CVE-2025-21991: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21991 is a vulnerability discovered in the Linux kernel affecting the AMD microcode loading functionality. The issue was disclosed on April 2, 2025, and involves an out-of-bounds condition that occurs on systems with CPU-less NUMA nodes (NVD). The vulnerability affects multiple versions of the Linux kernel, including versions from 4.14.308 to 6.13.8.

The vulnerability exists in the loadmicrocodeamd() function which iterates over all NUMA nodes and retrieves their CPU masks. The function unconditionally accesses per-CPU data for the first CPU of each mask, but some node CPU masks may be empty on systems with memory-only NUMA nodes. When cpumaskofnode(nid) returns 0 and cpumaskfirst(0) is CONFIGNRCPUS, the function attempts to access the cpuinfo per-CPU array at an out-of-bounds index (NVD). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

While the vulnerability requires privileged access for exploitation since microcode flashing is a privileged operation, it can potentially lead to memory corruption during microcode updates. This could result in system instability or reliability issues on affected systems with CPU-less NUMA nodes (NVD).

The vulnerability has been patched in the Linux kernel by modifying the loop to only iterate over NUMA nodes that have CPUs before determining whether the first CPU on the respective node needs a microcode update. Multiple stable kernel versions have received the fix, and distribution vendors like Debian have released security updates to address this issue (Debian Security).