{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21991","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.800Z","datePublished":"2025-04-02T12:53:14.230Z","dateUpdated":"2026-05-11T21:10:31.756Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:10:31.756Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n  \"Some memory may share the same node as a CPU, and others are provided as\n  memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn't have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n  index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n  index 512 is out of range for type 'unsigned long[512]'\n  [...]\n  Call Trace:\n   dump_stack\n   __ubsan_handle_out_of_bounds\n   load_microcode_amd\n   request_microcode_amd\n   reload_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n  [ bp: Massage commit message, fix typo. ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kernel/cpu/microcode/amd.c"],"versions":[{"version":"979e197968a1e8f09bf0d706801dba4432f85ab3","lessThan":"d509c4731090ebd9bbdb72c70a2d70003ae81f4f","status":"affected","versionType":"git"},{"version":"44a44b57e88f311c1415be1f567c50050913c149","lessThan":"985a536e04bbfffb1770df43c6470f635a6b1073","status":"affected","versionType":"git"},{"version":"be2710deaed3ab1402379a2ede30a3754fe6767a","lessThan":"18b5d857c6496b78ead2fd10001b81ae32d30cac","status":"affected","versionType":"git"},{"version":"d576547f489c935b9897d4acf8beee3325dea8a5","lessThan":"ec52240622c4d218d0240079b7c1d3ec2328a9f4","status":"affected","versionType":"git"},{"version":"7ff6edf4fef38ab404ee7861f257e28eaaeed35f","lessThan":"e686349cc19e800dac8971929089ba5ff59abfb0","status":"affected","versionType":"git"},{"version":"7ff6edf4fef38ab404ee7861f257e28eaaeed35f","lessThan":"488ffc0cac38f203979f83634236ee53251ce593","status":"affected","versionType":"git"},{"version":"7ff6edf4fef38ab404ee7861f257e28eaaeed35f","lessThan":"5ac295dfccb5b015493f86694fa13a0dde4d3665","status":"affected","versionType":"git"},{"version":"7ff6edf4fef38ab404ee7861f257e28eaaeed35f","lessThan":"e3e89178a9f4a80092578af3ff3c8478f9187d59","status":"affected","versionType":"git"},{"version":"d6353e2fc12c5b8f00f86efa30ed73d2da2f77be","status":"affected","versionType":"git"},{"version":"1b1e0eb1d2971a686b9f7bdc146115bcefcbb960","status":"affected","versionType":"git"},{"version":"eaf5dea1eb8c2928554b3ca717575cbe232b843c","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kernel/cpu/microcode/amd.c"],"versions":[{"version":"6.3","status":"affected"},{"version":"0","lessThan":"6.3","status":"unaffected","versionType":"semver"},{"version":"5.4.292","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.236","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.180","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.132","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.84","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.20","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.8","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.235","versionEndExcluding":"5.4.292"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.173","versionEndExcluding":"5.10.236"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.99","versionEndExcluding":"5.15.180"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.16","versionEndExcluding":"6.1.132"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.6.84"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.12.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.13.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.3","versionEndExcluding":"6.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.14.308"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.276"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.3"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f"},{"url":"https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073"},{"url":"https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac"},{"url":"https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4"},{"url":"https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0"},{"url":"https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593"},{"url":"https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665"},{"url":"https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59"}],"title":"x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-129","lang":"en","description":"CWE-129 Improper Validation of Array Index"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.8,"attackVector":"LOCAL","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-10-01T17:13:39.419226Z","id":"CVE-2025-21991","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T17:13:42.269Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:40:28.243Z"}}]}}