CVE-2025-21950 in Linux

Summary

by MITRE • 04/01/2025

In the Linux kernel, the following vulnerability has been resolved:

drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl

In the "pmcmd_ioctl" function, three memory objects allocated by kmalloc are initialized by "hcall_get_cpu_state", which are then copied to user space. The initializer is indeed implemented in "acrn_hypercall2" (arch/x86/include/asm/acrn.h). There is a risk of information leakage due to uninitialized bytes.


Analysis

by VulDB Data Team • 02/01/2026

CVE-2025-21950 resides in the Linux kernel's ACRN virtualization driver, specifically in its hypervisor state management subsystem. It affects the acrn driver's handling of power management commands through the pmcmd_ioctl interface and is a critical information disclosure weakness that could expose sensitive data to unauthorized userspace processes. The flaw is the improper initialization of memory objects during power management command processing, which opens a path for information leakage and violates basic data sanitization and memory management principles.

The technical flaw is the choice of allocation function in the pmcmd_ioctl handler: three memory objects are allocated with kmalloc instead of the safer kzalloc. kmalloc does not zero the memory it returns, so the objects contain uninitialized bytes that may hold residual data from previous operations or other kernel memory contents. When these objects are later copied to user space through the ioctl interface, the uninitialized bytes are copied along with them, exposing potentially sensitive information such as kernel stack contents, previously freed data structures, or other confidential memory artifacts. This vulnerability corresponds to CWE-119, which addresses improper access to memory locations, and CWE-248, which deals with exposure of uninitialized memory.
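The allocation pattern described above, as an added userspace model (not the ACRN driver's own code): the hypothetical model_hcall_get_cpu_state() fills only the first field of each object, as the real hypercall may, and the rest of the object is whatever the allocator left behind. The RESIDUE bytes and OBJ_SIZE are constructed to stand in for slab leftovers; model_kmalloc()/model_kzalloc() play the roles of kmalloc()/kzalloc(), and leaked_bytes() counts how many untouched bytes would reach user space non-zero under each allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for data a previous owner of the slab object left behind. */
static const char RESIDUE[] = "stale-kernel-data";

enum { OBJ_SIZE = 32 };   /* constructed object size, not the driver's real struct */

/* kmalloc-like: contents are unspecified; here we deliberately fill them with residue
 * so the model behaves like a recycled slab object. */
static void *model_kmalloc(size_t n) {
    unsigned char *p = malloc(n);
    if (p)
        for (size_t i = 0; i < n; i++)
            p[i] = (unsigned char)RESIDUE[i % (sizeof RESIDUE - 1)];
    return p;
}

/* kzalloc-like: same allocation, but every byte is zeroed first. */
static void *model_kzalloc(size_t n) { return calloc(1, n); }

/* Stand-in for the hypercall that writes only a single status field (constructed value)
 * and never touches the remaining bytes of the object. */
static void model_hcall_get_cpu_state(unsigned char *obj) {
    uint32_t state = 1;
    memcpy(obj, &state, sizeof state);
}

/* Mirrors the ioctl path: allocate, let the hypercall fill the object, copy the whole
 * object out (as copy_to_user() would), then count the bytes past the written field
 * that arrive non-zero. Returns the leak size in bytes, or -1 on allocation failure. */
static int leaked_bytes(int use_kzalloc) {
    unsigned char *obj = use_kzalloc ? model_kzalloc(OBJ_SIZE) : model_kmalloc(OBJ_SIZE);
    if (!obj)
        return -1;
    model_hcall_get_cpu_state(obj);

    unsigned char user_copy[OBJ_SIZE];
    memcpy(user_copy, obj, OBJ_SIZE);   /* the full object crosses the kernel boundary */

    int leaked = 0;
    for (size_t i = sizeof(uint32_t); i < OBJ_SIZE; i++)
        if (user_copy[i] != 0)
            leaked++;
    free(obj);
    return leaked;
}
```

With the kmalloc-style allocator every byte beyond the written field leaks; with the kzalloc-style allocator the same copy exposes nothing, which is exactly why the upstream fix swaps the allocator rather than changing the copy.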

The operational impact goes beyond simple information disclosure, because leaked kernel memory gives adversaries material for more advanced exploitation. Attackers could potentially reconstruct kernel memory layouts, identify running processes, or extract cryptographic keys and other confidential data that remain in the uninitialized regions. Such leaks can enable privilege escalation or assist further exploitation by revealing kernel memory structures and state that user space processes would normally never see. Because the bug sits at the intersection of virtualization security and kernel memory management, it is particularly concerning in virtualized environments where multiple tenants share the same physical hardware.

Mitigation requires prompt patching of affected Linux kernel versions with the upstream fix, which replaces kmalloc with kzalloc for the affected allocations. System administrators should prioritize kernel updates that contain the resolved code, as this vulnerability is a direct threat to the confidentiality and integrity of virtualized environments. Additional defensive measures include proper memory sanitization practices, security review of memory allocation patterns in kernel modules, and monitoring to detect potential information leakage. Organizations should also consider runtime protections such as kernel memory protection mechanisms and regular security scanning of virtualization components to find similar weaknesses in other kernel subsystems. The fix relates to ATT&CK technique T1003.001, which covers OS credential dumping, since an information leak of this kind could expose credentials or authentication data held in memory.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00194

KEV

no

Activities

very low
