CVE-2025-68810

Source
https://cve.org/CVERecord?id=CVE-2025-68810
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68810.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-68810
Downstream
Published
2026-01-13T15:29:16.475Z
Modified
2026-02-09T19:34:46.292712Z
Summary
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Details

In the Linux kernel, the following vulnerability has been resolved:

KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot

Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.

Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom.

==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745

CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x51/0x60
 print_report+0xcb/0x5c0
 kasan_report+0xb4/0xe0
 kvm_gmem_release+0x362/0x400 [kvm]
 __fput+0x2fa/0x9d0
 task_work_run+0x12c/0x200
 do_exit+0x6ae/0x2100
 do_group_exit+0xa8/0x230
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0x737/0x740
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31
 </TASK>

Allocated by task 745 on cpu 6 at 9.746971s:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x13/0x50
 __kasan_kmalloc+0x77/0x90
 kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
 kvm_vm_ioctl+0x14b0/0x3290 [kvm]
 __x64_sys_ioctl+0x129/0x1a0
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 745 on cpu 6 at 9.747467s:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x13/0x50
 __kasan_save_free_info+0x37/0x50
 __kasan_slab_free+0x3b/0x60
 kfree+0xf5/0x440
 kvm_set_memslot+0x3c2/0x1160 [kvm]
 kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
 kvm_vm_ioctl+0x14b0/0x3290 [kvm]
 __x64_sys_ioctl+0x129/0x1a0
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/68xxx/CVE-2025-68810.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a7800aa80ea4d5356b8474c2302812e9d4926fa6
Fixed
89dbbe6ff323fc34659621a577fe0af913f47386
Fixed
cb51bef465d8ec60a968507330e01020e35dc127
Fixed
9935df5333aa503a18de5071f53762b65c783c4c

Affected versions

v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.34
v6.12.35
v6.12.36
v6.12.37
v6.12.38
v6.12.39
v6.12.4
v6.12.40
v6.12.41
v6.12.42
v6.12.43
v6.12.44
v6.12.45
v6.12.46
v6.12.47
v6.12.48
v6.12.49
v6.12.5
v6.12.50
v6.12.51
v6.12.52
v6.12.53
v6.12.54
v6.12.55
v6.12.56
v6.12.57
v6.12.58
v6.12.59
v6.12.6
v6.12.60
v6.12.61
v6.12.62
v6.12.63
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.18
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5
v6.18-rc6
v6.18-rc7
v6.18.1
v6.18.2
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68810.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.12.64
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-68810.json"