cvelistv5 - cve-2025-38351

CVE-2025-38351 (GCVE-0-2025-38351)

Vulnerability from cvelistv5

Published

2025-07-19 11:59

Modified

2025-08-09 14:20

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses.

References

►

URL

Tags

	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230

Impacted products

Vendor

Product

Version

►

Linux

Version: 260970862c88b4130e9e12be023c7e2c2d37a966
Version: 260970862c88b4130e9e12be023c7e2c2d37a966
Version: 260970862c88b4130e9e12be023c7e2c2d37a966

Linux

Version: 6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24",
              "status": "affected",
              "version": "260970862c88b4130e9e12be023c7e2c2d37a966",
              "versionType": "git"
            },
            {
              "lessThan": "2d4dea3f76510c0afe3f18c910f647b816f7d566",
              "status": "affected",
              "version": "260970862c88b4130e9e12be023c7e2c2d37a966",
              "versionType": "git"
            },
            {
              "lessThan": "fa787ac07b3ceb56dd88a62d1866038498e96230",
              "status": "affected",
              "version": "260970862c88b4130e9e12be023c7e2c2d37a966",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/hyperv.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.41",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.41",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.7",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush\n\nIn KVM guests with Hyper-V hypercalls enabled, the hypercalls\nHVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX\nallow a guest to request invalidation of portions of a virtual TLB.\nFor this, the hypercall parameter includes a list of GVAs that are supposed\nto be invalidated.\n\nHowever, when non-canonical GVAs are passed, there is currently no\nfiltering in place and they are eventually passed to checked invocations of\nINVVPID on Intel / INVLPGA on AMD.  While AMD\u0027s INVLPGA silently ignores\nnon-canonical addresses (effectively a no-op), Intel\u0027s INVVPID explicitly\nsignals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():\n\n  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000\n  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482\n  invvpid_error+0x91/0xa0 [kvm_intel]\n  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse\n  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)\n  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]\n  Call Trace:\n    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]\n    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]\n    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]\n\nHyper-V documents that invalid GVAs (those that are beyond a partition\u0027s\nGVA space) are to be ignored.  While not completely clear whether this\nruling also applies to non-canonical GVAs, it is likely fine to make that\nassumption, and manual testing on Azure confirms \"real\" Hyper-V interprets\nthe specification in the same way.\n\nSkip non-canonical GVAs when processing the list of address to avoid\ntripping the INVVPID failure.  Alternatively, KVM could filter out \"bad\"\nGVAs before inserting into the FIFO, but practically speaking the only\ndownside of pushing validation to the final processing is that doing so\nis suboptimal for the guest, and no well-behaved guest will request TLB\nflushes for non-canonical addresses."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-09T14:20:18.470Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230"
        }
      ],
      "title": "KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38351",
    "datePublished": "2025-07-19T11:59:34.078Z",
    "dateReserved": "2025-04-16T04:51:24.006Z",
