CVE-2025-21991

Advisory lineage Upstream: 0 Downstream: 65
Modified
Published: 02 Apr 2025, 12:53
Last modified:23 May 2026, 15:57

Vulnerability Summary

Overall Risk (default)
medium
31/100
CVSS Score
7.8 HIGH
v3.1 (cve.org)
EPSS Score
0.04% LOW
0% probability -0.03%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Apr 2025, 12:53
Published
Vulnerability first disclosed
23 May 2026, 15:57
Last Modified
Vulnerability information updated

Description

In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.04% Percentile: 12%

Techniques & Countermeasures

  • CWE-129Improper Validation of Array Index

    The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Affected Systems

  • linuxlinux

    ≥ 979e197968a1e8f09bf0d706801dba4432f85ab3, < d509c4731090ebd9bbdb72c70a2d70003ae81f4f | ≥ 44a44b57e88f311c1415be1f567c50050913c149, < 985a536e04bbfffb1770df43c6470f635a6b1073 | ≥ be2710deaed3ab1402379a2ede30a3754fe6767a, < 18b5d857c6496b78ead2fd10001b81ae32d30cac | ≥ d576547f489c935b9897d4acf8beee3325dea8a5, < ec52240622c4d218d0240079b7c1d3ec2328a9f4 | ≥ 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, < e686349cc19e800dac8971929089ba5ff59abfb0 | ≥ 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, < 488ffc0cac38f203979f83634236ee53251ce593 | ≥ 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, < 5ac295dfccb5b015493f86694fa13a0dde4d3665 | ≥ 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, < e3e89178a9f4a80092578af3ff3c8478f9187d59 | d6353e2fc12c5b8f00f86efa30ed73d2da2f77be | 1b1e0eb1d2971a686b9f7bdc146115bcefcbb960 | eaf5dea1eb8c2928554b3ca717575cbe232b843c | ≥ 5.4.235, < 5.4.292 | ≥ 5.10.173, < 5.10.236 | ≥ 5.15.99, < 5.15.180 | ≥ 6.1.16, < 6.1.132 | ≥ 4.14.308, < 4.15 | ≥ 4.19.276, < 4.20 | ≥ 6.2.3, < 6.3 | 6.3

  • linuxlinux_kernel

    ≥ 4.14.308, < 4.15 | ≥ 4.19.276, < 4.20 | ≥ 5.4.235, < 5.5 | ≥ 5.10.173, < 5.11 | ≥ 5.15.99, < 5.16 | ≥ 6.1.16, < 6.1.132 | ≥ 6.2.3, < 6.6.84 | ≥ 6.7, < 6.12.20 | ≥ 6.13, < 6.13.8 | 6.14:rc1 | 6.14:rc2 | 6.14:rc3 | 6.14:rc4 | 6.14:rc5 | 6.14:rc6

References (10)