CVE-2025-71101
Published: 13 January 2026
Summary
CVE-2025-71101 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 4.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in kernel driver enables local low-priv exploitation for credential/memory disclosure (T1212) or system DoS (T1499.004); potential escalation path exists despite unchanged scope (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index.
Deeper analysis
CVE-2025-71101 is an out-of-bounds array access vulnerability (CWE-125) in the Linux kernel's platform/x86 hp-bioscfg driver. The issue affects functions such as hp_populate_*_elements_from_package(), which parse ACPI packages into internal data structures. These functions use a for loop with index 'elem' to iterate through arrays like enum_obj, integer_obj, and others, but when handling multi-element fields such as PREREQUISITES and ENUM_POSSIBLE_VALUES, they access elements via offsets (e.g., enum_obj[elem + reqs] or enum_obj[elem + pos_values]) without validating the full index, leading to potential out-of-bounds reads.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality (C:H) and availability (A:H) in the unchanged security scope (S:U), but no integrity impact (I:N). The CVSS v3.1 base score is 7.1. Exploitation requires local access to the system running the vulnerable kernel.
Mitigation is available via patches in Linux kernel stable releases, which update the bounds checks in the affected functions to validate the actual accessed indices, including offsets. Relevant commits include: https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd, https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680, https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad, and https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206.
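The flawed and corrected bounds checks described above, reduced to a user-space C model (an added example, not the hp-bioscfg driver's code). `parse_prereqs`, `sample`, `MARKER` and the `{size, values}` layout are assumptions made for illustration; only `elem` and `reqs` follow the names used in the description.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_PREREQS 4            /* cap on the size field (destination is fixed-size) */
#define MARKER      0x5EC        /* constructed value sitting past the package's end */

/* Constructed sample: size field says 3, but a declared count of 3 leaves room
 * for only 2 values. The array is larger than that count on purpose, so the
 * stray read in this demo stays inside real memory. */
const int sample[6] = { 3, 10, 11, MARKER, MARKER, MARKER };
int out[MAX_PREREQS];

/* Parse {size, value[0..size-1]} from obj[0..count-1].
 * check_offset = 0: pre-fix pattern, bounds check looks at elem only.
 * check_offset = 1: fixed pattern, bounds check looks at elem + reqs.
 * Returns the number of values copied, or -1 for a malformed package. */
int parse_prereqs(const int *obj, size_t count, int check_offset, int *dst)
{
    size_t size = 0, copied = 0;

    for (size_t elem = 0; elem < count; elem++) {
        if (elem == 0) {                          /* size field */
            if (obj[elem] < 0 || obj[elem] > MAX_PREREQS)
                return -1;
            size = (size_t)obj[elem];
            continue;
        }
        for (size_t reqs = 0; reqs < size; reqs++) {   /* multi-element field */
            size_t checked = check_offset ? elem + reqs : elem;
            if (checked >= count)
                return -1;
            dst[copied++] = obj[elem + reqs];     /* index actually accessed */
        }
        break;                                    /* field consumed */
    }
    return (int)copied;
}

int main(void)
{
    int n = parse_prereqs(sample, 3, 0, out);
    printf("elem-only check:   returned %d, last value 0x%X\n", n, (unsigned)out[2]);
    printf("elem + reqs check: returned %d\n", parse_prereqs(sample, 3, 1, out));
    return 0;
}
```

With the elem-only check the parser accepts the truncated package and copies a value from beyond its declared end; with the offset included in the check the same input is rejected.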
Details
- CWE(s)