Memory Corruption Vulnerability in AMD Microcode Handling for Linux Kernel
CVE-2025-21991
Summary
A vulnerability has been identified in the AMD microcode handling in the Linux kernel. It occurs while microcode is loaded across NUMA nodes and one of those nodes has no CPUs. The function load_microcode_amd() accesses CPU data on the assumption that every node has a first CPU, which can lead to an out-of-bounds memory access when a NUMA node has no CPUs. Although the issue lacks direct security implications, it poses a significant risk to system stability and reliability when flashing microcode updates, potentially resulting in memory corruption. The fix refines the iteration so that only NUMA nodes with CPUs are considered, which prevents the out-of-bounds access.
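The pattern described above, as an added user-space model (not the kernel's code): a "first CPU" lookup on an empty node mask yields an index past the per-CPU array, and skipping CPU-less nodes avoids it. The topology, array and function names are constructed for illustration; only the behaviour of returning a value at or above the CPU count for an empty mask mirrors the kernel's cpumask_first().

```c
#include <stdio.h>

/* Constructed topology: 4 CPUs, 3 NUMA nodes, node 1 is memory-only (no CPUs). */
#define NR_CPUS  4
#define NR_NODES 3

static const unsigned node_cpumask[NR_NODES] = { 0x3, 0x0, 0xC };
static int cpu_family[NR_CPUS] = { 0x19, 0x19, 0x19, 0x19 }; /* stand-in for per-CPU data */

/* Like the kernel's cpumask_first(): returns a value >= NR_CPUS when no bit is set. */
static unsigned mask_first(unsigned mask)
{
    for (unsigned cpu = 0; cpu < NR_CPUS; cpu++)
        if (mask & (1u << cpu))
            return cpu;
    return NR_CPUS;
}

/* Pre-fix pattern: visit every node and trust its "first CPU".
 * Returns how many nodes would index cpu_family[] out of bounds; the index is
 * checked instead of dereferenced so this model stays well-defined. */
int unchecked_walk_oob_count(void)
{
    int oob = 0;
    for (int nid = 0; nid < NR_NODES; nid++) {
        unsigned cpu = mask_first(node_cpumask[nid]);
        if (cpu >= NR_CPUS)
            oob++; /* the unchecked code would read per-CPU data past the end here */
    }
    return oob;
}

/* Fixed pattern: only nodes that have CPUs are considered.
 * Returns the number of nodes processed, or -1 if an index is still invalid. */
int checked_walk(void)
{
    int processed = 0;
    for (int nid = 0; nid < NR_NODES; nid++) {
        if (node_cpumask[nid] == 0)
            continue; /* CPU-less node: nothing to look up */
        unsigned cpu = mask_first(node_cpumask[nid]);
        if (cpu >= NR_CPUS)
            return -1;
        if (cpu_family[cpu] != 0) /* in-bounds read of the node's first CPU */
            processed++;
    }
    return processed;
}

int main(void)
{
    printf("unchecked walk: %d out-of-bounds index(es)\n", unchecked_walk_oob_count());
    printf("checked walk:   %d node(s) processed\n", checked_walk());
    return 0;
}
```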
Affected Version(s)
Linux 979e197968a1e8f09bf0d706801dba4432f85ab3
Linux 44a44b57e88f311c1415be1f567c50050913c149 < 985a536e04bbfffb1770df43c6470f635a6b1073
Linux be2710deaed3ab1402379a2ede30a3754fe6767a < 18b5d857c6496b78ead2fd10001b81ae32d30cac