In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT and a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emulating the nested VM-Exit can access guest memory.
The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
 #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x7f/0x90
 lockdep_rcu_suspicious+0x144/0x190
 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
 kvm_vcpu_read_guest+0x3e/0x90 [kvm]
 read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
 __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
 kvm_check_nested_events+0x1b/0x30 [kvm]
 kvm_apic_accept_events+0x33/0x100 [kvm]
 kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
 kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
 __x64_sys_ioctl+0x8b/0xb0
 do_syscall_64+0x6c/0x170
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 </TASK>
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/23xxx/CVE-2025-23141.json"
}
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-23141.json"
[
{
"signature_version": "v1",
"target": {
"file": "arch/x86/kvm/x86.c",
"function": "kvm_arch_vcpu_ioctl_get_mpstate"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5cbe725b7477b4cd677be1b86b4e08f90572997",
"deprecated": false,
"digest": {
"function_hash": "218462868267550774513152690304811712374",
"length": 504.0
},
"id": "CVE-2025-23141-3285b22d",
"signature_type": "Function"
},
{
"signature_version": "v1",
"target": {
"file": "arch/x86/kvm/x86.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5cbe725b7477b4cd677be1b86b4e08f90572997",
"deprecated": false,
"digest": {
"line_hashes": [
"78973156357227001041105090336456120945",
"150404242149926826197166241466375139468",
"5450702351412165646354821140656117263",
"157643983218915768570350702413606525264",
"263397154458762077732115296782177120029",
"2000575291319792542070000621195802861",
"192552572899653636485347029507566538959"
],
"threshold": 0.9
},
"id": "CVE-2025-23141-eaf9c7ad",
"signature_type": "Line"
}
]