CVE-2025-21991

Summary

In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask.

According to Documentation/admin-guide/mm/numaperf.rst:

"Some memory may share the same node as a CPU, and others are provided as memory only nodes."

Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".

On a machine with far memory (and therefore CPU-less NUMA nodes):

  • cpumask_of_node(nid) is 0
  • cpumask_first(0) is CONFIG_NR_CPUS
  • cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds

This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update.

When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat:

UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' […] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe

Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update.

[ bp: Massage commit message, fix typo. ]

Affected Software

VendorProductVersion RangeStatus
LinuxLinux979e197968a1e8f09bf0d706801dba4432f85ab3 < d509c4731090ebd9bbdb72c70a2d70003ae81f4faffected
LinuxLinux44a44b57e88f311c1415be1f567c50050913c149 < 985a536e04bbfffb1770df43c6470f635a6b1073affected
LinuxLinuxbe2710deaed3ab1402379a2ede30a3754fe6767a < 18b5d857c6496b78ead2fd10001b81ae32d30cacaffected
LinuxLinuxd576547f489c935b9897d4acf8beee3325dea8a5 < ec52240622c4d218d0240079b7c1d3ec2328a9f4affected
LinuxLinux7ff6edf4fef38ab404ee7861f257e28eaaeed35f < e686349cc19e800dac8971929089ba5ff59abfb0affected
LinuxLinux7ff6edf4fef38ab404ee7861f257e28eaaeed35f < 488ffc0cac38f203979f83634236ee53251ce593affected
LinuxLinux7ff6edf4fef38ab404ee7861f257e28eaaeed35f < 5ac295dfccb5b015493f86694fa13a0dde4d3665affected
LinuxLinux7ff6edf4fef38ab404ee7861f257e28eaaeed35f < e3e89178a9f4a80092578af3ff3c8478f9187d59affected
LinuxLinuxd6353e2fc12c5b8f00f86efa30ed73d2da2f77beaffected
LinuxLinux1b1e0eb1d2971a686b9f7bdc146115bcefcbb960affected
LinuxLinuxeaf5dea1eb8c2928554b3ca717575cbe232b843caffected
LinuxLinux5.4.235 < 5.4.292affected
LinuxLinux5.10.173 < 5.10.236affected
LinuxLinux5.15.99 < 5.15.180affected
LinuxLinux6.1.16 < 6.1.132affected
LinuxLinux4.14.308 < 4.15affected
LinuxLinux4.19.276 < 4.20affected
LinuxLinux6.2.3 < 6.3affected
LinuxLinux6.3affected
LinuxLinux0 < 6.3unaffected
LinuxLinux5.4.292 <= 5.4.*unaffected
LinuxLinux5.10.236 <= 5.10.*unaffected
LinuxLinux5.15.180 <= 5.15.*unaffected
LinuxLinux6.1.132 <= 6.1.*unaffected
LinuxLinux6.6.84 <= 6.6.*unaffected
LinuxLinux6.12.20 <= 6.12.*unaffected
LinuxLinux6.13.8 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References