CVE-2025-21991

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]

In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-04-02 CVE Published
2025-04-02 CVE Updated
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (13)

URL	Tag	Source
https://git.kernel.org/stable/c/d576547f489c935b9897d4acf8beee3325dea8a5	Vuln. Introduced
https://git.kernel.org/stable/c/7ff6edf4fef38ab404ee7861f257e28eaaeed35f	Vuln. Introduced
https://git.kernel.org/stable/c/d6353e2fc12c5b8f00f86efa30ed73d2da2f77be	Vuln. Introduced
https://git.kernel.org/stable/c/1b1e0eb1d2971a686b9f7bdc146115bcefcbb960	Vuln. Introduced
https://git.kernel.org/stable/c/979e197968a1e8f09bf0d706801dba4432f85ab3	Vuln. Introduced
https://git.kernel.org/stable/c/44a44b57e88f311c1415be1f567c50050913c149	Vuln. Introduced
https://git.kernel.org/stable/c/be2710deaed3ab1402379a2ede30a3754fe6767a	Vuln. Introduced
https://git.kernel.org/stable/c/eaf5dea1eb8c2928554b3ca717575cbe232b843c	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4	2025-03-28
https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0	2025-03-22
https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593	2025-03-22
https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665	2025-03-22
https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59	2025-03-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.16 < 6.1.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.16 < 6.1.132"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.6.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.84"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.12.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.12.20"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.13.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.13.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.308 Search vendor "Linux" for product "Linux Kernel" and version "4.14.308"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.276 Search vendor "Linux" for product "Linux Kernel" and version "4.19.276"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.235 Search vendor "Linux" for product "Linux Kernel" and version "5.4.235"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.173 Search vendor "Linux" for product "Linux Kernel" and version "5.10.173"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.99 Search vendor "Linux" for product "Linux Kernel" and version "5.15.99"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2.3 Search vendor "Linux" for product "Linux Kernel" and version "6.2.3"		en		Affected