    "dateUpdated": "2025-08-09T14:20:18.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38351\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-07-19T12:15:35.383\",\"lastModified\":\"2025-08-01T09:15:33.167\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nKVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush\\n\\nIn KVM guests with Hyper-V hypercalls enabled, the hypercalls\\nHVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX\\nallow a guest to request invalidation of portions of a virtual TLB.\\nFor this, the hypercall parameter includes a list of GVAs that are supposed\\nto be invalidated.\\n\\nHowever, when non-canonical GVAs are passed, there is currently no\\nfiltering in place and they are eventually passed to checked invocations of\\nINVVPID on Intel / INVLPGA on AMD.  While AMD\u0027s INVLPGA silently ignores\\nnon-canonical addresses (effectively a no-op), Intel\u0027s INVVPID explicitly\\nsignals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():\\n\\n  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000\\n  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482\\n  invvpid_error+0x91/0xa0 [kvm_intel]\\n  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse\\n  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)\\n  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]\\n  Call Trace:\\n    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]\\n    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]\\n    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]\\n\\nHyper-V documents that invalid GVAs (those that are beyond a partition\u0027s\\nGVA space) are to be ignored.  While not completely clear whether this\\nruling also applies to non-canonical GVAs, it is likely fine to make that\\nassumption, and manual testing on Azure confirms \\\"real\\\" Hyper-V interprets\\nthe specification in the same way.\\n\\nSkip non-canonical GVAs when processing the list of address to avoid\\ntripping the INVVPID failure.  Alternatively, KVM could filter out \\\"bad\\\"\\nGVAs before inserting into the FIFO, but practically speaking the only\\ndownside of pushing validation to the final processing is that doing so\\nis suboptimal for the guest, and no well-behaved guest will request TLB\\nflushes for non-canonical addresses.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86/Hyper-V: Omisi\u00f3n de direcciones no can\u00f3nicas durante el vaciado de TLB de PV. En invitados KVM con hiperllamadas de Hyper-V habilitadas, las hiperllamadas HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST y HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX permiten que un invitado solicite la invalidaci\u00f3n de partes de una TLB virtual. Para ello, el par\u00e1metro hypercall incluye una lista de GVA que se supone que deben invalidarse. Sin embargo, cuando se pasan GVA no can\u00f3nicos, actualmente no hay ning\u00fan filtrado implementado y finalmente se pasan a invocaciones comprobadas de INVVPID en Intel / INVLPGA en AMD. Mientras que el INVLPGA de AMD ignora silenciosamente las direcciones no can\u00f3nicas (efectivamente, una operaci\u00f3n nula), el INVVPID de Intel se\u00f1ala expl\u00edcitamente VM-Fail y, en \u00faltima instancia, activa WARN_ONCE en invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Seguimiento de llamadas: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V informa que las GVA no v\u00e1lidas (aquellas que superan el espacio de GVA de una partici\u00f3n) deben ignorarse. Aunque no est\u00e1 del todo claro si esta regla tambi\u00e9n se aplica a las GVA no can\u00f3nicas, es probable que sea correcto asumirlo, y las pruebas manuales en Azure confirman que Hyper-V \\\"real\\\" interpreta la especificaci\u00f3n de la misma manera. Omita las GVA no can\u00f3nicas al procesar la lista de direcciones para evitar el error INVVPID. Como alternativa, KVM podr\u00eda filtrar los GVA \\\"malos\\\" antes de insertarlos en el FIFO, pero en t\u00e9rminos pr\u00e1cticos, la \u00fanica desventaja de trasladar la validaci\u00f3n al procesamiento final es que hacerlo no es \u00f3ptimo para el invitado y ning\u00fan invitado que se comporte bien solicitar\u00e1 vaciados de TLB para direcciones no can\u00f3nicas.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}

