CVE-2025-21991

EPSS 0.02%
Veröffentlicht 02.04.2025 13:15:43
Zuletzt bearbeitet 03.11.2025 20:17:34
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask.

According to Documentation/admin-guide/mm/numaperf.rst:

  "Some memory may share the same node as a CPU, and others are provided as
  memory only nodes."

Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".

On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an
  index that is 1 out of bounds

This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update.

When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat:

  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
  index 512 is out of range for type 'unsigned long[512]'
  [...]
  Call Trace:
   dump_stack
   __ubsan_handle_out_of_bounds
   load_microcode_amd
   request_microcode_amd
   reload_store
   kernfs_fop_write_iter
   vfs_write
   ksys_write
   do_syscall_64
   entry_SYSCALL_64_after_hwframe

Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update.

  [ bp: Massage commit message, fix typo. ]

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 13

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.14.308 < 4.15

Linux ≫ Linux Kernel Version >= 4.19.276 < 4.20

Linux ≫ Linux Kernel Version >= 5.4.235 < 5.5

Linux ≫ Linux Kernel Version >= 5.10.173 < 5.11

Linux ≫ Linux Kernel Version >= 5.15.99 < 5.16

Linux ≫ Linux Kernel Version >= 6.1.16 < 6.1.132

Linux ≫ Linux Kernel Version >= 6.2.3 < 6.6.84

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.20

Linux ≫ Linux Kernel Version >= 6.13 < 6.13.8

Linux ≫ Linux Kernel Version6.14 Updaterc1

Linux ≫ Linux Kernel Version6.14 Updaterc2

Linux ≫ Linux Kernel Version6.14 Updaterc3

Linux ≫ Linux Kernel Version6.14 Updaterc4

Linux ≫ Linux Kernel Version6.14 Updaterc5

Linux ≫ Linux Kernel Version6.14 Updaterc6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.053

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593

Patch

https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665

Patch

https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59

Patch

https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0

Patch

https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4

Patch

https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac

Patch