CVE-2025-38455

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 25/07/2025
Last modified: 22/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight

Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs in parallel, and so sev_info.es_active can get toggled from false=>true in the destination VM after (or during) svm_vcpu_create(), resulting in an SEV{-ES} VM effectively having a non-SEV{-ES} vCPU.

The issue manifests most visibly as a crash when trying to free a vCPU's NULL VMSA page in an SEV-ES VM, but any number of things can go wrong.

BUG: unable to handle page fault for address: ffffebde00000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP KASAN NOPTI
CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE
Tainted: [U]=USER, [O]=OOT_MODULE
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024
RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline]
RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline]
RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline]
RIP: 0010:PageHead include/linux/page-flags.h:866 [inline]
RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067
Code: f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0
RSP: 0018:ffff8984551978d0 EFLAGS: 00010246
RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000
RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000
R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000
R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000
FS: 0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:

sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169
svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515
kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396
kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline]
kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490
kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895
kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310
kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369
__fput+0x3e4/0x9e0 fs/file_table.c:465
task_work_run+0x1a9/0x220 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x7f0/0x25b0 kernel/exit.c:953
do_group_exit+0x203/0x2d0 kernel/exit.c:1102
get_signal+0x1357/0x1480 kernel/signal.c:3034
arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218
do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f87a898e969

Modules linked in: gq(O)
gsmi: Log Shutdown Reason 0x03
CR2: ffffebde00000000
---[ end trace 0000000000000000 ]---

Deliberately don't check for a NULL VMSA when freeing the vCPU, as crashing the host is likely desirable due to the VMSA being consumed by hardware. E.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a bogus VMSA page. Accessing P
---truncated---
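The creation window and the migration check described above, as an added C model written for this page (it is not the kernel's code): the struct fields, function names and the single-vCPU-per-VM simplification are assumptions chosen to mirror the created_vcpus/online_vcpus counters and sev_info.es_active flag the advisory names. It shows why a migration that lands between the two counter increments leaves an SEV-ES VM with a VMSA-less vCPU, and how rejecting with -EBUSY while creation is in flight prevents that state.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Toy single-vCPU model of the per-VM state the advisory names; not kernel code. */
struct vm {
    int created_vcpus;          /* bumped early in vCPU creation */
    atomic_int online_vcpus;    /* bumped only once the vCPU is fully built */
    bool sev_active, es_active; /* es_active mirrors sev_info.es_active */
    bool vcpu_has_vmsa;         /* was a VMSA page allocated for the vCPU? */
};

/* First half of vCPU creation: reserve the slot and decide from the current
 * es_active whether a VMSA is needed; real KVM runs this outside kvm->lock. */
static void vcpu_create_begin(struct vm *vm)
{
    vm->created_vcpus++;
    vm->vcpu_has_vmsa = vm->es_active;
}

/* Second half: publish the vCPU. Nothing re-checks es_active here. */
static void vcpu_create_finish(struct vm *vm) { atomic_fetch_add(&vm->online_vcpus, 1); }

/* A vCPU is in flight while it sits between the two counters. */
static bool vcpu_creation_in_flight(const struct vm *vm)
{
    return atomic_load(&vm->online_vcpus) != vm->created_vcpus;
}

/* Pre-fix migration: moves the context unconditionally. Only an already-online
 * vCPU receives the source VMSA; an in-flight vCPU is simply missed. */
static int sev_migrate_unchecked(struct vm *dst, const struct vm *src)
{
    if (!src->sev_active) return -EINVAL;
    dst->sev_active = true;
    dst->es_active = src->es_active;
    if (atomic_load(&dst->online_vcpus) > 0) dst->vcpu_has_vmsa = src->vcpu_has_vmsa;
    return 0;
}

/* Fixed migration modelled on the advisory: reject with -EBUSY while either
 * VM is mid-creation, so an SEV-ES VM can never own a VMSA-less vCPU. */
static int sev_migrate_checked(struct vm *dst, const struct vm *src)
{
    if (vcpu_creation_in_flight(src) || vcpu_creation_in_flight(dst)) return -EBUSY;
    return sev_migrate_unchecked(dst, src);
}

/* The inconsistent state behind the oops: SEV-ES VM whose vCPU has no VMSA. */
static bool has_vmsa_less_es_vcpu(const struct vm *vm) { return vm->es_active && !vm->vcpu_has_vmsa; }
```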

Vulnerable products and versions

CPE                                               | From             | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 5.16 (including) | 6.1.146 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.2 (including)  | 6.6.99 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.7 (including)  | 6.12.39 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      | 6.13 (including) | 6.15.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.16:rc1:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc2:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc3:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc4:*:*:*:*:*:* |                  |
cpe:2.3:o:linux:linux_kernel:6.16:rc5:*:*:*:*:*:* |                  |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*  |                  |