CVE-2025-21785 Overview
CVE-2025-21785 is an out-of-bounds write vulnerability discovered in the Linux kernel's arm64 architecture cacheinfo subsystem. The vulnerability exists in the cache information detection and population loop, which fails to properly account for cache levels that have separate data and instruction caches. This boundary checking flaw allows writing beyond the allocated cacheinfo array when processing systems with split L1 caches.
Critical Impact
Local attackers with low privileges can exploit this out-of-bounds write to potentially achieve code execution, corrupt kernel memory, or cause system instability on arm64-based Linux systems.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.14-rc1
- Linux Kernel 6.14-rc2
Discovery Timeline
- February 27, 2025 - CVE-2025-21785 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21785
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-bounds Write) and affects the arm64 cacheinfo subsystem in the Linux kernel. The flaw occurs during the kernel's cache topology enumeration process, which runs during system initialization on arm64 platforms.
When the kernel detects cache hierarchy information, it iterates through cache levels to populate a cacheinfo array. The existing bounds check protects against exceeding the array size based on the number of cache levels detected. However, the logic fails to account for scenarios where a single cache level contains both separate instruction and data caches (split cache architecture), which requires two array entries rather than one.
On arm64 systems with split L1 caches (separate L1 instruction cache and L1 data cache), the loop may write beyond the allocated array bounds. This memory corruption can lead to kernel data structure corruption, privilege escalation, or system crashes depending on what adjacent memory is overwritten.
Root Cause
The root cause is an incorrect index increment strategy in the cacheinfo population loop. The original code incremented the array index once per cache level detected, regardless of whether that level contained a unified cache or separate instruction/data caches. The fix modifies the loop to increment the index for each populated leaf (individual cache entry) rather than for each populated cache level, ensuring the array bounds are properly respected.
Attack Vector
This is a local attack vector vulnerability that requires low-privilege access to the system. An attacker with local access to an arm64 Linux system running a vulnerable kernel version could potentially trigger this condition through interactions with the cacheinfo sysfs interface or during specific kernel operations involving cache topology enumeration. The vulnerability requires no user interaction and operates within a local scope, potentially impacting confidentiality, integrity, and availability of the system.
Detection Methods for CVE-2025-21785
Indicators of Compromise
- Unexpected kernel panics or crashes on arm64 systems, particularly during boot or when accessing /sys/devices/system/cpu/cpu*/cache/ entries
- Kernel log messages indicating memory corruption or invalid memory access in cacheinfo-related functions
- System instability on arm64 platforms with split L1 cache configurations
- Anomalous behavior during CPU hotplug operations on affected arm64 systems
Detection Strategies
- Monitor kernel logs for oops or panic messages referencing cacheinfo, cache_leaves_are_shared, or related arm64 cache functions
- Deploy kernel debugging tools such as KASAN (Kernel Address Sanitizer) to detect out-of-bounds memory accesses
- Audit running kernel versions against known patched versions to identify vulnerable systems
- Use SentinelOne's Linux agent to monitor for exploitation attempts and anomalous kernel behavior
Monitoring Recommendations
- Enable kernel debugging features including CONFIG_KASAN in development and testing environments to catch out-of-bounds writes
- Implement centralized logging for kernel messages across arm64 infrastructure to identify patterns of exploitation attempts
- Monitor for unusual access patterns to cache sysfs entries that could indicate exploitation attempts
- Deploy runtime kernel integrity monitoring to detect memory corruption in kernel data structures
How to Mitigate CVE-2025-21785
Immediate Actions Required
- Update affected Linux kernel installations to patched versions as identified in the vendor advisories
- Prioritize patching arm64-based systems, including servers, embedded devices, and container hosts
- For systems that cannot be immediately patched, consider restricting local user access to minimize attack surface
- Review system logs for any evidence of exploitation prior to patching
Patch Information
Linux kernel maintainers have released patches addressing this vulnerability across multiple stable branches. The fix modifies the cacheinfo population loop to correctly increment the array index for each populated cache leaf rather than each cache level, preventing the out-of-bounds write condition.
Patched commits are available from the official kernel git repository:
- Kernel Patch 4ff25f0b18d1
- Kernel Patch 67b99a2b5811
- Kernel Patch 715eb1af6477
- Kernel Patch 875d742cf532
- Kernel Patch ab90894f33c1
Debian users should reference the Debian LTS Security Announcements for distribution-specific patched packages.
Workarounds
- Limit local system access to trusted users only, as exploitation requires local privileges
- Consider disabling non-essential services on arm64 systems to reduce attack surface until patching is complete
- Implement mandatory access controls (SELinux, AppArmor) to restrict access to sensitive kernel interfaces
- Monitor and alert on suspicious local user activity targeting kernel cache interfaces
# Check current kernel version on arm64 systems
uname -r
# Verify arm64 architecture
uname -m
# Check for available kernel updates on Debian-based systems
apt update && apt list --upgradable | grep linux-image
# Apply kernel updates
apt upgrade linux-image-$(uname -r | cut -d- -f1-2)-arm64
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
