
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-21726 is a Use-After-Free (UAF) vulnerability discovered in the Linux kernel's padata (parallel algorithm data) subsystem, specifically affecting the reorder_work functionality. The vulnerability was discovered on January 10, 2025, and was publicly disclosed on February 26, 2025. The issue affects the kernel's crypto subsystem and its parallel processing capabilities (Kernel Git).
The vulnerability stems from a race condition in the padata subsystem where a Use-After-Free condition can occur for the reorder_work functionality. The issue arises when crypto_request operations are processed and can be triggered during the interaction between the padata_do_serial and padata_reorder functions. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).
The vulnerability can lead to a Use-After-Free condition in the Linux kernel's padata subsystem, potentially allowing an attacker with local access to cause system crashes, execute arbitrary code with elevated privileges, or compromise system security. The high CVSS score indicates potential for complete compromise of system confidentiality, integrity, and availability (CISA-ADP).
A patch has been developed and committed to the Linux kernel that addresses the UAF vulnerability by implementing proper reference counting. The fix involves getting a 'pd' reference before putting 'reorder_work' into the 'serial_wq' and maintaining the reference until the 'serial_wq' finishes. The patch has been backported to multiple stable kernel versions (Kernel Git).
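The lifetime rule behind the fix can be seen in a small userspace model. This is an added example, not kernel code and not the patch itself: the struct and function names (pd_model, queue_reorder_work, run_reorder_work, worker_access_is_safe) are hypothetical, and the race is replaced by a fixed ordering in which the owner drops its reference while the work is still queued.

```c
/* Userspace model (constructed for illustration, not kernel code) of the rule:
 * hold a reference on 'pd' for as long as reorder_work sits on serial_wq. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct pd_model {            /* stands in for the kernel's 'pd' object */
    atomic_int refcnt;
    bool freed;              /* set instead of calling free() so the model can inspect it */
    bool work_holds_ref;     /* true when the queued work owns a reference */
};

static void pd_get(struct pd_model *pd) { atomic_fetch_add(&pd->refcnt, 1); }

static void pd_put(struct pd_model *pd)
{
    if (atomic_fetch_sub(&pd->refcnt, 1) == 1)
        pd->freed = true;    /* last reference gone: object is released */
}

/* Models placing reorder_work on serial_wq. */
static void queue_reorder_work(struct pd_model *pd, bool patched)
{
    pd->work_holds_ref = patched;
    if (patched)
        pd_get(pd);          /* the fix: reference taken before queueing */
}

/* Models the deferred worker; returns false if it would touch a freed pd. */
static bool run_reorder_work(struct pd_model *pd)
{
    bool safe = !pd->freed;
    if (pd->work_holds_ref)
        pd_put(pd);          /* reference kept until the work has finished */
    return safe;
}

/* Owner drops its reference while the work is still pending, then the work runs.
 * Returns true only if the worker saw a live pd and pd was released afterwards. */
static bool worker_access_is_safe(bool patched)
{
    struct pd_model pd = { .freed = false, .work_holds_ref = false };
    atomic_init(&pd.refcnt, 1);
    queue_reorder_work(&pd, patched);
    pd_put(&pd);             /* owner releases pd before the worker runs */
    return run_reorder_work(&pd) && pd.freed;
}

int main(void)
{
    printf("unpatched: worker access safe = %d\n", worker_access_is_safe(false));
    printf("patched:   worker access safe = %d\n", worker_access_is_safe(true));
    return 0;
}
```

Without the extra reference the owner's put releases pd while the work is still queued; with it, the release is deferred until the worker's own put.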
Source: This report was generated using AI