fkie_cve-2025-38351

Vulnerability from fkie_nvd

Published

2025-07-19 12:15

Modified

2025-08-01 09:15

Severity ?

Summary

References

▶	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush\n\nIn KVM guests with Hyper-V hypercalls enabled, the hypercalls\nHVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX\nallow a guest to request invalidation of portions of a virtual TLB.\nFor this, the hypercall parameter includes a list of GVAs that are supposed\nto be invalidated.\n\nHowever, when non-canonical GVAs are passed, there is currently no\nfiltering in place and they are eventually passed to checked invocations of\nINVVPID on Intel / INVLPGA on AMD.  While AMD\u0027s INVLPGA silently ignores\nnon-canonical addresses (effectively a no-op), Intel\u0027s INVVPID explicitly\nsignals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():\n\n  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000\n  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482\n  invvpid_error+0x91/0xa0 [kvm_intel]\n  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse\n  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)\n  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]\n  Call Trace:\n    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]\n    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]\n    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]\n\nHyper-V documents that invalid GVAs (those that are beyond a partition\u0027s\nGVA space) are to be ignored.  While not completely clear whether this\nruling also applies to non-canonical GVAs, it is likely fine to make that\nassumption, and manual testing on Azure confirms \"real\" Hyper-V interprets\nthe specification in the same way.\n\nSkip non-canonical GVAs when processing the list of address to avoid\ntripping the INVVPID failure.  Alternatively, KVM could filter out \"bad\"\nGVAs before inserting into the FIFO, but practically speaking the only\ndownside of pushing validation to the final processing is that doing so\nis suboptimal for the guest, and no well-behaved guest will request TLB\nflushes for non-canonical addresses."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: x86/Hyper-V: Omisi\u00f3n de direcciones no can\u00f3nicas durante el vaciado de TLB de PV. En invitados KVM con hiperllamadas de Hyper-V habilitadas, las hiperllamadas HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST y HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX permiten que un invitado solicite la invalidaci\u00f3n de partes de una TLB virtual. Para ello, el par\u00e1metro hypercall incluye una lista de GVA que se supone que deben invalidarse. Sin embargo, cuando se pasan GVA no can\u00f3nicos, actualmente no hay ning\u00fan filtrado implementado y finalmente se pasan a invocaciones comprobadas de INVVPID en Intel / INVLPGA en AMD. Mientras que el INVLPGA de AMD ignora silenciosamente las direcciones no can\u00f3nicas (efectivamente, una operaci\u00f3n nula), el INVVPID de Intel se\u00f1ala expl\u00edcitamente VM-Fail y, en \u00faltima instancia, activa WARN_ONCE en invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Seguimiento de llamadas: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V informa que las GVA no v\u00e1lidas (aquellas que superan el espacio de GVA de una partici\u00f3n) deben ignorarse. Aunque no est\u00e1 del todo claro si esta regla tambi\u00e9n se aplica a las GVA no can\u00f3nicas, es probable que sea correcto asumirlo, y las pruebas manuales en Azure confirman que Hyper-V \"real\" interpreta la especificaci\u00f3n de la misma manera. Omita las GVA no can\u00f3nicas al procesar la lista de direcciones para evitar el error INVVPID. Como alternativa, KVM podr\u00eda filtrar los GVA \"malos\" antes de insertarlos en el FIFO, pero en t\u00e9rminos pr\u00e1cticos, la \u00fanica desventaja de trasladar la validaci\u00f3n al procesamiento final es que hacerlo no es \u00f3ptimo para el invitado y ning\u00fan invitado que se comporte bien solicitar\u00e1 vaciados de TLB para direcciones no can\u00f3nicas."
    }
  ],
  "id": "CVE-2025-38351",
  "lastModified": "2025-08-01T09:15:33.167",
  "metrics": {},
  "published": "2025-07-19T12:15:35.383",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

ghsa-x77v-68j6-p42v

Vulnerability from github

Published

2025-07-19 12:30

Modified

2025-08-01 09:31

Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush

In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated.

However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():

invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]

Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way.

Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-38351"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-19T12:15:35Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush\n\nIn KVM guests with Hyper-V hypercalls enabled, the hypercalls\nHVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX\nallow a guest to request invalidation of portions of a virtual TLB.\nFor this, the hypercall parameter includes a list of GVAs that are supposed\nto be invalidated.\n\nHowever, when non-canonical GVAs are passed, there is currently no\nfiltering in place and they are eventually passed to checked invocations of\nINVVPID on Intel / INVLPGA on AMD.  While AMD\u0027s INVLPGA silently ignores\nnon-canonical addresses (effectively a no-op), Intel\u0027s INVVPID explicitly\nsignals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():\n\n  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000\n  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482\n  invvpid_error+0x91/0xa0 [kvm_intel]\n  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse\n  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)\n  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]\n  Call Trace:\n    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]\n    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]\n    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]\n\nHyper-V documents that invalid GVAs (those that are beyond a partition\u0027s\nGVA space) are to be ignored.  While not completely clear whether this\nruling also applies to non-canonical GVAs, it is likely fine to make that\nassumption, and manual testing on Azure confirms \"real\" Hyper-V interprets\nthe specification in the same way.\n\nSkip non-canonical GVAs when processing the list of address to avoid\ntripping the INVVPID failure.  Alternatively, KVM could filter out \"bad\"\nGVAs before inserting into the FIFO, but practically speaking the only\ndownside of pushing validation to the final processing is that doing so\nis suboptimal for the guest, and no well-behaved guest will request TLB\nflushes for non-canonical addresses.",
  "id": "GHSA-x77v-68j6-p42v",
  "modified": "2025-08-01T09:31:23Z",
  "published": "2025-07-19T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38351"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

