CVE-2025-21724
Published: 27 February 2025
Summary
CVE-2025-21724 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of kernel flaws like the shift-out-of-bounds vulnerability in iova_bitmap_offset_to_index(), preventing exploitation via patching.
Enables vulnerability scanning to identify the presence of CVE-2025-21724 in deployed Linux kernels, facilitating remediation.
Mandates receiving and responding to security advisories on kernel vulnerabilities like CVE-2025-21724 to prompt patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel out-of-bounds write vulnerability exploitable by low-privileged attackers for arbitrary code execution and system disruption in kernel context, directly enabling privilege escalation.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined…
more
behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.
Deeper analysisAI
CVE-2025-21724 is a shift-out-of-bounds vulnerability in the Linux kernel's iommufd/iova_bitmap subsystem, specifically within the iova_bitmap_offset_to_index() function. The issue arises when shifting the constant "1" (typed as a 32-bit int) by the bitmap->mapped.pgshift value (an unsigned long), which can exceed 31 and trigger undefined behavior due to overflow in the 32-bit type. This is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system disruption within the kernel context.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 38ac76fc06bc6826a3e4b12a98efbe98432380a9 and others, which resolve the issue by changing the constant to "1UL" to promote it to unsigned long and match the shift operand's type. Security practitioners should update affected Linux kernels to incorporate these fixes.
Details
- CWE(s)