CVE-2025-21727

Summary

CVE-2025-21727 is a Linux kernel vulnerability that leads to a Use-After-Free (UAF) condition in the padata subsystem. The issue arises when the refcount of a padata object is decreased to zero before being used in the padata_find_next function, resulting in a null pointer dereference. This can be triggered by deleting an algorithm while a parallel workqueue processes padata objects. To mitigate this issue, synchronize_rcu() should be added to padata_free_shell to ensure all _do_serial calls have completed before freeing padata objects. The vulnerability was discovered during the ltp test with pcrypt_aead01 and could be easily reproduced by adding 'mdelay(10)' before calling padata_find_next in padata_reorder.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.