Cyber Posture

CVE-2025-21687

Severity: High
Published: 10 February 2025
Modified: 03 November 2025
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.0th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21687 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel (vendor: Linux). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 6.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied count and offset parameters in VFIO read/write syscalls to prevent out-of-bounds access to device memory.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of flaws like missing bounds checks in the Linux kernel VFIO platform module via upstream patches.

Additional control (prevent): Provides memory protection mechanisms that restrict out-of-bounds reads and writes beyond allocated device regions in kernel drivers.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The kernel out-of-bounds read/write in VFIO directly enables local exploitation for privilege escalation via memory corruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls. count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device.

Deeper analysis

CVE-2025-21687 is a vulnerability in the Linux kernel's VFIO platform module, which handles device passthrough for virtual machines. The issue stems from insufficient bounds checking on the count and offset parameters passed from user space during read and write syscalls. While the offset is capped at 40 bits, the count is not validated, enabling out-of-bounds reads and writes beyond the allocated device memory region. This flaw is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write), with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation allows high-impact arbitrary reads and writes (C:H/I:H/A:H) on the targeted device memory with scope unchanged (S:U), potentially leading to kernel memory corruption, data leakage, or denial of service.

Mitigation involves applying the upstream kernel patches available in the referenced stable branch commits, including 1485932496a1b025235af8aa1e21988d6b7ccd54, 665cfd1083866f87301bbd232cb8ba48dcf4acce, 6bcb8a5b70b80143db9bf12dfa7d53636f824d53, 92340e6c5122d823ad064984ef7513eba9204048, and 9377cdc118cf327248f1a9dde7b87de067681dc9, which add proper bounds checks for both count and offset parameters.
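The flaw described above is a missing upper bound on a user-controlled count: the offset is masked to 40 bits, but nothing compares count against the size of the region it addresses. The C program below is an added illustration written for this page, not the kernel's vfio-platform code and not the upstream patch. It models a region only by its byte size, contrasts a schematic of the unchecked pre-fix logic with a hardened check that refuses offsets past the end and clamps count to the bytes remaining, and runs both over constructed requests including the wrap-around case where off + count would overflow. The region size (0x1000), the 40-bit offset mask, and all function names are assumptions for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a VFIO platform MMIO region: only its byte size
 * matters for the bounds decision. Not a kernel structure. */
struct mmio_region {
    const char *name;
    uint64_t    size;
};

/* The low 40 bits of the file position are treated as the byte offset inside
 * the region (the "offset is capped to 40 bits" in the advisory). The region
 * index carried in the upper bits is not modelled here. */
#define REGION_OFFSET_BITS 40
#define REGION_OFFSET_MASK ((1ULL << REGION_OFFSET_BITS) - 1)

/* Assumed example region: 4 KiB. */
static const struct mmio_region example_region = { "example-mmio", 0x1000 };

/* Schematic of the pre-fix behaviour the advisory describes: the offset is
 * masked but never compared to the region size, and count is accepted
 * unchanged, so the caller decides how many bytes get touched. */
static int bounds_legacy(const struct mmio_region *r, uint64_t pos,
                         size_t count, size_t *out_count)
{
    (void)r;
    (void)pos;              /* never compared against r->size */
    *out_count = count;     /* the flaw: no upper bound on count */
    return 0;
}

/* Hardened check (illustrative, a min_t()-style clamp): refuse offsets at or
 * past the end, then cap count to the bytes that remain. Comparing count
 * against (size - off) instead of computing (off + count) keeps the
 * arithmetic from wrapping when count is huge. */
static int bounds_checked(const struct mmio_region *r, uint64_t pos,
                          size_t count, size_t *out_count)
{
    uint64_t off = pos & REGION_OFFSET_MASK;

    if (off >= r->size)
        return -EINVAL;
    if (count > r->size - off)
        count = (size_t)(r->size - off);
    *out_count = count;
    return 0;
}

typedef int (*bounds_policy)(const struct mmio_region *, uint64_t,
                             size_t, size_t *);

/* 1 if the request, after the policy has processed it, touches only bytes
 * inside the region (a rejected request touches nothing); 0 otherwise. */
static int stays_in_bounds(const struct mmio_region *r, uint64_t pos,
                           size_t count, bounds_policy policy)
{
    uint64_t off = pos & REGION_OFFSET_MASK;
    size_t n;

    if (policy(r, pos, count, &n) != 0)
        return 1;
    return off < r->size && n <= r->size - off;
}

/* Bytes the hardened check would allow for a request, 0 if it is refused. */
static size_t checked_bytes(const struct mmio_region *r, uint64_t pos,
                            size_t count)
{
    size_t n = 0;
    return bounds_checked(r, pos, count, &n) == 0 ? n : 0;
}

int main(void)
{
    /* Constructed requests: the last three are the cases the advisory is about. */
    const struct { uint64_t pos; size_t count; } req[] = {
        { 0x000,  16 },        /* ordinary access */
        { 0xff0,  16 },        /* exactly the last 16 bytes */
        { 0xff0,  32 },        /* count runs 16 bytes past the end */
        { 0x2000, 4 },         /* offset already past the end */
        { 0x010,  SIZE_MAX },  /* count large enough to wrap off + count */
    };

    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        int legacy  = stays_in_bounds(&example_region, req[i].pos, req[i].count, bounds_legacy);
        int checked = stays_in_bounds(&example_region, req[i].pos, req[i].count, bounds_checked);
        printf("pos=0x%-5llx count=%-20zu legacy:%-13s checked:%s\n",
               (unsigned long long)req[i].pos, req[i].count,
               legacy ? "in bounds" : "OUT OF BOUNDS",
               checked ? "in bounds" : "OUT OF BOUNDS");
    }
    return 0;
}
```

The point to take from the output is that the hardened check never has to reason about off + count at all: once the offset is known to lie inside the region, size - off is the only quantity that can be exceeded, and clamping to it handles both the "slightly too long" and the "wraps the address space" requests in one comparison. This matches the intent of SI-10 (validate every user-supplied size and offset before it reaches device memory).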

Details

CWE(s): CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write)

Affected Products

Linux / Linux kernel: 6.13 · 4.1 through 5.4.290 · 5.5 through 5.10.234 · 5.11 through 5.15.178

CVEs Like This One

CVE-2026-31743 (same product: Linux Linux Kernel)
CVE-2026-23099 (same product: Linux Linux Kernel)
CVE-2025-21735 (same product: Linux Linux Kernel)
CVE-2025-71137 (same product: Linux Linux Kernel)
CVE-2026-23073 (same product: Linux Linux Kernel)
CVE-2025-21734 (same product: Linux Linux Kernel)
CVE-2025-21724 (same product: Linux Linux Kernel)
CVE-2026-23407 (same product: Linux Linux Kernel)
CVE-2025-71155 (same product: Linux Linux Kernel)
CVE-2024-54456 (same product: Linux Linux Kernel)
