Cyber Resilience

CVE-2025-21724

HighUpdated

Published: 27 February 2025

Published
27 February 2025
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21724 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-21724 is a shift-out-of-bounds vulnerability in the Linux kernel's iommufd/iova_bitmap subsystem, specifically within the iova_bitmap_offset_to_index() function. The issue arises when shifting the constant "1" (typed as a 32-bit int) by the bitmap->mapped.pgshift value (an unsigned long), which can exceed 31 and trigger undefined behavior due to overflow in the 32-bit type. This is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system disruption within the kernel context.

Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 38ac76fc06bc6826a3e4b12a98efbe98432380a9 and others, which resolve the issue by changing the constant to "1UL" to promote it to unsigned long and match the shift operand's type. Security practitioners should update affected Linux kernels to incorporate these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined…

more

behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel out-of-bounds write vulnerability exploitable by low-privileged attackers for arbitrary code execution and system disruption in kernel context, directly enabling privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137Same product: Linux Linux Kernel
CVE-2026-31772Same product: Linux Linux Kernel
CVE-2026-23378Same product: Linux Linux Kernel
CVE-2026-31494Same product: Linux Linux Kernel
CVE-2025-21735Same product: Linux Linux Kernel
CVE-2025-21650Same product: Linux Linux Kernel
CVE-2024-52319Same product: Linux Linux Kernel
CVE-2024-58003Same product: Linux Linux Kernel
CVE-2026-23343Same product: Linux Linux Kernel
CVE-2026-23092Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.1 — 6.1.129 · 6.2 — 6.6.76 · 6.7 — 6.12.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of kernel flaws like the shift-out-of-bounds vulnerability in iova_bitmap_offset_to_index(), preventing exploitation via patching.

detect

Enables vulnerability scanning to identify the presence of CVE-2025-21724 in deployed Linux kernels, facilitating remediation.

prevent

Mandates receiving and responding to security advisories on kernel vulnerabilities like CVE-2025-21724 to prompt patching.

References