CVE-2025-21687 Overview
CVE-2025-21687 is an out-of-bounds read/write vulnerability in the Linux kernel's vfio/platform subsystem. The flaw exists because the count and offset parameters passed from user space to read and write syscalls are not properly validated. Only the offset value is capped to 40 bits, leaving the count parameter unchecked. A local authenticated user with access to a VFIO platform device can craft syscalls that read or write outside the bounds of the device memory region. The issue is classified as [CWE-125] Out-of-bounds Read and affects Linux kernel branches up to and including the 6.13 release candidates.
Critical Impact
A local attacker with low privileges can read or write memory outside the intended VFIO platform device boundaries, potentially leading to information disclosure, kernel memory corruption, or privilege escalation.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix)
- Linux Kernel 6.13 (including release candidates rc1 through rc7)
- Debian distributions referenced in Debian LTS advisories from March 2025
Discovery Timeline
- 2025-02-10 - CVE-2025-21687 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-21687
Vulnerability Analysis
The vulnerability resides in the Linux kernel's Virtual Function I/O (VFIO) platform driver, which provides userspace direct access to platform devices for driver development and virtualization workloads. The driver exposes read and write file operations that accept a buffer pointer, a count length, and an offset from user space.
The pre-patch implementation only enforces an upper bound on offset by masking it to 40 bits. The count argument is never validated against the actual size of the underlying device memory region. As a result, a user with permission to open the VFIO device file can issue syscalls that begin at a valid offset but extend beyond the mapped device region.
Because VFIO platform devices commonly map memory-mapped I/O (MMIO) regions belonging to physical hardware, an out-of-bounds access can touch adjacent kernel memory or unrelated device registers. This can disclose sensitive kernel data, corrupt device state, or be leveraged as a primitive for further privilege escalation.
Root Cause
The root cause is missing bounds validation, tracked as [CWE-125] Out-of-bounds Read, in the VFIO platform driver's read and write handlers. The code path checks the offset but does not verify that offset + count remains within the bounds of the device memory region. The patch series adds explicit bounds checking to ensure both parameters fall within the allocated device range before any access is performed.
Attack Vector
Exploitation requires local access and permission to interact with a VFIO platform device node, typically /dev/vfio/*. An attacker with such access invokes read() or write() syscalls with a carefully chosen count value that causes the kernel to traverse past the device region. No user interaction is required, and the attack complexity is low. The impact spans confidentiality, integrity, and availability, since attackers can both read and write out-of-bounds memory.
No public proof-of-concept exploit code has been published, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability remains low at the time of analysis.
Detection Methods for CVE-2025-21687
Indicators of Compromise
- Unexpected user processes opening /dev/vfio/* device nodes on systems that do not normally use VFIO passthrough.
- Kernel log entries showing unusual read or write activity, oops messages, or page faults referencing the vfio_platform module.
- Anomalous syscall patterns where read() or write() to a VFIO file descriptor uses very large count values relative to the device size.
Detection Strategies
- Audit systems for the presence and load state of the vfio_platform kernel module using lsmod | grep vfio_platform (lsmod lists only loadable modules; a driver built into the kernel image will not appear there).
- Enable kernel auditing via auditd to log open, read, and write syscalls targeting VFIO device files by non-root or unexpected accounts. Note that read() and write() take a file descriptor rather than a path, so path-based audit rules reliably capture the open of the device node but not the subsequent reads and writes on it.
- Compare installed kernel versions against the fixed commits referenced in the kernel.org stable tree patches.
Monitoring Recommendations
- Monitor for kernel crashes, oops events, or KASAN reports referencing vfio_platform_read or vfio_platform_write handlers.
- Track which users and containers are granted access to VFIO device nodes and alert on new grants outside change-control windows.
- Forward kernel and audit logs to a centralized SIEM to correlate VFIO syscall anomalies with privilege escalation indicators.
How to Mitigate CVE-2025-21687
Immediate Actions Required
- Apply the latest stable Linux kernel update from your distribution vendor that includes the bounds-checking fix for the VFIO platform driver.
- On Debian systems, install the kernel updates announced in the Debian LTS Announcement March 2025 and the follow-up advisory.
- Restrict access to VFIO device nodes so that only trusted virtualization services and administrators can open them.
Patch Information
The Linux kernel maintainers released fixes across multiple stable branches. The patch adds explicit validation so that both count and offset are checked against the device region size before any read or write operation. Reference commits include f21636f2, a20fcaa2, c981c32c, and d19a8650. Administrators should select the patch matching their kernel branch and rebuild or install the corresponding distribution package.
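As an added illustration of the root cause and of the fix described above (a simplified model written for this page, not the kernel's own code), the pre-patch acceptance logic that only masks the offset is shown beside a hardened check that validates both offset and count against the region size; the region size, offsets and counts are constructed values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* 40-bit offset mask: the only limit the pre-patch handler applied (per the text). */
#define OFFSET_MASK ((1ULL << 40) - 1)

/* Pre-patch style acceptance: masks the offset, never consults the region
 * size, and passes count straight through. Returns the byte count the
 * handler would go on to access. (Model of the logic, not kernel code.) */
int64_t prepatch_accepted_len(uint64_t region_size, uint64_t off, uint64_t count)
{
    (void)region_size;          /* never consulted: this is the defect */
    off &= OFFSET_MASK;
    return (int64_t)count;      /* off + count may exceed region_size */
}

/* Hardened acceptance: reject offsets at or beyond the end of the region,
 * then clamp count to the bytes that remain. region_size - off cannot
 * overflow once off < region_size, unlike a naive off + count > size test. */
int64_t hardened_accepted_len(uint64_t region_size, uint64_t off, uint64_t count)
{
    if (off >= region_size)
        return -EINVAL;
    uint64_t remaining = region_size - off;
    if (count > remaining)
        count = remaining;      /* a stricter policy could return -EINVAL instead */
    return (int64_t)count;
}

/* 1 when an accepted request [off, off + len) stays within the region, else 0. */
int access_in_bounds(uint64_t region_size, uint64_t off, int64_t len)
{
    if (len < 0)
        return 1;               /* request was rejected; nothing is accessed */
    return off < region_size && (uint64_t)len <= region_size - off;
}

int main(void)
{
    const uint64_t size = 0x1000;         /* constructed 4 KiB device window */
    const uint64_t off = 0xff0, count = 0x100;
    int64_t pre = prepatch_accepted_len(size, off, count);
    int64_t hard = hardened_accepted_len(size, off, count);
    printf("pre-patch: accepts %lld bytes at 0x%llx, in bounds: %d\n",
           (long long)pre, (unsigned long long)off, access_in_bounds(size, off, pre));
    printf("hardened:  accepts %lld bytes at 0x%llx, in bounds: %d\n",
           (long long)hard, (unsigned long long)off, access_in_bounds(size, off, hard));
    return 0;
}
```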
Workarounds
- On systems that do not require platform device passthrough, unload the vfio_platform module with modprobe -r vfio_platform.
- Blacklist the vfio_platform module in /etc/modprobe.d/ to prevent it from loading at boot when passthrough is not needed.
- Tighten permissions on /dev/vfio/* so that only specific service accounts can access platform device nodes, reducing the local attack surface.
# Configuration example: disable vfio_platform on systems that do not need it
echo "blacklist vfio_platform" | sudo tee /etc/modprobe.d/blacklist-vfio-platform.conf
sudo modprobe -r vfio_platform 2>/dev/null || true
# Verify the module is no longer loaded
lsmod | grep vfio_platform || echo "vfio_platform not loaded"
# Confirm the running kernel version against the patched release for your distribution
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.