CVE-2025-40300

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> x86/vmscape: Add conditional IBPB mitigation<br /> <br /> VMSCAPE is a vulnerability that exploits insufficient branch predictor<br /> isolation between a guest and a userspace hypervisor (like QEMU). Existing<br /> mitigations already protect kernel/KVM from a malicious guest. Userspace<br /> can additionally be protected by flushing the branch predictors after a<br /> VMexit.<br /> <br /> Since it is the userspace that consumes the poisoned branch predictors,<br /> conditionally issue an IBPB after a VMexit and before returning to<br /> userspace. Workloads that frequently switch between hypervisor and<br /> userspace will incur the most overhead from the new IBPB.<br /> <br /> This new IBPB is not integrated with the existing IBPB sites. For<br /> instance, a task can use the existing speculation control prctl() to<br /> get an IBPB at context switch time. With this implementation, the<br /> IBPB is doubled up: one at context switch and another before running<br /> userspace.<br /> <br /> The intent is to integrate and optimize these cases post-embargo.<br /> <br /> [ dhansen: elaborate on suboptimal IBPB solution ]