CVE-2025-21779 (GCVE-0-2025-21779)
Vulnerability from cvelistv5
Published: 2025-02-27 02:18
Modified: 2025-05-04 07:21
Summary
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC:

  dump_stack+0xbe/0xfd
  __kasan_report.cold+0x34/0x84
  kasan_report+0x3a/0x50
  __apic_accept_irq+0x3a/0x5c0
  kvm_hv_send_ipi.isra.0+0x34e/0x820
  kvm_hv_hypercall+0x8d9/0x9d0
  kvm_emulate_hypercall+0x506/0x7e0
  __vmx_handle_exit+0x283/0xb60
  vmx_handle_exit+0x1d/0xd0
  vcpu_enter_guest+0x16b0/0x24c0
  vcpu_run+0xc0/0x550
  kvm_arch_vcpu_ioctl_run+0x170/0x6d0
  kvm_vcpu_ioctl+0x413/0xb20
  __se_sys_ioctl+0x111/0x160
  do_syscal1_64+0x30/0x40
  entry_SYSCALL_64_after_hwframe+0x67/0xd1

Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

Impacted products
Vendor Product Version
Linux Linux Version: 214ff83d4473a7757fa18a64dc7efe3b0e158486


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61224533f2b61e252b03e214195d27d64b22989a",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "45fa526b0f5a34492ed0536c3cdf88b78380e4de",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "5393cf22312418262679eaadb130d608c75fe690",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "874ff13c73c45ecb38cb82191e8c1d523f0dc81b",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "aca8be4403fb90db7adaf63830e27ebe787a76e8",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "ca29f58ca374c40a0e69c5306fc5c940a0069074",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            },
            {
              "lessThan": "a8de7f100bb5989d9c3627d3a223ee1c863f3b69",
              "status": "affected",
              "version": "214ff83d4473a7757fa18a64dc7efe3b0e158486",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel\n\nAdvertise support for Hyper-V\u0027s SEND_IPI and SEND_IPI_EX hypercalls if and\nonly if the local API is emulated/virtualized by KVM, and explicitly reject\nsaid hypercalls if the local APIC is emulated in userspace, i.e. don\u0027t rely\non userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.\n\nRejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if\nHyper-V enlightenments are exposed to the guest without an in-kernel local\nAPIC:\n\n  dump_stack+0xbe/0xfd\n  __kasan_report.cold+0x34/0x84\n  kasan_report+0x3a/0x50\n  __apic_accept_irq+0x3a/0x5c0\n  kvm_hv_send_ipi.isra.0+0x34e/0x820\n  kvm_hv_hypercall+0x8d9/0x9d0\n  kvm_emulate_hypercall+0x506/0x7e0\n  __vmx_handle_exit+0x283/0xb60\n  vmx_handle_exit+0x1d/0xd0\n  vcpu_enter_guest+0x16b0/0x24c0\n  vcpu_run+0xc0/0x550\n  kvm_arch_vcpu_ioctl_run+0x170/0x6d0\n  kvm_vcpu_ioctl+0x413/0xb20\n  __se_sys_ioctl+0x111/0x160\n  do_syscal1_64+0x30/0x40\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nNote, checking the sending vCPU is sufficient, as the per-VM irqchip_mode\ncan\u0027t be modified after vCPUs are created, i.e. if one vCPU has an\nin-kernel local APIC, then all vCPUs have an in-kernel local APIC."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:00.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a"
        },
        {
          "url": "https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de"
        },
        {
          "url": "https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690"
        },
        {
          "url": "https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b"
        },
        {
          "url": "https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69"
        }
      ],
      "title": "KVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21779",
    "datePublished": "2025-02-27T02:18:23.001Z",
    "dateReserved": "2024-12-29T08:45:45.764Z",
    "dateUpdated": "2025-05-04T07:21:00.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-21779\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:18.690\",\"lastModified\":\"2025-04-10T13:15:47.123\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86: Reject Hyper-V\u0027s SEND_IPI hypercalls if local APIC isn\u0027t in-kernel\\n\\nAdvertise support for Hyper-V\u0027s SEND_IPI and SEND_IPI_EX hypercalls if and\\nonly if the local API is emulated/virtualized by KVM, and explicitly reject\\nsaid hypercalls if the local APIC is emulated in userspace, i.e. don\u0027t rely\\non userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.\\n\\nRejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if\\nHyper-V enlightenments are exposed to the guest without an in-kernel local\\nAPIC:\\n\\n  dump_stack+0xbe/0xfd\\n  __kasan_report.cold+0x34/0x84\\n  kasan_report+0x3a/0x50\\n  __apic_accept_irq+0x3a/0x5c0\\n  kvm_hv_send_ipi.isra.0+0x34e/0x820\\n  kvm_hv_hypercall+0x8d9/0x9d0\\n  kvm_emulate_hypercall+0x506/0x7e0\\n  __vmx_handle_exit+0x283/0xb60\\n  vmx_handle_exit+0x1d/0xd0\\n  vcpu_enter_guest+0x16b0/0x24c0\\n  vcpu_run+0xc0/0x550\\n  kvm_arch_vcpu_ioctl_run+0x170/0x6d0\\n  kvm_vcpu_ioctl+0x413/0xb20\\n  __se_sys_ioctl+0x111/0x160\\n  do_syscal1_64+0x30/0x40\\n  entry_SYSCALL_64_after_hwframe+0x67/0xd1\\n\\nNote, checking the sending vCPU is sufficient, as the per-VM irqchip_mode\\ncan\u0027t be modified after vCPUs are created, i.e. 
if one vCPU has an\\nin-kernel local APIC, then all vCPUs have an in-kernel local APIC.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86: Rechazar las hiperllamadas SEND_IPI de Hyper-V si la API local no est\u00e1 en el kernel Publicitar soporte para las hiperllamadas SEND_IPI y SEND_IPI_EX de Hyper-V si y solo si la API local es emulada/virtualizada por KVM, y rechazar expl\u00edcitamente dichas hiperllamadas si la API local es emulada en el espacio de usuario, es decir, no confiar en el espacio de usuario para optar por KVM_CAP_HYPERV_ENFORCE_CPUID. Rechazar SEND_IPI y SEND_IPI_EX corrige una desreferencia de puntero NULL si las iluminaciones de Hyper-V se exponen al invitado sin una APIC local en el n\u00facleo: dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Tenga en cuenta que comprobar la vCPU de env\u00edo es suficiente, ya que el irqchip_mode por VM no se puede modificar despu\u00e9s de crear las vCPU, es decir, si una vCPU tiene una APIC local en el n\u00facleo, entonces todas las vCPU tienen una APIC local en el 
n\u00facleo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"6.1.129\",\"matchCriteriaId\":\"66824E11-1AC0-4B97-810E-0A96CEB5FA93\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.79\",\"matchCriteriaId\":\"B16AADE5-B2FD-4C14-B4E4-85E8EDAFE775\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.16\",\"matchCriteriaId\":\"13C8DB18-FC60-425F-84E5-3EDDEC61B2FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.13.4\",\"matchCriteriaId\":\"2A2093ED-74A9-43F9-AC72-50030F374EA4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"186716B6-2B66-4BD0-852E-D48E71C0C85F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D3E781C-403A-498F-9DA9-ECEE50F41E75\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78
380e4de\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Mailing List\",\"Patch\"]}]}}"
  }
}

