Bug#1110983: marked as done (intel-microcode: CVE-2025-20053 CVE-2025-20109 CVE-2025-21090 CVE-2025-22839 CVE-2025-22840 CVE-2025-22889 CVE-2025-24305 CVE-2025-26403 CVE-2025-32086)

[Debian Bug Tracking System]

Your message dated Sun, 26 Oct 2025 09:03:09 +0000
with message-id <e1vcweb-001ba8...@fasolo.debian.org>
and subject line Bug#1110983: fixed in intel-microcode 3.20250812.1~deb13u1
has caused the Debian Bug report #1110983,
regarding intel-microcode: CVE-2025-20053 CVE-2025-20109 CVE-2025-21090 
CVE-2025-22839 CVE-2025-22840 CVE-2025-22889 CVE-2025-24305 CVE-2025-26403 
CVE-2025-32086
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1110983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110983
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: intel-microcode
Version: 3.20250512.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 3.20250512.1~deb12u1

Hi,

The following vulnerabilities were published for intel-microcode.

CVE-2025-20053[0]:
| Improper buffer restrictions for some Intel(R) Xeon(R) Processor
| firmware with SGX enabled may allow a privileged user to potentially
| enable escalation of privilege via local access.


CVE-2025-20109[1]:
| Improper Isolation or Compartmentalization in the stream cache
| mechanism for some Intel(R) Processors may allow an authenticated
| user to potentially enable escalation of privilege via local access.


CVE-2025-21090[2]:
| Missing reference to active allocated resource for some Intel(R)
| Xeon(R) processors may allow an authenticated user to potentially
| enable denial of service via local access.


CVE-2025-22839[3]:
| Insufficient granularity of access control in the OOB-MSM for some
| Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user
| to potentially enable escalation of privilege via adjacent access.


CVE-2025-22840[4]:
| Sequence of processor instructions leads to unexpected behavior for
| some Intel(R) Xeon(R) 6 Scalable processors may allow an
| authenticated user to potentially enable escalation of privilege via
| local access


CVE-2025-22889[5]:
| Improper handling of overlap between protected memory ranges for
| some Intel(R) Xeon(R) 6 processor with Intel(R) TDX may allow a
| privileged user to potentially enable escalation of privilege via
| local access.


CVE-2025-24305[6]:
| Insufficient control flow management in the Alias Checking Trusted
| Module (ACTM) firmware for some Intel(R) Xeon(R) processors may
| allow a privileged user to potentially enable escalation of
| privilege via local access.


CVE-2025-26403[7]:
| Out-of-bounds write in the memory subsystem for some Intel(R)
| Xeon(R) 6 processors when using Intel(R) SGX or Intel(R) TDX may
| allow a privileged user to potentially enable escalation of
| privilege via local access.


CVE-2025-32086[8]:
| Improperly implemented security check for standard in the DDRIO
| configuration for some Intel(R) Xeon(R) 6 Processors when using
| Intel(R) SGX or Intel(R) TDX may allow a privileged user to
| potentially enable escalation of privilege via local access.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-20053
    https://www.cve.org/CVERecord?id=CVE-2025-20053
[1] https://security-tracker.debian.org/tracker/CVE-2025-20109
    https://www.cve.org/CVERecord?id=CVE-2025-20109
[2] https://security-tracker.debian.org/tracker/CVE-2025-21090
    https://www.cve.org/CVERecord?id=CVE-2025-21090
[3] https://security-tracker.debian.org/tracker/CVE-2025-22839
    https://www.cve.org/CVERecord?id=CVE-2025-22839
[4] https://security-tracker.debian.org/tracker/CVE-2025-22840
    https://www.cve.org/CVERecord?id=CVE-2025-22840
[5] https://security-tracker.debian.org/tracker/CVE-2025-22889
    https://www.cve.org/CVERecord?id=CVE-2025-22889
[6] https://security-tracker.debian.org/tracker/CVE-2025-24305
    https://www.cve.org/CVERecord?id=CVE-2025-24305
[7] https://security-tracker.debian.org/tracker/CVE-2025-26403
    https://www.cve.org/CVERecord?id=CVE-2025-26403
[8] https://security-tracker.debian.org/tracker/CVE-2025-32086
    https://www.cve.org/CVERecord?id=CVE-2025-32086
[9] 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: intel-microcode
Source-Version: 3.20250812.1~deb13u1
Done: Henrique de Moraes Holschuh <h...@debian.org>

