In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held until the detachment is complete. Therefore, move the code that puts the pwq after detaching the rescuer from the pool.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2025022608-CVE-2025-21786-f31d@gregkh/T
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:20095 https://access.redhat.com/errata/RHSA-2025:20095
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:20518 https://access.redhat.com/errata/RHSA-2025:20518