PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-38584 Linux CVE debrief

CVE-2025-38584 is a use-after-free in the Linux kernel's padata subsystem: a race in padata_reorder in which the parallel-data object (pd) can be freed by a concurrent serialization step once a padata has been added to the serial list and the serial lock released, while padata_reorder still uses it. NVD rates it 7.8 High (CVSS v3.1): local attack vector, low privileges required, no user interaction, and high confidentiality, integrity, and availability impact. The kernel fix obtains the next padata before releasing the serial lock and simplifies padata_reorder so that it runs only once that next padata has arrived.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-19
Original CVE updated: 2026-05-17
Advisory published: 2025-08-19
Advisory updated: 2026-05-17

Who should care

Linux kernel maintainers, distribution security teams, embedded and OEM kernel integrators, and administrators running kernels in the affected ranges should care. The padata reorder path is exercised through padata_do_parallel, whose primary in-tree consumer is the pcrypt parallel-crypto template (crypto/pcrypt.c), so hosts that instantiate pcrypt, for example IPsec configured to use it, are the first to review; hosts that never load pcrypt or another padata client do not reach padata_reorder.

Technical summary

The issue is a race condition leading to a use-after-free in padata_reorder. The CVE description states that a reference count on the pd is taken in padata_do_parallel and released in padata_serial_worker, and that only padata_replace depends on this reference count. In padata_reorder, once a padata has been added to queue->serial.list and the serial spin lock released, another context can complete the serialization step and drop the last reference, freeing the pd while padata_reorder still touches it. The fix moves acquisition of the next padata earlier, before the squeue->serial lock is released, and restructures the reorder logic so that padata_reorder is called only when the next padata is available, removing the window in which pd was used after the lock that protected its lifetime was dropped.

Defensive priority

High. This is a kernel memory-safety issue (CWE-416) with local, low-privilege attack prerequisites and high potential impact, and NVD lists it as affecting widely deployed Linux kernel version ranges going back to 2.6.34.

Recommended defensive actions

  • Apply the kernel updates that include the padata_reorder fix from the referenced stable branches.
  • Prioritize patching systems running Linux kernel versions in the NVD-affected ranges: 2.6.34 through before 6.15.10, and 6.16 through before 6.16.1.
  • Verify whether your kernels or downstream vendor builds include the stable patch references linked in the source data. Distribution kernels routinely backport fixes without advancing the upstream version number, so compare against the vendor changelog or advisory rather than relying on uname -r alone.
  • Treat affected hosts as high priority if they use padata-related functionality (in practice, the pcrypt crypto template) or run vendor kernels derived from the impacted upstream releases.
  • Use your normal kernel update and reboot process to ensure the fix is actually running, not just staged: a kernel package that has been installed but not booted does nothing, so confirm the running version with uname -r after the reboot.
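The triage steps above, as an added example that is not PatchSiren or kernel.org code: a POSIX-sh helper that compares a kernel version string against the NVD-affected ranges and scans /proc/crypto text for pcrypt instances. The /proc/crypto sample embedded in the script is constructed, not captured from a real host, and the script name padata-check.sh is an assumption.

```shell
#!/bin/sh
# Added example for this debrief (not PatchSiren or kernel.org code): a
# POSIX-sh triage helper that (1) compares a kernel version string against the
# NVD-affected ranges for CVE-2025-38584 and (2) scans /proc/crypto text for
# pcrypt instances, the in-tree consumer of the padata reorder path.
# A version inside the range is a prompt to check the vendor changelog, not
# proof of vulnerability: distributions backport fixes without bumping uname -r.

# Normalise "6.15.9-arch1-1" -> "6 15 9" and "6.16-rc3" -> "6 16 0"
# (leading numeric fields only, padded to three). Fails on unparseable input.
kver_fields() {
    kf_v=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$kf_v" ] || return 1
    set -- $(printf '%s' "$kf_v" | tr '.' ' ')
    printf '%d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Succeeds when version $1 sorts strictly before version $2; returns 2 when
# either string cannot be parsed.
kver_lt() {
    lt_a=$(kver_fields "$1") || return 2
    lt_b=$(kver_fields "$2") || return 2
    set -- $lt_a $lt_b
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Succeeds when $1 is inside an NVD-affected range:
#   >= 2.6.34 and < 6.15.10, or >= 6.16 and < 6.16.1
# Returns 2 when the version string cannot be parsed.
cve_2025_38584_affected() {
    kver_fields "$1" >/dev/null || return 2
    if ! kver_lt "$1" 2.6.34 && kver_lt "$1" 6.15.10; then return 0; fi
    if ! kver_lt "$1" 6.16 && kver_lt "$1" 6.16.1; then return 0; fi
    return 1
}

# Print the "driver : pcrypt(...)" lines from /proc/crypto-style text given in
# $1; succeeds when at least one pcrypt instance is registered. Instances only
# appear after something (IPsec using the pcrypt template, tcrypt) has
# instantiated them, so an empty result does not rule the path out.
pcrypt_drivers() {
    printf '%s\n' "$1" | grep -E '^driver[[:space:]]*:[[:space:]]*pcrypt\('
}

# Constructed sample of /proc/crypto output (not captured from a real host).
SAMPLE_PROC_CRYPTO='name         : pcrypt(rfc4106(gcm(aes)))
driver       : pcrypt(rfc4106-gcm-aesni)
module       : pcrypt
priority     : 2400
name         : sha256
driver       : sha256-generic
module       : kernel'

# Host check: sh padata-check.sh --check
if [ "${1:-}" = "--check" ]; then
    running=$(uname -r)
    if cve_2025_38584_affected "$running"; then
        echo "kernel $running is inside an NVD-affected range; confirm the padata_reorder fix in your vendor build"
    else
        echo "kernel $running is outside the NVD-affected ranges"
    fi
    if [ -r /proc/crypto ] && pcrypt_drivers "$(cat /proc/crypto)"; then
        echo "pcrypt instances present: the padata reorder path is in use"
    else
        echo "no pcrypt instances in /proc/crypto"
    fi
fi
```

Run it with --check on each host; pair the version result with the vendor changelog (a backported fix keeps the old version string), and treat a pcrypt hit as the signal that the padata reorder path is actually exercised there.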

Evidence notes

Based only on the supplied CVE description and NVD metadata. The CVE text identifies a long-standing race/use-after-free in padata_reorder and describes the fix. NVD assigns CWE-416 and CVSS v3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and lists affected Linux kernel version ranges as 2.6.34 through before 6.15.10 and 6.16 through before 6.16.1. The supplied source references include kernel.org stable patch links.

Official resources

CVE published at 2025-08-19T17:15:35.723Z and last modified at 2026-05-17T16:16:14.363Z. The supplied data does not include a CISA KEV entry or ransomware-campaign attribution.