We believe that the bug you reported is fixed in the latest version of
intel-microcode, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Henrique de Moraes Holschuh <h...@debian.org> (supplier of updated 
intel-microcode package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Oct 2025 15:41:39 -0300
Source: intel-microcode
Architecture: source
Version: 3.20250812.1~deb13u1
Distribution: trixie-security
Urgency: medium
Maintainer: Henrique de Moraes Holschuh <h...@debian.org>
Changed-By: Henrique de Moraes Holschuh <h...@debian.org>
Closes: 1110983 1112168
Changes:
 intel-microcode (3.20250812.1~deb13u1) trixie-security; urgency=medium
 .
   * Security upload, no changes.
 .
 intel-microcode (3.20250812.1) unstable; urgency=medium
 .
   [ Henrique de Moraes Holschuh ]
   * New upstream microcode datafile 20250812 (closes: #1110983, #1112168)
     - Mitgations for INTEL-SA-01249 (processor Stream Cache):
       CVE-2025-20109: Improper Isolation or Compartmentalization in the
       stream cache mechanism for some Intel Processors may allow an
       authenticated user to potentially enable escalation of privilege via
       local access.  Intel also disclosed that several processors models
       had already received this mitigation on the previous microcode
       release, 20250512.
     - Mitigations for INTEL-SA-01308:
       CVE-2025-22840: Sequence of processor instructions leads to
       unexpected behavior for some Intel Xeon 6 Scalable processors may
       allow an authenticated user to potentially enable escalation of
       privilege via local access.
     - Mitigations for INTEL-SA-01310 (OOBM services module):
       CVE-2025-22839: Insufficient granularity of access control in the
       OOB-MSM for some Intel Xeon 6 Scalable processors may allow a
       privileged user to potentially enable escalation of privilege via
       adjacent access.
     - Mitigations for INTEL-SA-01311 (Intel TDX):
       CVE-2025-22889: Improper handling of overlap between protected
       memory ranges for some Intel Xeon 6 processors with Intel TDX may
       allow a privileged user to potentially enable escalation of
       privilege via local access.
     - Mitigations for INTEL-SA-01313:
       CVE-2025-20053: Improper buffer restrictions for some Intel Xeon
       Processor firmware with SGX enabled may allow a privileged user to
       potentially enable escalation of privilege via local access.
       CVE-2025-21090: Missing reference to active allocated resource for
       some Intel Xeon processors may allow an authenticated user to
       potentially enable denial of service via local access.
       CVE-2025-24305: Insufficient control flow management in the Alias
       Checking Trusted Module (ACTM) firmware for some Intel Xeon
       processors may allow a privileged user to potentially enable
       escalation of privilege via local access.
     - Mitigations for INTEL-SA-01367 (Intel SGX, TDX):
       CVE-2025-26403: Out-of-bounds write in the memory subsystem for some
       Intel Xeon 6 processors when using Intel SGX or Intel TDX may allow
       a privileged user to potentially enable escalation of privilege via
       local access.
       CVE-2025-32086: Improperly implemented security check for standard
       in the DDRIO configuration for some Intel Xeon 6 Processors when
       using Intel SGX or Intel TDX may allow a privileged user to
       potentially enable escalation of privilege via local access.
     - Fixes for unspecified functional issues on several Intel Core and
       Intel Xeon processor models.
   * Updated microcodes:
     sig 0x000606a6, pf_mask 0x87, 2025-03-11, rev 0xd000410, size 309248
     sig 0x000606c1, pf_mask 0x10, 2025-03-06, rev 0x10002e0, size 301056
     sig 0x000806f8, pf_mask 0x87, 2025-04-04, rev 0x2b000643, size 592896
