid 157, jiffies 4294694003 volcado hexadecimal (primeros 32 bytes): 80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............ d0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#. seguimiento inverso (crc 838fb36): __kmalloc_cache_noprof+0x284/0x320 padata_alloc_pd+0x20/0x1e0 padata_alloc_shell+0x3b/0xa0 0xffffffffc040a54d cryptomgr_probe+0x43/0xc0 kthread+0xf6/0x1f0 ret_from_fork+0x2f/0x50 ret_from_fork_asm+0x1a/0x30"}], "id": "CVE-2025-38031", "lastModified": "2025-12-18T21:36:36.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-06-18T10:15:35.230", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1a426abdf1c86882c9203dd8182f3b8274b89938"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1c65ae4988714716101555fe2b9830e33136d6fb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5300e487487d7a2e3e1e6e9d8f03ed9452e4019e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/584a729615fa92f4de45480efb7e569d14be1516"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b9ad8e50e8589607e68e6c4cefa7f72bf35a2cb1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/cceb15864e1612ebfbc10ec4e4dcd19a10c0056c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d6ebcde6d4ecf34f8495fb30516645db3aea8993"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: padata: do not leak refcount in reorder_work", "id": "2373336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373336"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\npadata: do not leak refcount in reorder_work\nA recent patch that addressed a UAF introduced a reference count leak:\nthe parallel_data refcount is incremented unconditionally, regardless\nof the return value of queue_work(). If the work item is already queued,\nthe incremented refcount is never decremented.\nFix this by checking the return value of queue_work() and decrementing\nthe refcount when necessary.\nResolves:\nUnreferenced object 0xffff9d9f421e3d80 (size 192):\ncomm \"cryptomgr_probe\", pid 157, jiffies 4294694003\nhex dump (first 32 bytes):\n80 8b cf 41 9f 9d ff ff b8 97 e0 89 ff ff ff ff ...A............\nd0 97 e0 89 ff ff ff ff 19 00 00 00 1f 88 23 00 ..............#.\nbacktrace (crc 838fb36):\n__kmalloc_cache_noprof+0x284/0x320\npadata_alloc_pd+0x20/0x1e0\npadata_alloc_shell+0x3b/0xa0\n0xffffffffc040a54d\ncryptomgr_probe+0x43/0xc0\nkthread+0xf6/0x1f0\nret_from_fork+0x2f/0x50\nret_from_fork_asm+0x1a/0x30"], "name": "CVE-2025-38031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-38031\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-38031\nhttps://lore.kernel.org/linux-cve-announce/2025061824-CVE-2025-38031-6272@gregkh/T"], "threat_severity": "Moderate"}