CVE-2025-21786
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
workqueue: Put the pwq after detaching the rescuer from the pool
The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall.
To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 68f83057b913467a999e1bf9e0da6a119668f769 < e7c16028a424dd35be1064a68fa318be4359310f | affected |
| Linux | Linux | 68f83057b913467a999e1bf9e0da6a119668f769 < 835b69c868f53f959d4986bbecd561ba6f38e492 | affected |
| Linux | Linux | 68f83057b913467a999e1bf9e0da6a119668f769 < e76946110137703c16423baf6ee177b751a34b7e | affected |
| Linux | Linux | 6.11 | affected |
| Linux | Linux | 0 < 6.11 | unaffected |
| Linux | Linux | 6.12.16 <= 6.12.* | unaffected |
| Linux | Linux | 6.13.4 <= 6.13.* | unaffected |
| Linux | Linux | 6.14 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/e7c16028a424dd35be1064a68fa318be4359310f
- https://git.kernel.org/stable/c/835b69c868f53f959d4986bbecd561ba6f38e492
- https://git.kernel.org/stable/c/e76946110137703c16423baf6ee177b751a34b7e
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.