     sig 0x000806f7, pf_mask 0x87, 2025-04-04, rev 0x2b000643
     sig 0x000806f6, pf_mask 0x87, 2025-04-04, rev 0x2b000643
     sig 0x000806f5, pf_mask 0x87, 2025-04-04, rev 0x2b000643
     sig 0x000806f4, pf_mask 0x87, 2025-04-04, rev 0x2b000643
     sig 0x000806f8, pf_mask 0x10, 2025-04-08, rev 0x2c000401, size 625664
     sig 0x000806f6, pf_mask 0x10, 2025-04-08, rev 0x2c000401
     sig 0x000806f5, pf_mask 0x10, 2025-04-08, rev 0x2c000401
     sig 0x000806f4, pf_mask 0x10, 2025-04-08, rev 0x2c000401
     sig 0x000a06a4, pf_mask 0xe6, 2025-03-19, rev 0x0025, size 140288
     sig 0x000a06d1, pf_mask 0x95, 2025-05-15, rev 0x10003d0, size 1667072
     sig 0x000a06d1, pf_mask 0x20, 2025-05-15, rev 0xa000100, size 1638400
     sig 0x000a06f3, pf_mask 0x01, 2025-05-03, rev 0x3000362, size 1530880
     sig 0x000b06a2, pf_mask 0xe0, 2025-02-24, rev 0x4129, size 224256
     sig 0x000b06a3, pf_mask 0xe0, 2025-02-24, rev 0x4129
     sig 0x000b06a8, pf_mask 0xe0, 2025-02-24, rev 0x4129
     sig 0x000b06d1, pf_mask 0x80, 2025-05-21, rev 0x0123, size 80896
     sig 0x000c0662, pf_mask 0x82, 2025-05-14, rev 0x0119, size 90112
     sig 0x000c06a2, pf_mask 0x82, 2025-05-14, rev 0x0119
     sig 0x000c0652, pf_mask 0x82, 2025-05-14, rev 0x0119
     sig 0x000c0664, pf_mask 0x82, 2025-05-14, rev 0x0119
     sig 0x000c06f2, pf_mask 0x87, 2025-04-15, rev 0x210002b3, size 564224
     sig 0x000c06f1, pf_mask 0x87, 2025-04-15, rev 0x210002b3
   * update entry for 3.20250512.1 with new information
   * source: update symlinks to reflect id of the latest release, 20250812
 .
   [ Ben Hutchings ]
   * debian/tests/initramfs: Update to work with forky's initramfs-tools.
     In version 0.149 of initramfs-tools, unmkinitramfs was changed to no
     longer create early/ and main/ subdirectories.  Update the microcode
     file check to work with both old and new behaviours.
Checksums-Sha1:
 043c258749f634b13efba5ce4046b90490685afd 1932 
intel-microcode_3.20250812.1~deb13u1.dsc
 a0f795312c2344aa4be08047d3c31bfff811440e 12001704 
intel-microcode_3.20250812.1~deb13u1.tar.xz
 f450a128aca3f7f660a52d3ce857e6d1d4e63566 6179 
intel-microcode_3.20250812.1~deb13u1_source.buildinfo
Checksums-Sha256:
 a551fdc3c696f9d7bb2e36786b7119b3c22621db3edaf5e79f3decad555f866a 1932 
intel-microcode_3.20250812.1~deb13u1.dsc
 93a8e350766cf84c5debb109e4bb13e842abae13ae4302ecd8ac3d8276818b43 12001704 
intel-microcode_3.20250812.1~deb13u1.tar.xz
 7655099567a29d5aecae60354365af67607aa3f4dc7d82d4305e7afaf1d81e9e 6179 
intel-microcode_3.20250812.1~deb13u1_source.buildinfo
Files:
 d3dc12a81cac47d4e864e9657d9be862 1932 non-free-firmware/admin standard 
intel-microcode_3.20250812.1~deb13u1.dsc
 aff08237c540d9c357046da7d6757f51 12001704 non-free-firmware/admin standard 
intel-microcode_3.20250812.1~deb13u1.tar.xz
 44174dbd11e5fc428dbfceba52fc219c 6179 non-free-firmware/admin standard 
intel-microcode_3.20250812.1~deb13u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEpvbMGUAhfu+gsYOwlOXoPKamj0cFAmjz7uEPHGhtaEBkZWJp
YW4ub3JnAAoJEJTl6Dympo9H0U4QAJEXXRljT2STImkE/DxcTxt3F62OU5PoNA+o
pYnKxTp9U3W0Y8TgBLws27HIwNktdaQBbBntudbEeiBFb3MTTOF122lUC5sEha7/
rSdC2baFTGS1VScSGmVqRZIamrOU8OVVSPMbNToTTYaPp+xVhmi2tMrPRw5n08LP
ggCVDeSd9pf2kcrOcQNDxjdchn18TooXQAk5R0wCY8nfGi6Pe2yWDqabhjHKX0Dp
yePH8Laza0PP2dvKn/Gje/SDz5UCwHngFizjULqLWK/x6i8HnFDhcZsH/ErqmvL8
eiW3yxssrO+kSN+TmrrG5Dr04AAiq+JDRV2oCGtCzW06tWz1mHJtb9nCXu53BeYo
3p88BhHtCRUP+FydZG5IeP4xtEFA+sqq1pJW4Wd/kA/37QUxwilp9p+lpVlm/Gt0
vYKjgVv8sZ4F2SuwbJJhtyfOZIw46LfyzRTayv8Ur6pEOsQ29RdOixJ7jyG1i3Yf
b+4wSux4RZF9SL8kgSrTGE1+7QX2fgUCIgrzjH+5lpKq2nKzoLuFo6OoSCksGRKv
MgTsCdgz5ej0i8B/vwsoe3q8XXcMHkqpdzECB9haF2iirgSo8s+IJF/h4n3VKYyz
QawpabCNwoXOG7HVTywGfcTAoCgbRZ588QUdwmswh8bAU6dKqucxRTOSwQXjZZqT
6+VOHW8b
=9co0
-----END PGP SIGNATURE-----

pgpzIR7W6kRQR.pgp
Description: PGP signature

--- End Message ---