CVE-2025-68259
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/12/2025
Last modified:
11/01/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced

When re-injecting a soft interrupt from an INT3, INTO, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.

As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.

The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.

The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.

[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
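The race and the check described in the commit message above, as an added illustration; this is a constructed C model written for this page, not KVM or guest kernel code. It models the guest's three-step text poke (5-byte NOP to int3 to JMP body to JMP opcode) and KVM's "compute next RIP for re-injection" step in two forms: the unchecked one, which trusts whatever instruction is at RIP when it decodes, and the checked one, which first verifies that the bytes at RIP still encode an instruction that raises the reported vector and otherwise discards the exception and retries. The opcode bytes, the NOP/JMP patterns, the RETRY sentinel and every helper name are assumptions of the model.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not kernel code): a small guest code buffer and the
 * re-injection decision KVM makes for a soft interrupt. */
#define CODE_SIZE 16
#define RETRY UINT64_MAX   /* sentinel: discard the exception and re-execute */

/* Instruction length for the opcodes this model can encounter. */
static size_t insn_len(const uint8_t *insn)
{
    switch (insn[0]) {
    case 0xCC: return 1;                        /* INT3 */
    case 0xCE: return 1;                        /* INTO */
    case 0xCD: return 2;                        /* INT imm8 */
    case 0xE9: return 5;                        /* JMP rel32 (static branch enabled) */
    case 0x0F: return insn[1] == 0x1F ? 5 : 2;  /* 5-byte NOPL (static branch disabled) */
    default:   return 1;
    }
}

/* Does the instruction now at `insn` actually raise the software vector the CPU reported? */
static bool raises_vector(const uint8_t *insn, uint8_t vector)
{
    switch (insn[0]) {
    case 0xCC: return vector == 3;          /* INT3 -> #BP */
    case 0xCE: return vector == 4;          /* INTO -> #OF */
    case 0xCD: return vector == insn[1];    /* INT n  -> n */
    default:   return false;
    }
}

/* Pre-fix behaviour: decode whatever sits at RIP now and trust its length. */
static uint64_t next_rip_unchecked(const uint8_t *code, uint64_t rip, uint8_t vector)
{
    (void)vector;
    return rip + insn_len(code + rip);
}

/* Fixed behaviour: re-inject only if the code stream still matches the vector. */
static uint64_t next_rip_checked(const uint8_t *code, uint64_t rip, uint8_t vector)
{
    if (!raises_vector(code + rip, vector))
        return RETRY;
    return rip + insn_len(code + rip);
}

/* Model of the guest's text poke: NOPL -> int3 -> JMP body -> JMP opcode (assumed encodings). */
static const uint8_t NOP5[5] = { 0x0F, 0x1F, 0x44, 0x00, 0x00 };
static const uint8_t JMP5[5] = { 0xE9, 0x10, 0x00, 0x00, 0x00 };

static void poke_step1(uint8_t *code, size_t off) { code[off] = 0xCC; }                 /* int3 in */
static void poke_step2(uint8_t *code, size_t off) { memcpy(code + off + 1, JMP5 + 1, 4); } /* tail */
static void poke_step3(uint8_t *code, size_t off) { code[off] = JMP5[0]; }               /* first byte */

/* Race: the vCPU executes the int3 at `off` (vector 3), then the poke finishes
 * before KVM decodes the instruction to compute next RIP. Returns the RIP KVM
 * would hand to the guest's #BP handler, or RETRY. */
static uint64_t race(bool checked)
{
    uint8_t code[CODE_SIZE] = {0};
    const size_t off = 0;
    const uint8_t vector = 3;               /* what the CPU reported at execution time */

    memcpy(code, NOP5, sizeof NOP5);
    poke_step1(code, off);                  /* int3 visible; vCPU executes it here */
    poke_step2(code, off);
    poke_step3(code, off);                  /* code stream changed under KVM's feet */

    return checked ? next_rip_checked(code, off, vector)
                   : next_rip_unchecked(code, off, vector);
}

/* Guest #BP handler model: pushed RIP minus the 1-byte int3 must hit the poked address. */
static bool guest_bp_lookup_ok(uint64_t pushed_rip, uint64_t poke_addr)
{
    return pushed_rip - 1 == poke_addr;
}
```

In the unchecked path the decoder sees the finished 5-byte JMP and reports RIP+5, so the guest's handler subtracts one, misses the poke entry and panics ("Oops: int3"); in the checked path the opcode no longer matches vector 3, the exception is dropped and the vCPU re-executes the now-complete JMP.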
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/152289a51107ef45bbfe9b4aeeaa584a503042b5
- https://git.kernel.org/stable/c/2e84a018c2895c05abe213eb10db128aa45f6ec6
- https://git.kernel.org/stable/c/4da3768e1820cf15cced390242d8789aed34f54d
- https://git.kernel.org/stable/c/53903ac9ca1abffa27327e85075ec496fa55ccf3
- https://git.kernel.org/stable/c/54bcccc2c7805a00af1d7d2faffd6f424c0133aa
- https://git.kernel.org/stable/c/87cc1622c88a4888959d64fa1fc9ba1e264aa3d4