{"id":"AZL-59843","summary":"CVE-2025-21991 affecting package kernel for versions less than 6.6.85.1-2","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes\n\nCurrently, load_microcode_amd() iterates over all NUMA nodes, retrieves their\nCPU masks and unconditionally accesses per-CPU data for the first CPU of each\nmask.\n\nAccording to Documentation/admin-guide/mm/numaperf.rst:\n\n  \"Some memory may share the same node as a CPU, and others are provided as\n  memory only nodes.\"\n\nTherefore, some node CPU masks may be empty and wouldn't have a \"first CPU\".\n\nOn a machine with far memory (and therefore CPU-less NUMA nodes):\n- cpumask_of_node(nid) is 0\n- cpumask_first(0) is CONFIG_NR_CPUS\n- cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an\n  index that is 1 out of bounds\n\nThis does not have any security implications since flashing microcode is\na privileged operation but I believe this has reliability implications by\npotentially corrupting memory while flashing a microcode update.\n\nWhen booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes\na microcode update. I get the following splat:\n\n  UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y\n  index 512 is out of range for type 'unsigned long[512]'\n  [...]\n  Call Trace:\n   dump_stack\n   __ubsan_handle_out_of_bounds\n   load_microcode_amd\n   request_microcode_amd\n   reload_store\n   kernfs_fop_write_iter\n   vfs_write\n   ksys_write\n   do_syscall_64\n   entry_SYSCALL_64_after_hwframe\n\nChange the loop to go over only NUMA nodes which have CPUs before determining\nwhether the first CPU on the respective node needs microcode update.\n\n  [ bp: Massage commit message, fix typo. ]","modified":"2026-04-01T05:19:33.030680Z","published":"2025-04-02T13:15:43Z","upstream":["CVE-2025-21991"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21991"}],"affected":[{"package":{"name":"kernel","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/kernel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.6.85.1-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-59843.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}