{"id":"CVE-2025-21991","summary":"x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n  \"Some memory may share the same node as a CPU, and others are provided as\n  memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn't have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n  index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n  index 512 is out of range for type 'unsigned long[512]'\n  [...]\n  Call Trace:\n   dump_stack\n   __ubsan_handle_out_of_bounds\n   load_microcode_amd\n   request_microcode_amd\n   reload_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n  [ bp: Massage commit message, fix typo. ]","modified":"2026-04-16T04:35:33.691712824Z","published":"2025-04-02T12:53:14.230Z","related":["ALSA-2025:10371","ALSA-2025:10837","ALSA-2025:11298","ALSA-2025:11299","SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20206-1","SUSE-SU-2025:20270-1","SUSE-SU-2025:20283-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21991.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/18b5d857c6496b78ead2fd10001b81ae32d30cac"},{"type":"WEB","url":"https://git.kernel.org/stable/c/488ffc0cac38f203979f83634236ee53251ce593"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ac295dfccb5b015493f86694fa13a0dde4d3665"},{"type":"WEB","url":"https://git.kernel.org/stable/c/985a536e04bbfffb1770df43c6470f635a6b1073"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d509c4731090ebd9bbdb72c70a2d70003ae81f4f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e3e89178a9f4a80092578af3ff3c8478f9187d59"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e686349cc19e800dac8971929089ba5ff59abfb0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ec52240622c4d218d0240079b7c1d3ec2328a9f4"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/21xxx/CVE-2025-21991.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21991"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"979e197968a1e8f09bf0d706801dba4432f85ab3"},{"fixed":"d509c4731090ebd9bbdb72c70a2d70003ae81f4f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"44a44b57e88f311c1415be1f567c50050913c149"},{"fixed":"985a536e04bbfffb1770df43c6470f635a6b1073"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"be2710deaed3ab1402379a2ede30a3754fe6767a"},{"fixed":"18b5d857c6496b78ead2fd10001b81ae32d30cac"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d576547f489c935b9897d4acf8beee3325dea8a5"},{"fixed":"ec52240622c4d218d0240079b7c1d3ec2328a9f4"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"7ff6edf4fef38ab404ee7861f257e28eaaeed35f"},{"fixed":"e686349cc19e800dac8971929089ba5ff59abfb0"},{"fixed":"488ffc0cac38f203979f83634236ee53251ce593"},{"fixed":"5ac295dfccb5b015493f86694fa13a0dde4d3665"},{"fixed":"e3e89178a9f4a80092578af3ff3c8478f9187d59"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"d6353e2fc12c5b8f00f86efa30ed73d2da2f77be"},{"last_affected":"1b1e0eb1d2971a686b9f7bdc146115bcefcbb960"},{"last_affected":"eaf5dea1eb8c2928554b3ca717575cbe232b843c"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-21991.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}