CVE-2025-21785: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21785 is a vulnerability discovered in the Linux kernel's ARM64 cache information handling system. The issue was identified in February 2025 and affects the cache information array population mechanism in the ARM64 architecture. The vulnerability stems from a bounds checking issue where the code does not properly account for cache levels with separate data and instruction caches (NVD).

The vulnerability exists in the ARM64 kernel's cacheinfo subsystem where the loop that detects and populates cache information has a bounds check on the array size but fails to account for cache levels with separate data/instructions cache. This could lead to an out-of-bounds write to the cacheinfo array. The issue originates from the initial implementation in commit 5d425c186537 ('arm64: kernel: add support for cpu cache information'). The CVSS v3.1 score for this vulnerability is 7.8 HIGH, with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow an attacker to perform an out-of-bounds write to the cacheinfo array, potentially leading to memory corruption. This could affect system stability and potentially lead to privilege escalation due to the kernel-level nature of the vulnerability (NVD).

A fix has been developed and committed to the Linux kernel that modifies the index increment logic to account for populated leaves instead of populated levels. The fix includes additional bounds checking before initializing cache information for separate data and instruction caches. The patch has been backported to multiple stable kernel versions (Kernel Patch).