LiveActive security incident?Get immediate response
CVE Record

CVE-2025-21991: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes Currently, load_microcode_amd() iterates over all NUMA nodes, retrieves their CPU masks and unconditionally accesses per-CPU data for the first CPU of each mask. According to Documentation/admin-guide/mm/numaperf.rst: "Some memory may share the same node as a CPU, and others are provided as memory only nodes." Therefore, some node CPU masks may be empty and wouldn't have a "first CPU". On a machine with far memory (and therefore CPU-less NUMA nodes): - cpumask_of_node(nid) is 0 - cpumask_first(0) is CONFIG_NR_CPUS - cpu_data(CONFIG_NR_CPUS) accesses the cpu_info per-CPU array at an index that is 1 out of bounds This does not have any security implications since flashing microcode is a privileged operation but I believe this has reliability implications by potentially corrupting memory while flashing a microcode update. When booting with CONFIG_UBSAN_BOUNDS=y on an AMD machine that flashes a microcode update. I get the following splat: UBSAN: array-index-out-of-bounds in arch/x86/kernel/cpu/microcode/amd.c:X:Y index 512 is out of range for type 'unsigned long[512]' [...] Call Trace: dump_stack __ubsan_handle_out_of_bounds load_microcode_amd request_microcode_amd reload_store kernfs_fop_write_iter vfs_write ksys_write do_syscall_64 entry_SYSCALL_64_after_hwframe Change the loop to go over only NUMA nodes which have CPUs before determining whether the first CPU on the respective node needs microcode update. [ bp: Massage commit message, fix typo. ]

HighCVSS 7.8Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-21991 is a Linux kernel AMD microcode update bug. On AMD systems with CPU-less NUMA memory nodes, the kernel can read one entry past a CPU data array during microcode loading. The source states this is mainly a reliability risk, not a direct security issue, because microcode flashing is privileged.

Executive priority

Handle through the normal high-priority kernel patch process, with faster attention for AMD servers using advanced NUMA or far-memory configurations. There is no source-supported evidence of active exploitation, but kernel memory corruption during maintenance operations can create operational risk.

Technical view

The AMD microcode loader iterated all NUMA nodes and assumed each node had at least one CPU. For CPU-less NUMA nodes, cpumask_first() can return CONFIG_NR_CPUS, causing cpu_data(CONFIG_NR_CPUS) to access beyond the per-CPU array. The fix limits the loop to NUMA nodes that have CPUs.

Likely exposure

Exposure is likely limited to Linux systems on AMD hardware with CPU-less NUMA nodes, such as far-memory configurations, when AMD microcode update loading is used. The affected version data in the bundle includes multiple Linux stable branches; distribution kernel backports must be checked separately.

Exploitation context

The bundle reports no KEV listing and provides no evidence of active exploitation. The kernel description says microcode flashing is privileged and frames the issue as reliability-focused memory corruption during a microcode update path, not a practical remote attack vector.

Researcher notes

The key condition is an empty CPU mask for a NUMA node during load_microcode_amd(). The source bundle’s CVSS is high, but the upstream text explicitly says there are no security implications because microcode flashing is privileged. Treat exploitability evidence as incomplete and validate against vendor kernels.

Mitigation direction

  • Update affected Linux kernels to vendor-supported fixed builds.
  • Check Linux distribution advisories for backported fixes.
  • Prioritize AMD NUMA or far-memory systems using microcode updates.
  • Avoid direct wrangler-style deploy assumptions; follow vendor kernel update guidance.
  • Monitor Debian LTS and kernel stable advisories for package status.

Validation and detection

  • Inventory AMD Linux hosts and kernel versions.
  • Identify systems with NUMA nodes that have memory but no CPUs.
  • Confirm installed kernel includes the relevant stable fix.
  • Review boot or update logs for UBSAN out-of-bounds reports.
  • Verify distribution package advisories mark the kernel fixed.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-129: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-21991 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.8CVSS 3.1HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H1.85.9CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

7.8High
CVSS 3.1 vector shape for CVE-2025-21991Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux979e197968a1e8f09bf0d706801dba4432f85ab3, 44a44b57e88f311c1415be1f567c50050913c149, be2710deaed3ab1402379a2ede30a3754fe6767a, d576547f489c935b9897d4acf8beee3325dea8a5, 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, 7ff6edf4fef38ab404ee7861f257e28eaaeed35f, d6353e2fc12c5b8f00f86efa30ed73d2da2f77be, 1b1e0eb1d2971a686b9f7bdc146115bcefcbb960, eaf5dea1eb8c2928554b3ca717575cbe232b843c, 5.4.235, 5.10.173, 5.15.99, 6.1.16, 4.14.308, 4.19.276, 6.2.3unaffected
LinuxLinux6.3, 0, 5.4.292, 5.10.236, 5.15.180, 6.1.132, 6.6.84, 6.12.20, 6.13.8, 6.14affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-129 · source CWE mapping

Improper Validation of Array Index

Improper Validation of Array Index represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.