- Vulnerability/
- CVE-2025-21991
CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
First published: Wed Apr 02 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4
- https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0
- https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593
- https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665
- https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59
Frequently Asked Questions
What systems are affected by CVE-2025-21991?
CVE-2025-21991 affects Linux kernel versions that utilize x86 microcode on systems with CPU-less NUMA nodes.
What is the severity of CVE-2025-21991?
The severity of CVE-2025-21991 is classified as moderate due to potential out-of-bounds access.
How do I fix CVE-2025-21991?
To fix CVE-2025-21991, update to the latest stable version of the Linux kernel that includes the security patch.
What type of vulnerability is CVE-2025-21991?
CVE-2025-21991 is an out-of-bounds access vulnerability in the Linux kernel related to microcode handling.
Is CVE-2025-21991 a remote exploit?
CVE-2025-21991 is not classified as a remote exploit; it requires specific conditions related to CPU-less NUMA nodes.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/description
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/source
- agent/last-modified-date
- agent/author
- agent/tags
- agent/event
- vendor/linux
- canonical/linux kernel