CVE-2025-71101 Overview
CVE-2025-71101 is an out-of-bounds array access vulnerability in the Linux kernel's hp-bioscfg driver. The vulnerability exists in the hp_populate_*_elements_from_package() functions which parse ACPI packages into internal data structures. These functions contain a bounds checking flaw that can allow access to memory outside the intended array boundaries.
Critical Impact
Kernel-level out-of-bounds array access in the hp-bioscfg driver could lead to memory corruption, information disclosure, or potential privilege escalation on affected HP systems.
Affected Products
- Linux kernel with hp-bioscfg driver (platform/x86)
- HP systems utilizing BIOS configuration via ACPI
Discovery Timeline
- 2026-01-13 - CVE-2025-71101 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-71101
Vulnerability Analysis
The vulnerability resides in the hp-bioscfg driver's ACPI package parsing functionality. Multiple functions including those handling enum, integer, order, password, and string objects are affected. These functions iterate through ACPI package elements using a for loop with an index variable elem that traverses through their respective object arrays.
The core issue emerges when processing multi-element fields such as PREREQUISITES and ENUM_POSSIBLE_VALUES. During processing, nested loops access array elements using expressions like enum_obj[elem + reqs] and enum_obj[elem + pos_values]. The original bounds checking only validated the base elem index but failed to account for the additional offset values (reqs or pos_values) that are added during element access. This oversight allows memory access beyond the allocated array boundaries when the combined index exceeds the array size.
Root Cause
The root cause is an incomplete bounds checking implementation in the ACPI package parsing functions. The validation logic verified only the loop index elem against array bounds, but when accessing elements at elem + offset positions, the combined index was not validated. This is a classic pattern for out-of-bounds vulnerabilities where computed indices bypass boundary checks.
Attack Vector
An attacker with local access could potentially craft or manipulate ACPI tables to trigger the out-of-bounds access. Since this vulnerability affects kernel-level code processing ACPI data, exploitation could occur during system initialization or when the hp-bioscfg driver parses maliciously crafted ACPI packages. The vulnerability requires local access or the ability to influence ACPI table contents.
The vulnerability mechanism involves the following pattern: when the driver processes ACPI packages with PREREQUISITES or ENUM_POSSIBLE_VALUES fields, nested iteration adds offset values to the current element index. Without proper validation of the computed index, the driver may read or write memory outside the intended array, potentially corrupting adjacent kernel memory structures.
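The base-index-only check described above, next to the combined-index check described under Patch Information, as an added user-space C model. It is not code from the hp-bioscfg driver or the kernel patches; the package layout and the names parse_values, check_combined and backing are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_VALUES 8          /* cap applied to the declared size */
#define ERR_TOO_SMALL (-1)
#define ADJ 0x5EC2E7          /* marker standing in for adjacent memory */

/* Constructed model (hypothetical, not driver code). Package layout:
 * slot 0 = declared number of values, slots 1.. = the values. `count` is
 * how many slots the package really has. Returns values copied or an error. */
static int parse_values(const int *pkg, size_t count, int check_combined,
                        int *out)
{
    size_t elem = 0, off, size;
    int copied = 0;

    if (count == 0)
        return ERR_TOO_SMALL;
    size = pkg[elem] < 0 ? 0 : (size_t)pkg[elem];
    if (size > MAX_VALUES)
        size = MAX_VALUES;
    elem++;                                   /* first value slot */

    for (off = 0; off < size; off++) {
        /* Flawed form validates only the base index; the corrected form
         * validates the index that is actually dereferenced. */
        size_t idx = check_combined ? elem + off : elem;
        if (idx >= count)
            return ERR_TOO_SMALL;
        out[copied++] = pkg[elem + off];
    }
    return copied;
}

/* The backing array is larger than the package so the overrun in this demo
 * stays inside it: slots 3..5 play the role of neighbouring memory. */
static const int backing[6] = { 4 /* claims 4 values */, 10, 20, ADJ, ADJ, ADJ };
#define PKG_COUNT 3           /* real package: size slot + 2 values */

int main(void)
{
    int out[MAX_VALUES];
    int n = parse_values(backing, PKG_COUNT, 0, out);
    printf("base-only check: copied %d, out[2]=%#x\n", n, (unsigned)out[2]);
    printf("combined check:  rc=%d\n", parse_values(backing, PKG_COUNT, 1, out));
    return 0;
}
```

With the base-only check the parser copies two marker values from beyond the three-slot package; with the combined check it rejects the package as too small.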
Detection Methods for CVE-2025-71101
Indicators of Compromise
- Unexpected kernel crashes or panics in the hp-bioscfg driver
- Kernel log entries indicating memory access violations in hp_populate_*_elements_from_package() functions
- KASAN (Kernel Address Sanitizer) reports showing out-of-bounds access in the hp-bioscfg module
Detection Strategies
- Enable KASAN in kernel builds to detect out-of-bounds memory access attempts
- Monitor kernel logs for warnings or errors from the hp-bioscfg driver subsystem
- Use static analysis tools to scan for similar bounds checking issues in kernel drivers
Monitoring Recommendations
- Implement kernel logging for ACPI parsing errors and anomalies
- Deploy endpoint detection solutions capable of monitoring kernel-level memory operations
- Enable kernel crash dump analysis to identify exploitation attempts
How to Mitigate CVE-2025-71101
Immediate Actions Required
- Update the Linux kernel to a patched version containing the security fix
- If updating is not immediately possible, consider disabling the hp-bioscfg driver on affected systems
- Review and restrict physical access to affected systems to limit ACPI manipulation risks
Patch Information
The vulnerability has been resolved in the Linux kernel stable tree. The fix modifies the bounds checking logic to validate the actual computed index (elem + offset) rather than just the base index. Patches are available through the following kernel git commits:
- Kernel Git Commit 79cab730
- Kernel Git Commit cf7ae870
- Kernel Git Commit db4c26ad
- Kernel Git Commit e44c42c8
Workarounds
- Blacklist the hp-bioscfg module if BIOS configuration functionality is not required
- Implement additional access controls on systems where the driver must remain active
- Monitor for abnormal ACPI-related activity on HP systems
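# Configuration example (run as root)
# Blacklist the hp-bioscfg driver if it is not needed; the entry persists until the file is removed
# Note: "blacklist" only stops automatic loading by alias; an explicit modprobe still loads the module
echo "blacklist hp-bioscfg" >> /etc/modprobe.d/blacklist-hp-bioscfg.conf
# Unload the module if currently loaded
modprobe -r hp-bioscfg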

