CVE-2025-21991

EUVD-2025-9538
In the Linux kernel, the following vulnerability has been resolved:

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their
CPU masks and unconditionally accesses per-CPU data for the first CPU of each
mask.

According to Documentation/admin-guide/mm/numaperf.rst:

  "Some memory may share the same node as a CPU, and others are provided as
  memory only nodes."

Therefore, some node CPU masks may be empty and wouldn't have a "first CPU".

On a machine with far memory (and therefore CPU-less NUMA nodes):
- cpumask_of_node(nid) is 0
- cpumask_first(0) is CONFIG_NR_CPUS
- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an
  index that is 1 out of bounds

This does not have any security implications since flashing microcode is
a privileged operation but I believe this has reliability implications by
potentially corrupting memory while flashing a microcode update.

When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes
a microcode update. I get the following splat:

  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y
  index 512 is out of range for type 'unsigned long[512]'
  [...]
  Call Trace:
   dump_stack
   __ubsan_handle_out_of_bounds
   load_microcode_amd
   request_microcode_amd
   reload_store
   kernfs_fop_write_iter
   vfs_write
   ksys_write
   do_syscall_64
   entry_SYSCALL_64_after_hwframe

Change the loop to go over only NUMA nodes which have CPUs before determining
whether the first CPU on the respective node needs microcode update.

  [ bp: Massage commit message, fix typo. ]
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
4.14.308 ≤
𝑥
< 4.15
linuxlinux_kernel
4.19.276 ≤
𝑥
< 4.20
linuxlinux_kernel
5.4.235 ≤
𝑥
< 5.5
linuxlinux_kernel
5.10.173 ≤
𝑥
< 5.11
linuxlinux_kernel
5.15.99 ≤
𝑥
< 5.16
linuxlinux_kernel
6.1.16 ≤
𝑥
< 6.1.132
linuxlinux_kernel
6.2.3 ≤
𝑥
< 6.6.84
linuxlinux_kernel
6.7 ≤
𝑥
< 6.12.20
linuxlinux_kernel
6.13 ≤
𝑥
< 6.13.8
linuxlinux_kernel
6.14:rc1
linuxlinux_kernel
6.14:rc2
linuxlinux_kernel
6.14:rc3
linuxlinux_kernel
6.14:rc4
linuxlinux_kernel
6.14:rc5
linuxlinux_kernel
6.14:rc6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
vulnerable
bullseye (security)
5.10.257-1
fixed
forky
7.0.10-1
fixed
sid
7.0.10-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.90-2
fixed
linux-6.1
bullseye (security)
6.1.174-1~deb11u1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
kernel-64kb
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-default
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-default-base
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1.150600.12.22.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1.150600.12.22.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1.150600.12.22.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1.150700.17.2.1
fixed
kernel-docs
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-macros
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-obs-build
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-source-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-syms
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
kernel-syms-azure
suse enterprise sap 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.20.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.8.37.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.20.3.1
fixed
kernel-zfcpdump
suse enterprise desktop 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise desktop 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise sap 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise sap 15 SP7
6.4.0-150700.53.3.1
fixed
suse enterprise server 15 SP6
6.4.0-150600.23.50.1
fixed
suse enterprise server 15 SP7
6.4.0-150700.53.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
bpftool
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
kernel
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-devel
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-devel-matched
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-modules
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-debug-modules-extra
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-devel
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-devel-matched
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-modules
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-64k-modules-extra
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-abi-stablelists
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-core
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-core
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-devel
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-devel-matched
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-modules
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-modules-extra
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-debug-uki-virt
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-devel
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-devel-matched
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-doc
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-modules
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-modules-extra
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug-devel
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug-modules
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-debug-modules-extra
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-devel
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-modules
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-64k-modules-extra
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-core
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-core
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-devel
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-kvm
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-modules
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-debug-modules-extra
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-devel
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-kvm
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-modules
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-rt-modules-extra
RHEL 8
0:4.18.0-553.62.1.rt7.403.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-tools
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-tools-libs
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-tools-libs-devel
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-uki-virt
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-uki-virt-addons
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-core
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-devel
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-devel-matched
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-modules
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-modules-core
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
kernel-zfcpdump-modules-extra
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
libperf
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
perf
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
python3-perf
RHEL 8
0:4.18.0-553.62.1.el8_10
fixed
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
rtla
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
rv
RHEL 9
0:5.14.0-570.26.1.el9_6
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac
https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593
https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665
https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073
https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f
https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59
https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0
https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4
https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html