Linux kernel partitions: mac partition table handling out-of-bounds memory (DoS) (CVE-2025-21772)

Summary

Welcome to Security Spotlight. Today we’re unpacking CVE-2025-21772, a Linux kernel vulnerability that mishandles malformed partition tables. Disclosed in late February 2025 and patched in early spring, this flaw can lead to out-of-bounds memory access and denial of service on affected systems. SUSE recently released critical updates for both regular and real-time kernels.

Product details

This issue lives in the Linux kernel's partition probing code, specifically the mac partition table handler. Any distribution or device running a kernel built from Git commits prior to the official fix (merged for the 6.14 release) is at risk. SUSE has published updates for its SUSE Linux Enterprise and RT kernels, and other vendors are expected to follow suit.

Vulnerability type summary

CVE-2025-21772 is a memory-safety defect: improper bounds checks and string operations in partition table parsing. It can be triggered by a crafted storage device or disk image, causing kernel crashes or hangs and resulting in a denial of service condition.

Details of the vulnerability

Under the hood, three coding errors were identified: 1) on encountering a bad partition offset, the code failed to call put_dev_sector() even though the preceding read_part_sector() had succeeded, leaking resources; 2) if the table claims an abnormal sector size, such as 0xfff bytes, entries may straddle sector boundaries, leading to out-of-bounds reads; and 3) the code used strlen() and strcmp() on untrusted table data instead of the length-bounded strnlen() and strncmp(), so a field without NUL termination could be read past its end. Together these flaws can be weaponized by feeding a system a malicious partition table and driving the kernel into a panic loop or hang.
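The sector-boundary and string-termination checks described above can be modelled in user space. The following is an added example, not the kernel's code or the upstream patch: the function names, the 136-byte entry size, the type-field offset of 48 and the sample image are assumptions made for this sketch, and the put_dev_sector() balance issue is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR     512u  /* the probe maps one 512-byte sector at a time */
#define ENTRY_SIZE 136u  /* assumed size of one map entry */
#define TYPE_OFF   48u   /* assumed offset of the 32-byte type field */
#define FIELD_LEN  32u

/* Entry `index` starts at byte index * secsize. Accept it only if it ends
 * inside the 512-byte sector it starts in (no straddling). */
int entry_fits_in_sector(uint32_t secsize, uint32_t index)
{
    uint64_t off = (uint64_t)index * secsize;
    return secsize != 0 && (off % SECTOR) + ENTRY_SIZE <= SECTOR;
}

/* Bounded length: the value strnlen(field, max) returns, via memchr. */
size_t field_len(const char *field, size_t max)
{
    const char *nul = memchr(field, '\0', max);
    return nul ? (size_t)(nul - field) : max;
}

/* Exact match against a trusted literal without reading past field[max-1]. */
int field_is(const char *field, size_t max, const char *literal)
{
    size_t want = strlen(literal);
    return field_len(field, max) == want && strncmp(field, literal, want) == 0;
}

/* 1 = type matches, 0 = no match, -1 = malformed table, stop probing. */
int probe_type(const uint8_t *disk, size_t len, uint32_t secsize,
               uint32_t index, const char *want)
{
    uint64_t off = (uint64_t)index * secsize;
    if (!entry_fits_in_sector(secsize, index) || off + ENTRY_SIZE > len)
        return -1;
    return field_is((const char *)disk + off + TYPE_OFF, FIELD_LEN, want);
}

int main(void)
{
    static uint8_t disk[8192];                     /* constructed sample image */
    memset(disk + 512 + TYPE_OFF, 'A', FIELD_LEN); /* type field, no NUL */
    printf("secsize 512:   %d\n", probe_type(disk, sizeof disk, 512, 1, "Apple_HFS"));
    printf("secsize 0xfff: %d\n", probe_type(disk, sizeof disk, 0xfff, 1, "Apple_HFS"));
    return 0;
}
```

With a claimed sector size of 0xfff, entry 1 starts at byte 4095, which is offset 511 of a 512-byte sector, so the checker bails out before touching the entry.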

Conclusion

To stay safe, update your Linux kernels immediately—install SUSE’s published fixes or pull in the 6.14 upstream commit that addresses CVE-2025-21772. Validate your disk utilities and ensure any custom storage appliances are rebuilt with the patched code. That’s it for today’s deep dive—stay tuned for more security updates on Security Spotlight.

Remediation and exploitation details

This chain involves the following actors

  • Malicious user: Creates or supplies malformed partition tables
  • System administrator: Maintains systems and applies security updates
  • Kernel developer: Implements and reviews kernel fixes

The following systems are involved

  • Linux kernel (Manage hardware resources and provide core system services): Contains vulnerable partition probing code
  • Disk partition table (Describe layout of a storage device): Carrier of malformed data that triggers the bug

Attack entry point

  • Partition probing routine: Kernel code path that reads, validates and parses the partition table from a storage device

Remediation actions

  • System administrator: Upgrade to the latest kernel version that includes the fix or apply vendor security patches (system: Linux kernel)
  • Kernel developer: Merge and test the patch that adds proper sector-size checks, balanced resource release, and safe string operations (system: Partition probing code)

Exploitation actions

Create out-of-bounds memory layout

  • Actor: Malicious user
  • Action: Craft a partition table with a nonsensical sector size (for example 0xfff bytes) so that entries straddle sector boundaries and omit proper string termination
  • System: Disk partition table
Examples:
  • Use a disk image tool to set the reported sector size to 4095 bytes
  • Populate partition name fields without a terminating zero byte

Trigger the kernel’s partition probing path

  • Actor: Malicious user
  • Action: Attach the crafted disk image to the target system (via USB or as a virtual disk)
  • System: Boot loader and kernel partition loader
Examples:
  • Boot a physical machine from a USB stick containing the crafted image
  • Start a virtual machine with the malicious disk file attached

Access memory beyond the allocated buffer

  • Actor: Linux kernel
  • Action: Invoke the partition probing code which reads the bogus table without sufficient boundary checks and uses string functions that assume safe termination
  • System: Partition probing code in the kernel
Examples:
  • read_part_sector succeeds but put_dev_sector is not called on bailout
  • Use of strlen and strcmp past the end of a non-terminated field

Denial of service by kernel panic

  • Actor: Kernel
  • Action: Crash or panic due to invalid memory access
  • System: Kernel core
Examples:
  • OOPS: Kernel panic due to out-of-bounds read
  • System halt with call trace showing partition driver

CVE database technical details

CVE ID
CVE-2025-21772
Description
In the Linux kernel, the following vulnerability has been resolved:

partitions: mac: fix handling of bogus partition table

Fix several issues in partition probing:

 - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded.
 - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory.
 - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp().
Provider
Linux
CWE / problem types
Affected Software Versions
Linux (versionType: git, status: affected), from commit 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 up to, but not including:
  • a3e77da9f843e4ab93917d30c314f0283e28c124
  • 213ba5bd81b7e97ac6e6190b8f3bc6ba76123625
  • 40a35d14f3c0dc72b689061ec72fc9b193f37d1f
  • 27a39d006f85e869be68c1d5d2ce05e5d6445bf5
  • 92527100be38ede924768f4277450dfe8a40e16b
  • 6578717ebca91678131d2b1f4ba4258e60536e9f
  • 7fa9706722882f634090bfc9af642bf9ed719e27
  • 80e648042e512d5a767da251d44132553fe04ae0

Linux (versionType: semver, status: unaffected):
  • 5.4.291 through 5.4.*
  • 5.10.235 through 5.10.*
  • 5.15.179 through 5.15.*
  • 6.1.129 through 6.1.*
  • 6.6.79 through 6.6.*
  • 6.12.16 through 6.12.*
  • 6.13.4 through 6.13.*
  • 6.14 and later (versionType: original_commit_for_fix)
Date Published
2025-02-27T02:18:19.528Z
Last Updated
2025-05-04T07:20:46.575Z