KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
Summary
| CVE | CVE-2025-23141 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-05-01 13:15:49 UTC |
| Updated | 2026-06-01 17:16:34 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emuating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. ============================= WARNING: suspicious RCU usage 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted ----------------------------- include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] stack backtrace: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> |
Risk And Classification
Primary CVSS: v3.1 5.5 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Problem Types: NVD-CWE-noinfo
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 56d997b257075951a46663970cd350cd5e34c041 git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 0357c8406dfa09430dd9858ebe813feb65524b6e git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 7bc5c360375d28ba5ef6298b0d53e735c81d66a1 git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 f5cbe725b7477b4cd677be1b86b4e08f90572997 git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 592e040572f216d916f465047c8ce4a308fcca44 git | Not specified |
| CNA | Linux | Linux | affected 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40 ef01cac401f18647d62720cf773d7bb0541827da git | Not specified |
| CNA | Linux | Linux | affected 5.11 | Not specified |
| CNA | Linux | Linux | unaffected 5.11 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.135 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.88 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.24 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.13.12 6.13.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.14.3 6.14.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.15 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/592e040572f216d916f465047c8ce4a308fcca44 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0357c8406dfa09430dd9858ebe813feb65524b6e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ef01cac401f18647d62720cf773d7bb0541827da | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/f5cbe725b7477b4cd677be1b86b4e08f90572997 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/56d997b257075951a46663970cd350cd5e34c041 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| lists.debian.org/debian-lts-announce/2025/05/msg00045.html | af854a3a-2127-422b-91ae-364da2661108 | lists.debian.org | Mailing List, Third Party Advisory |
| git.kernel.org/stable/c/7bc5c360375d28ba5ef6298b0d53e735c81d66a1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/8a3df0aa1087a89f5ce55f4aba816bfcb1ecf1be | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.