
CVE-2025-21991: Vulnerability in the Linux kernel

Medium
Published: Wed Apr 02 2025 (04/02/2025, 12:53:14 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask.

According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".

On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds

This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update.

When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update, I get the following splat:

UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
index 512 is out of range for type 'unsigned long[512]'
[...]
Call Trace:
dump_stack
__ubsan_handle_out_of_bounds
load_microcode_amd
request_microcode_amd
reload_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe

Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update.

[ bp: Massage commit message, fix typo. ]

AI-Powered Analysis

Last updated: 06/27/2025, 23:54:42 UTC

Technical Analysis

CVE-2025-21991 is a bug in the Linux kernel's AMD microcode loader on x86. load_microcode_amd() iterates over every NUMA node, takes the node's CPU mask with cpumask_of_node(), picks the first CPU in that mask with cpumask_first(), and then reads that CPU's per-CPU data via cpu_data() to decide whether the node needs the new microcode patch. On systems whose topology contains memory-only (CPU-less) NUMA nodes, such as hosts with far memory, the mask of such a node is empty. cpumask_first() on an empty mask does not report an error; it returns a value one past the last valid CPU (CONFIG_NR_CPUS in the commit's description), and that value is used unchecked as the index into the cpu_info per-CPU array. The recorded UBSAN splat shows exactly this: "index 512 is out of range for type 'unsigned long[512]'", an access one element past the end of the array.

The access happens on the privileged microcode load path. The call trace on this page runs through reload_store(), kernfs_fop_write_iter() and vfs_write(), that is, a root write to the microcode reload attribute in sysfs. The reporter therefore sees no direct security impact, since only a privileged user can trigger a microcode load, but regards it as a reliability problem: an out-of-bounds access on the per-CPU array during the update can touch whatever memory follows it. The bug was surfaced by the Undefined Behavior Sanitizer with CONFIG_UBSAN_BOUNDS=y; a production kernel built without that option would perform the same out-of-bounds access silently.

The fix restricts the loop to NUMA nodes that actually have CPUs before asking for their first CPU, so cpumask_first() is never evaluated on an empty mask and the index stays below the array bound. Affected kernels are those whose load_microcode_amd() still iterates over all nodes; this page lists no version ranges, no CVSS score has been assigned (Cvss Version: null), and no exploitation in the wild is reported. It is a reliability defect in a critical kernel component rather than an exploitable weakness.
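The loop in both of its forms, as an added user-space model written for this page (it is not the kernel's code and not part of the original analysis): NR_CPUS, MAX_NUMNODES, node_cpus, cpu_info, the patch revisions and the four-node topology are constructed stand-ins, and the extra guard slot after cpu_info exists only so that the out-of-bounds index can be observed without undefined behaviour. As the page's description of the loop implies, the model only reads the per-CPU record to decide whether an update is needed; the index is what goes out of bounds.

```c
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS      8   /* stand-in for CONFIG_NR_CPUS (constructed) */
#define MAX_NUMNODES 4   /* stand-in for the kernel's node count (constructed) */

/* One bit per CPU. A memory-only node has an empty mask. */
typedef unsigned int cpumask_t;

/* Stand-in for the cpuinfo_x86 field the loop consults. */
struct cpuinfo {
	unsigned int microcode;    /* currently running patch revision */
};

/* Stand-in for the cpu_info per-CPU array. The one extra "guard" slot
 * after the last valid entry lets an index of NR_CPUS be observed here
 * instead of reading whatever follows the array, as the kernel would. */
#define GUARD_REV 0xFFFFFFFFu
static struct cpuinfo cpu_info[NR_CPUS + 1];

static cpumask_t node_cpus[MAX_NUMNODES];

/* Same contract as the kernel's cpumask_first(): lowest set bit, or a
 * value one past the last valid CPU (NR_CPUS here) for an empty mask. */
static unsigned int cpumask_first(cpumask_t m)
{
	for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
		if (m & (1u << cpu))
			return cpu;
	return NR_CPUS;
}

/* Constructed topology: node0 = CPUs 0-3, node1 = CPUs 4-7, node2 and
 * node3 are CPU-less far-memory nodes. Every real CPU runs an
 * arbitrary constructed revision 0x0a001000. */
static void setup_topology(void)
{
	node_cpus[0] = 0x0Fu;
	node_cpus[1] = 0xF0u;
	node_cpus[2] = 0;
	node_cpus[3] = 0;
	for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
		cpu_info[cpu].microcode = 0x0a001000u;
	cpu_info[NR_CPUS].microcode = GUARD_REV;
}

struct scan {
	unsigned int max_index;    /* highest cpu_info index touched */
	bool         needs_update; /* some node's first CPU runs an older patch */
};

/* Before the fix: every node is visited (for_each_node), so a CPU-less
 * node yields cpu == NR_CPUS and the loop reads cpu_info[NR_CPUS]. */
static struct scan load_microcode_buggy(unsigned int patch_id)
{
	struct scan s = { 0, false };
	for (unsigned int nid = 0; nid < MAX_NUMNODES; nid++) {
		unsigned int cpu = cpumask_first(node_cpus[nid]);
		struct cpuinfo *c = &cpu_info[cpu];   /* index == NR_CPUS on node2/node3 */
		if (cpu > s.max_index)
			s.max_index = cpu;
		if (c->microcode < patch_id)
			s.needs_update = true;
	}
	return s;
}

/* After the fix: nodes without CPUs are skipped before cpumask_first()
 * is consulted, so cpu is always < NR_CPUS. The kernel has a
 * for_each_node_with_cpus() helper for this; the page only states that
 * the loop now covers nodes with CPUs. */
static struct scan load_microcode_fixed(unsigned int patch_id)
{
	struct scan s = { 0, false };
	for (unsigned int nid = 0; nid < MAX_NUMNODES; nid++) {
		if (node_cpus[nid] == 0)
			continue;
		unsigned int cpu = cpumask_first(node_cpus[nid]);
		struct cpuinfo *c = &cpu_info[cpu];
		if (cpu > s.max_index)
			s.max_index = cpu;
		if (c->microcode < patch_id)
			s.needs_update = true;
	}
	return s;
}

int main(void)
{
	setup_topology();
	struct scan b = load_microcode_buggy(0x0a001001u);
	struct scan f = load_microcode_fixed(0x0a001001u);
	printf("buggy: highest index %u (array bound is %u), needs_update=%d\n",
	       b.max_index, NR_CPUS, b.needs_update);
	printf("fixed: highest index %u, needs_update=%d\n",
	       f.max_index, f.needs_update);
	return 0;
}
```

With the constructed topology the unfixed loop reports a highest index equal to NR_CPUS, the same one-past-the-end condition UBSAN flagged on the page (index 512 for a 512-element array), while the fixed loop never goes above CPU 4 and still reaches the correct decision about whether an update is needed.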

Potential Impact

For European organizations the impact of CVE-2025-21991 is to availability and reliability, not to the confidentiality or integrity of data. The bug is reached only on AMD x86 hosts whose NUMA topology contains memory-only nodes (the far-memory configurations named in the description) and only when a privileged user or an automated service loads microcode through load_microcode_amd(). In that case the loader indexes one element past the cpu_info per-CPU array; depending on what lies beyond it, the outcome ranges from nothing visible, to a wrong decision about whether a node needs the update, to corrupted kernel memory or a crash during the update. Data centres, cloud providers and enterprises that run Linux fleets on such hardware and apply AMD microcode updates as a routine part of patching are the ones exposed to unexpected failures, and for environments with strict uptime requirements (financial institutions, telecommunications, healthcare) an unplanned host outage during a maintenance run has operational and financial cost. The flaw provides no privilege escalation, information disclosure or remote code execution: an attacker would already need root to trigger a microcode load, so targeted exploitation is not a realistic concern. The practical risk is an ordinary microcode update destabilizing a host that has not yet received the kernel fix.

Mitigation Recommendations

European organizations should move affected hosts to a kernel that carries the fix, the commit titled "x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes"; distribution kernels that backport it reference CVE-2025-21991 in their changelogs. Prioritize AMD hosts whose topology has memory-only NUMA nodes: a node is CPU-less when its cpulist attribute under /sys/devices/system/node/node<N>/ is empty, and numactl -H lists such a node with no CPUs. Until those hosts are patched, schedule late microcode loads (writes to the microcode reload attribute in sysfs, which is the path in the reported trace) into maintenance windows rather than applying them live, and check dmesg for UBSAN, oops or warning output around each load so that an out-of-bounds access that did cause damage is noticed rather than left as an unexplained instability. Test kernel updates in a staging environment that reproduces the production NUMA layout, including the CPU-less nodes, since a lab without far memory will never exercise this code path. Building test kernels with CONFIG_UBSAN_BOUNDS=y catches this class of indexing error early; it is how this bug was found. Microcode loading is root-only by default; keep it that way, drive it through controlled automation rather than ad hoc writes, and keep backups and recovery procedures current so that a host destabilized during an update can be restored quickly.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2024-12-29T08:45:45.800Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9820c4522896dcbdd3db

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 6/27/2025, 11:54:42 PM

Last updated: 8/12/2025, 5:23:51 PM

Views: 27
