CVE-2025-22047
Linux Kernel vulnerability analysis and mitigation

Overview

CVE-2025-22047 is a vulnerability discovered in the Linux kernel affecting the AMD microcode update functionality. The issue was disclosed on April 16, 2025, and involves a return value handling error in the __apply_microcode_amd() function. When verify_sha256_digest() fails, the function incorrectly returns -1 (which is promoted to true) instead of false, potentially leading to improper microcode verification (NVD, Debian Tracker).

Technical details

The vulnerability exists in the x86/microcode/AMD subsystem of the Linux kernel. The specific issue occurs in the __apply_microcode_amd() function, where a failure in verify_sha256_digest() is not properly propagated due to an incorrect return value. Instead of returning false to indicate the verification failure, the function returns -1, which is promoted to true when converted to a boolean value, potentially leading to acceptance of invalid microcode (NVD).
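The int-to-bool conversion described above, reduced to a stand-alone C model. This is an added example, not the kernel's code: digest_ok(), apply_patch_buggy(), apply_patch_fixed(), count_accepted() and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed reference bytes; a stand-in for a real SHA-256 comparison. */
static const unsigned char expected_patch[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Hypothetical digest check: true only for the expected bytes. */
static bool digest_ok(const unsigned char *patch, size_t len)
{
    return len == sizeof(expected_patch) &&
           memcmp(patch, expected_patch, len) == 0;
}

/* Buggy shape: declared bool, but signals failure with -1.
 * Any non-zero int converts to true, so the caller sees success. */
bool apply_patch_buggy(const unsigned char *patch, size_t len)
{
    if (!digest_ok(patch, len))
        return -1;
    return true;
}

/* Fixed shape: verification failure is propagated as false. */
bool apply_patch_fixed(const unsigned char *patch, size_t len)
{
    if (!digest_ok(patch, len))
        return false;
    return true;
}

/* Caller model: count how many candidate patches are reported as applied. */
size_t count_accepted(bool (*apply)(const unsigned char *, size_t),
                      const unsigned char patches[][4], size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (apply(patches[i], 4))
            accepted++;
    return accepted;
}

int main(void)
{
    const unsigned char samples[2][4] = { {0xde,0xad,0xbe,0xef}, {0,1,2,3} }; /* valid, tampered */
    printf("buggy: %zu, fixed: %zu\n", count_accepted(apply_patch_buggy, samples, 2),
           count_accepted(apply_patch_fixed, samples, 2));
    return 0;
}
```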

Impact

The vulnerability affects various Linux distributions and their kernel packages. Ubuntu reports several affected packages including linux, linux-aws, linux-azure, linux-gcp, linux-raspi, and linux-realtime in their 25.04 plucky and 24.10 oracular releases (Ubuntu). Debian reports that the vulnerability affects their trixie release with linux package version 6.12.22-1, while it has been fixed in sid with version 6.12.25-1 (Debian Tracker).

Mitigation and workarounds

The vulnerability has been fixed in various Linux distributions. Debian has addressed the issue in their sid release with linux package version 6.12.25-1. Ubuntu has marked several of their newer LTS releases (24.04 noble, 22.04 jammy, 20.04 focal) as not affected, while fixes are in progress for their latest releases (Ubuntu, Debian Tracker).

This report was generated using AI.