wid-sec-w-2025-1613

Vulnerability from csaf_certbund

Published

2025-07-20 22:00

Modified

2025-08-18 22:00

Summary

Linux Kernel: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Der Kernel stellt den Kern des Linux Betriebssystems dar.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuführen oder andere nicht spezifizierte Angriffe durchzuführen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Der Kernel stellt den Kern des Linux Betriebssystems dar.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in Linux Kernel ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren  oder andere nicht spezifizierte Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1613 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1613.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1613 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1613"
      },
      {
        "category": "external",
        "summary": "Kernel CVE Announce Mailingliste",
        "url": "https://lore.kernel.org/linux-cve-announce/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38350",
        "url": "https://lore.kernel.org/linux-cve-announce/2025071933-CVE-2025-38350-262a@gregkh/"
      },
      {
        "category": "external",
        "summary": "Linux Kernel CVE Announcement CVE-2025-38351",
        "url": "https://lore.kernel.org/linux-cve-announce/2025071951-CVE-2025-38351-75ea@gregkh/"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-13589 vom 2025-08-12",
        "url": "https://linux.oracle.com/errata/ELSA-2025-13589.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5973 vom 2025-08-12",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00137.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5975 vom 2025-08-13",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00139.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-13602 vom 2025-08-14",
        "url": "https://linux.oracle.com/errata/ELSA-2025-13602.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2025-13598 vom 2025-08-15",
        "url": "https://linux.oracle.com/errata/ELSA-2025-13598.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02851-1 vom 2025-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022202.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02849-1 vom 2025-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022204.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02852-1 vom 2025-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022201.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02846-1 vom 2025-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022192.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2025:02853-1 vom 2025-08-18",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2025-August/022200.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Linux Kernel: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-08-18T22:00:00.000+00:00",
      "generator": {
        "date": "2025-08-19T05:55:28.978+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1613",
      "initial_release_date": "2025-07-20T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-20T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-08-11T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2025-08-12T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-08-13T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Debian und Oracle Linux aufgenommen"
        },
        {
          "date": "2025-08-17T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Oracle Linux aufgenommen"
        },
        {
          "date": "2025-08-18T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Linux Kernel",
            "product": {
              "name": "Open Source Linux Kernel",
              "product_id": "T008144",
              "product_identification_helper": {
                "cpe": "cpe:/a:linux:linux_kernel:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-38350",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T004914",
          "T008144"
        ]
      },
      "release_date": "2025-07-20T22:00:00.000+00:00",
      "title": "CVE-2025-38350"
    },
    {
      "cve": "CVE-2025-38351",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "T004914",
          "T008144"
        ]
      },
      "release_date": "2025-07-20T22:00:00.000+00:00",
      "title": "CVE-2025-38351"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-38351 (GCVE-0-2025-38351)

Vulnerability from cvelistv5

fkie_cve-2025-38351

Vulnerability from fkie_nvd

ghsa-x77v-68j6-p42v

Vulnerability from github

wid-sec-w-2025-1613

Vulnerability from csaf_certbund

Tags

Sightings

Nomenclature