CVE-2025-21991 Overview
CVE-2025-21991 is an out-of-bounds memory access vulnerability in the Linux kernel's AMD microcode loading mechanism. The flaw exists in the load_microcode_amd() function, which incorrectly iterates over all NUMA nodes without checking whether each node has associated CPUs. On systems with CPU-less NUMA nodes (such as those with far memory configurations), this leads to accessing the cpu_info per-CPU array at an out-of-bounds index, potentially causing memory corruption during microcode updates.
Critical Impact
Local attackers with privileged access can trigger out-of-bounds memory access during AMD microcode updates on systems with CPU-less NUMA nodes, potentially corrupting kernel memory and causing system instability.
Affected Products
- Linux Kernel (multiple versions prior to patch)
- Linux Kernel 6.14-rc1 through 6.14-rc6
- Systems with AMD processors and CPU-less NUMA nodes (far memory configurations)
Discovery Timeline
- April 2, 2025 - CVE-2025-21991 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-21991
Vulnerability Analysis
The vulnerability resides in the x86 microcode loading subsystem for AMD processors. The load_microcode_amd() function iterates over all NUMA nodes to determine which CPUs require microcode updates. However, the implementation fails to account for memory-only NUMA nodes that have no associated CPUs.
When the function encounters a CPU-less NUMA node, cpumask_of_node(nid) yields an empty mask (0), and cpumask_first() on that empty mask returns CONFIG_NR_CPUS (typically 512). The code then evaluates cpu_data(CONFIG_NR_CPUS), which indexes the cpu_info per-CPU array exactly one position past its last valid element.
While the vulnerability requires local privileged access (microcode flashing is a privileged operation), it poses reliability concerns as it can corrupt adjacent kernel memory during legitimate microcode update operations. This is particularly problematic on enterprise systems with complex NUMA topologies that include far memory or memory-only nodes.
Root Cause
The root cause is improper validation of NUMA node CPU masks before accessing per-CPU data structures. The load_microcode_amd() function assumes all NUMA nodes have at least one CPU, but this assumption is violated on systems with memory-only NUMA nodes as documented in Documentation/admin-guide/mm/numaperf.rst. The code lacks a boundary check to skip nodes with empty CPU masks.
Attack Vector
Exploitation requires local access with elevated privileges (typically root or CAP_SYS_RAWIO). The attack vector involves triggering a microcode update on an AMD system that has CPU-less NUMA nodes. This can occur through:
- Writing to the /sys/devices/system/cpu/microcode/reload sysfs interface
- Triggering automatic microcode loading during system boot
- Manual microcode update operations via the kernel interface
The UBSAN (Undefined Behavior Sanitizer) stack trace from the vulnerability disclosure shows the following call chain leading to the out-of-bounds access:
Call Trace:
dump_stack
__ubsan_handle_out_of_bounds
load_microcode_amd
request_microcode_amd
reload_store
kernfs_fop_write_iter
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
The fix modifies the loop to iterate only over NUMA nodes that have associated CPUs before checking whether the first CPU on each node requires a microcode update.
Detection Methods for CVE-2025-21991
Indicators of Compromise
- UBSAN warnings in kernel logs showing "array-index-out-of-bounds" in arch/x86/kernel/cpu/microcode/amd.c
- Kernel log messages indicating index 512 is out of range for type unsigned long[512]
- Unexpected system instability or memory corruption following microcode update operations on AMD systems
Detection Strategies
- Monitor kernel logs (dmesg) for UBSAN boundary violation warnings during microcode operations
- Enable CONFIG_UBSAN_BOUNDS=y in kernel configuration to detect out-of-bounds accesses at runtime
- Audit systems for NUMA configurations with memory-only nodes using the numactl --hardware command
Monitoring Recommendations
- Implement kernel log monitoring for UBSAN violations on AMD-based systems
- Track microcode reload events on systems with complex NUMA topologies
- Review system stability reports following AMD microcode updates
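The topology audit and kernel-log checks listed above can be combined into one triage pass. The script below is an added example, not code from the kernel or from this advisory's vendor: it reads each node's cpulist file under /sys/devices/system/node to find memory-only nodes, checks the CPU vendor, and counts UBSAN bounds reports that name the AMD microcode loader. The function names, the optional path arguments, and the sample tree built by make_sample are assumptions of the example.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-21991 (not kernel or vendor code).
# Function names and the root/cpuinfo/log arguments are assumptions of this
# example; defaults point at the live /sys and /proc/cpuinfo.

# Print the ids of NUMA nodes whose cpulist is empty (memory-only nodes).
cpuless_nodes() {
    for d in "${1:-/sys}"/devices/system/node/node[0-9]*; do
        [ -r "$d/cpulist" ] || continue
        if [ -z "$(tr -d '[:space:]' < "$d/cpulist")" ]; then
            echo "${d##*/node}"
        fi
    done
}

# Succeed if the cpuinfo file reports an AMD processor.
is_amd() {
    grep -q '^vendor_id[[:space:]]*:[[:space:]]*AuthenticAMD' "${1:-/proc/cpuinfo}"
}

# Count UBSAN bounds reports from the AMD microcode loader in a log on stdin.
ubsan_microcode_hits() {
    grep -c 'UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd\.c' || true
}

# One-line verdict: triage [sysfs_root] [cpuinfo] [saved_dmesg]
triage() {
    nodes=$(cpuless_nodes "${1:-/sys}" | tr '\n' ' ')
    hits=0
    if [ -n "${3:-}" ]; then hits=$(ubsan_microcode_hits < "$3"); fi
    if ! is_amd "${2:-/proc/cpuinfo}"; then echo "not-amd"
    elif [ -z "$nodes" ]; then echo "amd no-cpuless-nodes"
    else echo "amd cpuless-nodes=${nodes% } ubsan-hits=$hits"
    fi
}

# Constructed sample (node1 is memory-only; X:Y stands in for line:column).
make_sample() {
    s=$(mktemp -d)
    for n in 0 1 2; do mkdir -p "$s/devices/system/node/node$n"; done
    echo '0-7'  > "$s/devices/system/node/node0/cpulist"
    echo ''     > "$s/devices/system/node/node1/cpulist"
    echo '8-15' > "$s/devices/system/node/node2/cpulist"
    printf 'vendor_id\t: AuthenticAMD\n' > "$s/cpuinfo"
    echo 'UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y' > "$s/dmesg.txt"
    echo "$s"
}
```

On a live host, calling triage with no arguments reads /sys and /proc/cpuinfo; pass a saved dmesg capture as the third argument to include the log check. An "amd cpuless-nodes=..." verdict marks a host to prioritise for the patched kernel.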
How to Mitigate CVE-2025-21991
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix
- Avoid triggering manual microcode reloads on affected systems until patched
- Verify NUMA topology on AMD systems to identify those at risk using numactl --hardware
Patch Information
The Linux kernel maintainers have released patches across multiple stable kernel branches. The fix modifies the microcode loading loop to only iterate over NUMA nodes that have associated CPUs, preventing the out-of-bounds access.
Official kernel patches are available from the following commits:
- Kernel Commit 18b5d857c6496b78ead2fd10001b81ae32d30cac
- Kernel Commit 488ffc0cac38f203979f83634236ee53251ce593
- Kernel Commit 5ac295dfccb5b015493f86694fa13a0dde4d3665
- Kernel Commit 985a536e04bbfffb1770df43c6470f635a6b1073
Debian users should consult the Debian LTS Security Announcements for distribution-specific updates.
Workarounds
- Avoid initiating microcode reloads via the sysfs interface on vulnerable systems
- If NUMA nodes with far memory are not required, consider reconfiguring the system to exclude memory-only NUMA nodes
- Monitor systems for signs of memory corruption following any microcode update operations
# Check NUMA topology for CPU-less nodes
numactl --hardware
# Verify kernel version for patch status
uname -r
# Monitor kernel logs for UBSAN violations
dmesg | grep -i ubsan


