In the Linux kernel, the following vulnerability has been resolved:
KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including:
* Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger:
  https://issues.redhat.com/browse/RHEL-68997
* Host SVE state is discarded after modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state.
* The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory.
Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches.
Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit:
8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")
... and so this eager save+flush probably needs to be backported to ALL stable trees.