CVE-2025-21872: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

efi: Don't map the entire mokvar table to determine its size

Currently, when validating the mokvar table, we (re)map the entire table on each iteration of the loop, adding space as we discover new entries. If the table grows over a certain size, this fails due to limitations of early_memmap(), and we get a failure and traceback:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at mm/early_ioremap.c:139 __early_ioremap+0xef/0x220
...
Call Trace:
<TASK>
? __early_ioremap+0xef/0x220
? __warn.cold+0x93/0xfa
? __early_ioremap+0xef/0x220
? report_bug+0xff/0x140
? early_fixup_exception+0x5d/0xb0
? early_idt_handler_common+0x2f/0x3a
? __early_ioremap+0xef/0x220
? efi_mokvar_table_init+0xce/0x1d0
? setup_arch+0x864/0xc10
? start_kernel+0x6b/0xa10
? x86_64_start_reservations+0x24/0x30
? x86_64_start_kernel+0xed/0xf0
? common_startup_64+0x13e/0x141
</TASK>
---[ end trace 0000000000000000 ]---
mokvar: Failed to map EFI MOKvar config table pa=0x7c4c3000, size=265187.

Mapping the entire structure isn't actually necessary, as we don't ever need more than one entry header mapped at once.

Changes efi_mokvar_table_init() to only map each entry header, not the entire table, when determining the table size. Since we're not mapping any data past the variable name, it also changes the code to enforce that each variable name is NUL terminated, rather than attempting to verify it in place.
AI Analysis
Technical Summary
CVE-2025-21872 is a flaw in how the Linux kernel handles the EFI MOK (Machine Owner Key) variable configuration table during early boot. The table is an EFI configuration table, on typical Secure Boot deployments published by shim, that carries the MokList-style variables so the kernel can read them without calling EFI runtime variable services. It is a sequence of variable-length entries, each with a fixed-size name field, a 64-bit data length and the payload, terminated by an entry with an empty name. efi_mokvar_table_init(), called from setup_arch() before the normal memory allocator exists, walks this sequence to validate it and compute its total size. The unpatched walker remapped the whole table from its start on every loop iteration, enlarging the mapping as each new entry was discovered. That mapping is done with early_memremap() (written early_memmap() in the commit message), which draws on a fixed pool of fixmap slots and cannot map more than NR_FIX_BTMAPS pages in a single call: 64 pages, or 256 KiB, on x86. The trace in the description shows exactly that boundary. The 265187-byte table is just over 262144 bytes, so __early_ioremap() hits the WARN_ON at mm/early_ioremap.c:139 and efi_mokvar_table_init() logs "mokvar: Failed to map EFI MOKvar config table" and gives up on the table. What the page documents is therefore a kernel WARNING and a rejected table, not a crash; the boot continues (a panic would occur only where panic_on_warn is enabled), but the keys and flags shim exported through the table are unavailable by this path, so the kernel falls back to reading the corresponding EFI variables where they exist and /sys/firmware/efi/mok-variables/ is not populated. The fix changes the walk so that only the current entry header (name plus data length) is mapped at each step, which keeps every mapping the same small size no matter how many entries the table holds. Because nothing past the name is mapped any more, the patched code also requires each name to be NUL-terminated inside its fixed-size field, rejecting the table if it is not, instead of verifying the name in place. The CVE record identifies the affected range by commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5, the commit that introduced the MOKvar table support, so any kernel carrying that code path without the fix is affected. The vulnerability was published on March 27, 2025 and is not known to be exploited in the wild. The trigger is the size of the table that firmware or shim hands to the kernel, not network or unprivileged user input: growing it means enrolling more certificates or hashes into the MOK database, which requires administrative access plus physical-presence confirmation at the MokManager prompt on the next boot.
Overall, this is an early-boot memory mapping and validation flaw in the EFI MOK variable handling; its effect is a boot-time warning and the loss of the MOKvar table on systems whose table exceeds the early mapping limit, which affects availability of the MOK key-handover path rather than confidentiality or integrity.
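To make the two walking strategies concrete, here is a stand-alone C simulation added for this page; it is not the kernel's code and not part of the advisory. It models the entry layout on the kernel's struct efi_mokvar_table_entry (256-byte name, 64-bit data_size, payload) and replaces early_memremap() with a stub that refuses any single mapping larger than 64 pages, the x86 NR_FIX_BTMAPS limit. The sample tables are constructed inside the block; walk_remap_whole() reproduces the pre-fix behaviour, walk_header_only() the patched one including the NUL-terminated-name check. The data_size bound against the buffer end is the simulation's own safety check on its constructed input, not something taken from the kernel.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entry layout modelled on the kernel's struct efi_mokvar_table_entry
 * (assumed here, not copied): fixed name, payload length, payload.
 * The table ends with an entry whose name begins with '\0'. */
struct mokvar_entry {
    char     name[256];
    uint64_t data_size;
    uint8_t  data[];
} __attribute__((packed));

/* One early_memremap() call cannot cover more than NR_FIX_BTMAPS pages;
 * on x86 that is 64 pages = 256 KiB. The 265187-byte table in the
 * advisory trace is just over this line. */
#define EARLY_MAP_LIMIT (64u * 4096u)

/* Simulated early_memremap(): a window into the "physical" table, or NULL
 * when the request exceeds the slot limit or runs off the buffer. */
static const uint8_t *sim_early_memremap(const uint8_t *tbl, size_t cap,
                                         size_t off, size_t size)
{
    if (size > EARLY_MAP_LIMIT || off > cap || size > cap - off)
        return NULL;
    return tbl + off;
}

/* Pre-fix strategy: every iteration remaps the table from offset 0 up to the
 * end of the current header, so the mapping grows with the table and
 * eventually trips the per-mapping limit. Returns the table size, -1 on a
 * mapping failure, -2 on an unterminated name. */
static long walk_remap_whole(const uint8_t *tbl, size_t cap, size_t *count)
{
    size_t size = 0, n = 0;

    for (;;) {
        size_t hdr_end = size + sizeof(struct mokvar_entry);
        const uint8_t *va = sim_early_memremap(tbl, cap, 0, hdr_end);
        const struct mokvar_entry *e;

        if (!va)
            return -1;
        e = (const struct mokvar_entry *)(va + size);
        if (e->name[0] == '\0') {            /* terminator entry */
            *count = n;
            return (long)hdr_end;
        }
        if (!memchr(e->name, '\0', sizeof(e->name)))
            return -2;
        if (e->data_size > cap - hdr_end)    /* payload past table end */
            return -1;
        size = hdr_end + (size_t)e->data_size;
        n++;
    }
}

/* Post-fix strategy: map one fixed-size header at a time and skip the
 * payload without mapping it. Since the payload is never mapped, the name
 * must be NUL-terminated within its field. Same return convention. */
static long walk_header_only(const uint8_t *tbl, size_t cap, size_t *count)
{
    size_t off = 0, n = 0;

    for (;;) {
        const struct mokvar_entry *e = (const struct mokvar_entry *)
            sim_early_memremap(tbl, cap, off, sizeof(*e));

        if (!e)
            return -1;
        off += sizeof(*e);
        if (e->name[0] == '\0') {
            *count = n;
            return (long)off;
        }
        if (!memchr(e->name, '\0', sizeof(e->name)))
            return -2;
        if (e->data_size > cap - off)
            return -1;
        off += (size_t)e->data_size;
        n++;
    }
}

/* Constructed sample: `count` entries with `data_len`-byte payloads, then
 * the zeroed terminator (calloc leaves its name[0] == '\0'). Caller frees. */
static uint8_t *build_table(size_t count, size_t data_len, size_t *len)
{
    size_t hdr = sizeof(struct mokvar_entry);
    size_t total = count * (hdr + data_len) + hdr, off = 0;
    uint8_t *tbl = calloc(1, total);

    if (!tbl)
        return NULL;
    for (size_t i = 0; i < count; i++) {
        struct mokvar_entry *e = (struct mokvar_entry *)(tbl + off);
        snprintf(e->name, sizeof(e->name), "MokListRT-%zu", i);
        e->data_size = data_len;
        memset(e->data, 0xA5, data_len);
        off += hdr + data_len;
    }
    *len = total;
    return tbl;
}

/* Build a table, walk it with one strategy, free it, return the result. */
long run_scenario(size_t count, size_t data_len, int header_only)
{
    size_t len, n = 0;
    uint8_t *tbl = build_table(count, data_len, &len);
    long r;

    if (!tbl)
        return -1;
    r = header_only ? walk_header_only(tbl, len, &n)
                    : walk_remap_whole(tbl, len, &n);
    free(tbl);
    return r;
}

/* Overwrite the first name with no NUL anywhere in its 256 bytes: the
 * patched walker must reject the table rather than read past the field. */
long run_unterminated_name(void)
{
    size_t len, n = 0;
    uint8_t *tbl = build_table(1, 16, &len);
    long r;

    if (!tbl)
        return -1;
    memset(tbl, 'A', sizeof(((struct mokvar_entry *)0)->name));
    r = walk_header_only(tbl, len, &n);
    free(tbl);
    return r;
}

int main(void)
{
    printf("small table, remap-whole:   %ld\n", run_scenario(3, 100, 0));
    printf("small table, header-only:   %ld\n", run_scenario(3, 100, 1));
    printf("400 KiB table, remap-whole: %ld (fails like the trace)\n",
           run_scenario(2, 200000, 0));
    printf("400 KiB table, header-only: %ld\n", run_scenario(2, 200000, 1));
    printf("unterminated name:          %ld\n", run_unterminated_name());
    return 0;
}
```

On the two-entry table the remap-whole walker succeeds twice and then asks for a 401056-byte window on the third pass, which the stub refuses, while the header-only walker never requests more than 264 bytes at a time and returns the full 400792-byte size. The same limit is what the 265187-byte table in the trace crossed on real hardware.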
Potential Impact
For European organizations, the impact of CVE-2025-21872 is confined to the availability of the MOK key-handover path on Linux systems that boot with UEFI Secure Boot through shim, which is the usual configuration on enterprise distributions. When the MOKvar table exceeds the early-mapping limit, an unpatched kernel logs a WARNING at boot and discards the table. The host does not hang or panic on that account unless panic_on_warn is set, but keys and flags that shim published only through the table are no longer available by that route, and the kernel has to fall back to the corresponding EFI variables where they exist. Hosts most likely to reach the limit are those whose MOK database has grown large over time, for example through many enrolled certificates or hash entries accumulated from key rotations, custom module signing or third-party driver vendors. There is no confidentiality or integrity exposure: the walker rejects the whole table rather than mapping part of it, so at worst fewer keys are trusted than intended and modules signed with those keys fail to load. No exploitation is known, and the trigger is not reachable remotely or by unprivileged users, because changing the table means changing the MOK database, which needs administrative access and a physical-presence confirmation in MokManager at the next boot. The practical risk is operational: a boot that completes with a warning and a weaker key set than intended, which is easy to miss unless kernel logs are monitored, plus the recovery effort once it is noticed.
Mitigation Recommendations
1. Apply the kernel update carrying the fix (efi: Don't map the entire mokvar table to determine its size) from your distribution or the stable series. Once patched, the walker maps one entry header at a time and the table size no longer matters.
2. Check affected hosts for the symptom instead of guessing. An unpatched failure leaves the line "mokvar: Failed to map EFI MOKvar config table" together with a WARNING from __early_ioremap in the boot log (dmesg or journalctl -k). A healthy boot exposes the table's variables as files under /sys/firmware/efi/mok-variables/; their combined size approximates the table size, and anything approaching 256 KiB on x86 is at risk.
3. Keep the MOK database small. Review the output of mokutil --list-enrolled and remove certificates and hashes that are no longer needed with mokutil --delete, which, like enrollment, must be confirmed at the MokManager prompt on the next boot.
4. In fleets under configuration management, alert on the dmesg signature above and on growth of the mok-variables directory, so that a host which silently lost its MOK keys is noticed rather than discovered when a signed module fails to load.
5. Test the kernel update in staging on Secure Boot-enabled hardware before production rollout, and verify afterwards that modules signed with MOK keys still load.
6. Keep tested recovery procedures (rescue media that can boot the host, exported copies of enrolled keys) so a host that booted with the wrong key set can be repaired quickly.
7. Restrict administrative and physical access, since enrolling or deleting MOK keys requires both; this is what keeps the table's contents out of anyone else's control.
8. Follow the Linux kernel CVE announcements and your distribution's advisories for further EFI and Secure Boot fixes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.781Z
- CISA Enriched: false
- CVSS Version: null (no CVSS score in the record)
- State: PUBLISHED
Threat ID: 682d9817c4522896dcbd718d
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 7/4/2025, 10:41:35 PM
Last updated: 8/12/2025, 8:35:38 AM
Views: 15
Related Threats
- CVE-2025-52351: n/a (High)
- CVE-2025-52352: n/a (High)
- CVE-2025-7051: CWE-284 in N-able N-central (High)
- CVE-2025-57768: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Alanaktion phproject (Medium)
- CVE-2025-55524: n/a (High)