CVE-2025-21991
x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]
Michael Randrianantenaina discovered that the Bluetooth driver in the Linux Kernel contained an improper access control vulnerability. A nearby attacker could use this to connect a rougue device and possibly execute arbitrary code. It was discovered that the CIFS network file system implementation in the Linux kernel did not properly verify the target namespace when handling upcalls. An attacker could use this to expose sensitive information.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2024-12-29 CVE Reserved
- 2025-04-02 CVE Published
- 2025-05-04 CVE Updated
- 2025-06-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (16)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/979e197968a1e8f09bf0d706801dba4432f85ab3 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/44a44b57e88f311c1415be1f567c50050913c149 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/be2710deaed3ab1402379a2ede30a3754fe6767a | Vuln. Introduced | |
| https://git.kernel.org/stable/c/d576547f489c935b9897d4acf8beee3325dea8a5 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/7ff6edf4fef38ab404ee7861f257e28eaaeed35f | Vuln. Introduced | |
| https://git.kernel.org/stable/c/d6353e2fc12c5b8f00f86efa30ed73d2da2f77be | Vuln. Introduced | |
| https://git.kernel.org/stable/c/1b1e0eb1d2971a686b9f7bdc146115bcefcbb960 | Vuln. Introduced | |
| https://git.kernel.org/stable/c/eaf5dea1eb8c2928554b3ca717575cbe232b843c | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4.235 < 5.4.292 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.235 < 5.4.292" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.10.173 < 5.10.236 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.173 < 5.10.236" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.15.99 < 5.15.180 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.99 < 5.15.180" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.1.16 < 6.1.132 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.16 < 6.1.132" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.6.84 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.84" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.12.20 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.12.20" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.13.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.13.8" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.14" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.14.308 Search vendor "Linux" for product "Linux Kernel" and version "4.14.308" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 4.19.276 Search vendor "Linux" for product "Linux Kernel" and version "4.19.276" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | 6.2.3 Search vendor "Linux" for product "Linux Kernel" and version "6.2.3" | en |
Affected
| ||||||