Cyber Resilience

CVE-2025-21687

Severity: High
Published: 10 February 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available (upstream commits listed under Deeper analysis)
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.1th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21687 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel (vendor Linux, product Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 6.1th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-21687 is a vulnerability in the Linux kernel's VFIO platform module, which handles device passthrough to virtual machines. The issue stems from insufficient bounds checking on the count and offset parameters that user space passes in read and write syscalls: the offset is capped at 40 bits, but nothing validates the count, so a request can read or write beyond the allocated device memory region. The flaw is classified under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields high-impact reads and writes (C:H/I:H/A:H) against the targeted device memory with scope unchanged (S:U), potentially leading to kernel memory corruption, data leakage, or denial of service.

Mitigation involves applying the upstream kernel patches available in the referenced stable branch commits, including 1485932496a1b025235af8aa1e21988d6b7ccd54, 665cfd1083866f87301bbd232cb8ba48dcf4acce, 6bcb8a5b70b80143db9bf12dfa7d53636f824d53, 92340e6c5122d823ad064984ef7513eba9204048, and 9377cdc118cf327248f1a9dde7b87de067681dc9, which add proper bounds checks for both count and offset parameters.
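As an added illustration (not the kernel's code and not from this page), the simplified C model below contrasts the pre-fix check as the advisory describes it (offset masked to 40 bits, count never compared with the region size) with a hardened check that ties both offset and count to the region size; the region struct, the 16-byte sample memory and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>            /* ssize_t */

/* Simplified, hypothetical model of a VFIO platform MMIO region written for
 * this example; it is not the kernel's own structure or code. */
struct region {
    uint64_t size;                /* bytes of device memory in the region */
    const unsigned char *base;    /* host-side mapping of that memory */
};

#define OFFSET_MASK ((1ULL << 40) - 1)   /* the 40-bit cap the advisory mentions */

/* Pre-fix logic as the advisory describes it: offset is masked to 40 bits and
 * count is never compared with the region size, so offset + count can run
 * past the end of the mapping. */
bool check_before(const struct region *r, uint64_t off, size_t count)
{
    uint64_t offset = off & OFFSET_MASK;   /* the only "validation" done */
    (void)r; (void)count;                  /* size and count never consulted */
    return offset <= OFFSET_MASK;          /* always true after masking */
}

/* Hardened logic: offset must lie inside the region and count must fit in
 * the bytes that remain. Comparing count against size - offset avoids the
 * integer wrap a naive "offset + count <= size" test would suffer. */
bool check_after(const struct region *r, uint64_t off, size_t count)
{
    uint64_t offset = off & OFFSET_MASK;
    if (offset >= r->size)
        return false;
    return (uint64_t)count <= r->size - offset;
}

/* Bounded read built on the hardened check: copies count bytes at off into
 * dst and returns the byte count, or -1 for a rejected request. */
ssize_t region_read(const struct region *r, uint64_t off, void *dst, size_t count)
{
    if (!check_after(r, off, count))
        return -1;
    memcpy(dst, r->base + (off & OFFSET_MASK), count);
    return (ssize_t)count;
}

/* Constructed 16-byte "device memory" plus a scratch buffer for trying reads. */
const unsigned char sample_mem[16] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
                                       0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
const struct region sample_region = { sizeof sample_mem, sample_mem };
unsigned char scratch[16];
```

The pre-fix check accepts a 64-byte request at offset 8 of a 16-byte region, while the hardened check rejects it and also rejects a huge count that would wrap a naive offset + count sum.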

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: check the bounds of read/write syscalls

count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

An out-of-bounds read/write in the kernel's VFIO platform driver gives a local user a memory-corruption primitive, which is the route to privilege escalation that T1068 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux Kernel)
CVE-2026-31772 (same product: Linux Kernel)
CVE-2026-43048 (same product: Linux Kernel)
CVE-2026-23378 (same product: Linux Kernel)
CVE-2026-31494 (same product: Linux Kernel)
CVE-2025-21735 (same product: Linux Kernel)
CVE-2025-21650 (same product: Linux Kernel)
CVE-2024-52319 (same product: Linux Kernel)
CVE-2024-58003 (same product: Linux Kernel)
CVE-2026-23343 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.13 · 4.1 to 5.4.290 · 5.5 to 5.10.234 · 5.11 to 5.15.178

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent): Directly requires validation of user-supplied count and offset parameters in VFIO read/write syscalls to prevent out-of-bounds access to device memory.

SI-2 Flaw Remediation (prevent): Mandates timely remediation of flaws like missing bounds checks in the Linux kernel VFIO platform module via upstream patches.

Memory protection control (prevent; the control identifier is not shown on the page, though the description matches SI-16 Memory Protection): Provides memory protection mechanisms that restrict out-of-bounds reads and writes beyond allocated device regions in kernel drivers.
