CVE-2025-71101
Published: 13 January 2026
Summary
CVE-2025-71101 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-71101 is an out-of-bounds array access vulnerability (CWE-125) in the Linux kernel's platform/x86 hp-bioscfg driver. The issue affects functions such as hp_populate_*_elements_from_package(), which parse ACPI packages into internal data structures. These functions use a for loop with index 'elem' to iterate through arrays like enum_obj, integer_obj, and others, but when handling multi-element fields such as PREREQUISITES and ENUM_POSSIBLE_VALUES, they access elements via offsets (e.g., enum_obj[elem + reqs] or enum_obj[elem + pos_values]) without validating the full index, leading to potential out-of-bounds reads.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality (C:H) and availability (A:H) in the unchanged security scope (S:U), but no integrity impact (I:N). The CVSS v3.1 base score is 7.1. Exploitation requires local access to the system running the vulnerable kernel.
Mitigation is available via patches in Linux kernel stable releases, which update the bounds checks in the affected functions to validate the actual accessed indices, including offsets. Relevant commits include: https://git.kernel.org/stable/c/79cab730dbaaac03b946c7f5681bd08c986e2abd, https://git.kernel.org/stable/c/cf7ae870560b988247a4bbbe5399edd326632680, https://git.kernel.org/stable/c/db4c26adf7117b1a4431d1197ae7109fee3230ad, and https://git.kernel.org/stable/c/e44c42c830b7ab36e3a3a86321c619f24def5206.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2219
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing

The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays. When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops. The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values. The fix changes the bounds check to validate the actual accessed index.
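The difference between checking 'elem' and checking 'elem + reqs' can be seen in a small userspace model. This is an added example, not code from the hp-bioscfg driver or the kernel patches; the element layout, MAX_PREREQS, parse_prereqs() and the sample packages are assumptions made for illustration, and the model counts out-of-range indices instead of reading them.

```c
#include <stdio.h>
#include <stddef.h>
/* Constructed model, not driver code. Assumed layout of the element array:
 * obj[0] = number of prerequisites, obj[1..] = the prerequisite values. */
enum { MAX_PREREQS = 20 };  /* assumed cap for this model */
struct parse_result {
    int stored;       /* in-bounds prerequisite indices visited */
    int oob_indices;  /* indices >= count the loop would have dereferenced */
    int rejected;     /* 1 if the parser stopped with an error */
};

/* Constructed sample packages: the first claims 5 prerequisites but carries 2. */
static const int truncated_pkg[] = { 5, 11, 22 };
static const int valid_pkg[]     = { 2, 11, 22 };

/* check_offset == 0: the bounds check looks only at 'elem' (the bug pattern).
 * check_offset == 1: it looks at 'elem + reqs', the index actually used. */
static struct parse_result parse_prereqs(const int *obj, size_t count, int check_offset)
{
    struct parse_result r = { 0, 0, 0 };
    size_t elem = 0;
    if (count == 0 || obj[elem] < 0 || obj[elem] > MAX_PREREQS) {
        r.rejected = 1;
        return r;
    }
    size_t size = (size_t)obj[elem++];  /* elem now indexes the first prerequisite */
    for (size_t reqs = 0; reqs < size; reqs++) {
        size_t idx = elem + reqs;
        if ((check_offset ? idx : elem) >= count) {
            r.rejected = 1;
            return r;
        }
        if (idx >= count)   /* model only: count the bad index, never read it */
            r.oob_indices++;
        else
            r.stored++;
    }
    return r;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        struct parse_result t = parse_prereqs(truncated_pkg, 3, fixed);
        struct parse_result v = parse_prereqs(valid_pkg, 3, fixed);
        printf("check_offset=%d truncated: oob=%d rejected=%d | valid: stored=%d\n",
               fixed, t.oob_indices, t.rejected, v.stored);
    }
    return 0;
}
```

With the elem-only check, the truncated package passes validation on every iteration while three of the indices it uses lie past the end of the array; with the offset-aware check, the parser rejects it at the first such index, and a well-formed package parses identically in both modes.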
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB read in kernel driver enables local low-priv exploitation for credential/memory disclosure (T1212) or system DoS (T1499.004); potential escalation path exists despite unchanged scope (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of all input data (ACPI packages) and computed indices before array access, which is exactly the missing check that caused the OOB read.
Mandates timely application of patches that correct the flawed bounds checks in hp_populate_*_elements_from_package().
Provides memory-protection mechanisms that can limit the impact of out-of-bounds reads in kernel drivers.