Cyber Posture

CVE-2025-21772

Severity: High
Published: 27 February 2025
Modified: 03 November 2025
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (14.2 percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

partitions: mac: fix handling of bogus partition table

Fix several issues in partition probing:

- The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded.
- If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory.
- We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp().

Security Summary

CVE-2025-21772 is a vulnerability in the Linux kernel's Mac (Apple) partition map parser, caused by improper handling of malformed or bogus partition tables. The upstream fix addresses three defects: the bailout for an invalid partoffset did not call put_dev_sector() even though the preceding read_part_sector() had succeeded; an absurd sector size (for example 0xfff bytes) was accepted, so partition entries could straddle sector boundaries and be accessed out of bounds; and string fields in partition entries were assumed to be NUL-terminated and handled with strlen() and strcmp() instead of the bounded strnlen() and strncmp(). The weakness is classified as CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can trigger the flaw with low attack complexity by presenting a crafted disk image or device carrying a malicious Mac partition table to the system during partition probing. Successful exploitation has high confidentiality, integrity and availability impact: the out-of-bounds memory writes can lead to arbitrary code execution, data corruption or denial of service.

Mitigation is to apply the upstream fix from the referenced stable-branch commits 213ba5bd81b7e97ac6e6190b8f3bc6ba76123625, 27a39d006f85e869be68c1d5d2ce05e5d6445bf5, 40a35d14f3c0dc72b689061ec72fc9b193f37d1f, 6578717ebca91678131d2b1f4ba4258e60536e9f and 7fa9706722882f634090bfc9af642bf9ed719e27, which add the missing checks in the parser and resolve the memory-safety issues.
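The three checks the fix introduces (reject a sector size that lets entries straddle 512-byte sectors, never read past the buffer, and treat on-disk strings as unterminated) shown in a user-space C model. This is an added example written for this page, not the kernel's block/partitions/mac.c; the field offsets (signature at byte 0, map count at 4, name at 16, type at 48), the 80-byte entry window, the 512-to-4096 power-of-two policy and the constructed image builder are all assumptions for illustration, while the 'ER' and 'PM' signatures follow the Apple partition map format.

```c
/* Added example (not the kernel's block/partitions/mac.c): a user-space model of a Mac
 * partition map walk with the three checks from the CVE-2025-21772 fix. Field offsets,
 * the 80-byte entry window and the 512..4096 size policy are assumptions. */
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_BYTES 512
#define ENTRY_BYTES  80   /* bytes of an entry this model reads (assumption) */
#define NAME_BYTES   32   /* on-disk name/type fields; a NUL is not guaranteed */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Check 1: entry N sits at byte N*secsize, so a size like 0xfff lands entries mid-sector.
 * Require a power of two; the 4096 cap is this example's policy, not upstream's. */
bool secsize_is_sane(uint32_t secsize)
{
    return secsize >= SECTOR_BYTES && secsize <= 4096 && (secsize & (secsize - 1)) == 0;
}

/* Check 2 (defence in depth): would entry 'idx' cross a 512-byte sector edge? */
bool entry_straddles_sector(uint32_t secsize, uint32_t idx)
{
    return ((uint64_t)secsize * idx % SECTOR_BYTES) + ENTRY_BYTES > SECTOR_BYTES;
}

/* Check 3: a full 32-byte name has no terminator, so strlen()/strcmp() would run off
 * the field; the bounded forms stop at NAME_BYTES. */
size_t entry_name_len(const uint8_t *e) { return strnlen((const char *)e + 16, NAME_BYTES); }
bool entry_type_is(const uint8_t *e, const char *t) { return strncmp((const char *)e + 48, t, NAME_BYTES) == 0; }

/* Walk an in-memory image; returns the number of 'PM' entries, or -1 if the map is
 * rejected. Every read is bounds-checked against 'len'. */
int mac_count_partitions(const uint8_t *img, size_t len)
{
    if (len < SECTOR_BYTES || be16(img) != 0x4552)          /* 'ER' driver descriptor */
        return -1;
    uint32_t secsize = be16(img + 2);
    if (!secsize_is_sane(secsize))
        return -1;
    int found = 0;
    uint32_t limit = 1;                                     /* first entry carries the map count */
    for (uint32_t idx = 1; idx <= limit; idx++) {
        uint64_t pos = (uint64_t)secsize * idx;
        if (entry_straddles_sector(secsize, idx) || pos + ENTRY_BYTES > len)
            return -1;                                      /* would read out of bounds */
        const uint8_t *e = img + pos;
        if (be16(e) != 0x504d)                              /* 'PM' entry signature */
            break;
        if (idx == 1)
            limit = be32(e + 4);
        found++;
    }
    return found;
}

/* Constructed image: 'ER' descriptor, then 'nentries' 'PM' entries whose 32-byte names
 * deliberately have no NUL. Returns the image length, 0 if it does not fit. */
size_t build_image(uint8_t *img, size_t cap, uint32_t secsize, uint32_t nentries)
{
    size_t need = (size_t)secsize * (nentries + 1);
    if (secsize < ENTRY_BYTES || need > cap)
        return 0;
    memset(img, 0, need);
    img[0] = 'E'; img[1] = 'R';
    img[2] = (uint8_t)(secsize >> 8); img[3] = (uint8_t)secsize;
    for (uint32_t i = 1; i <= nentries; i++) {
        uint8_t *e = img + (size_t)secsize * i;
        e[0] = 'P'; e[1] = 'M';
        e[6] = (uint8_t)(nentries >> 8); e[7] = (uint8_t)nentries;   /* map count, BE */
        memset(e + 16, 'A', NAME_BYTES);                    /* unterminated name */
        memcpy(e + 48, "Apple_UNIX_SVR2", 16);              /* type, NUL included */
    }
    return need;
}

/* Wrappers: build a constructed image and inspect it. */
int demo_count(uint32_t secsize, uint32_t nentries)
{
    static uint8_t img[32 * 1024];
    size_t len = build_image(img, sizeof img, secsize, nentries);
    return len ? mac_count_partitions(img, len) : -2;
}

int demo_first_name_len(void)           /* 32: the field is full and unterminated */
{
    static uint8_t img[1024];
    const uint8_t *e = img + SECTOR_BYTES;
    if (!build_image(img, sizeof img, SECTOR_BYTES, 1) || !entry_type_is(e, "Apple_UNIX_SVR2"))
        return -1;
    return (int)entry_name_len(e);
}

int main(void)
{
    printf("512-byte sectors, 2 entries: %d\n", demo_count(512, 2));
    printf("0xfff-byte sectors, 4 entries: %d (rejected)\n", demo_count(0xfff, 4));
    printf("first name length without NUL: %d\n", demo_first_name_len());
    return 0;
}
```

With a 0xfff-byte sector size the walk is refused before any entry is touched; without check 1, entry 1 would start at byte 4095, 511 bytes into sector 7, and reading 80 bytes from there is exactly the straddle the fix describes. The name length comes back as 32 because strnlen() stops at the field width instead of scanning into the adjacent type field.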

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 6.14; ≤ 5.4.291; 5.5 through 5.10.235; 5.11 through 5.15.179

References