CVE-2025-21779: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local APIC is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC:

  dump_stack+0xbe/0xfd
  __kasan_report.cold+0x34/0x84
  kasan_report+0x3a/0x50
  __apic_accept_irq+0x3a/0x5c0
  kvm_hv_send_ipi.isra.0+0x34e/0x820
  kvm_hv_hypercall+0x8d9/0x9d0
  kvm_emulate_hypercall+0x506/0x7e0
  __vmx_handle_exit+0x283/0xb60
  vmx_handle_exit+0x1d/0xd0
  vcpu_enter_guest+0x16b0/0x24c0
  vcpu_run+0xc0/0x550
  kvm_arch_vcpu_ioctl_run+0x170/0x6d0
  kvm_vcpu_ioctl+0x413/0xb20
  __se_sys_ioctl+0x111/0x160
  do_syscall_64+0x30/0x40
  entry_SYSCALL_64_after_hwframe+0x67/0xd1

Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC.
AI Analysis
Technical Summary
CVE-2025-21779 is a vulnerability identified in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically affecting the handling of Hyper-V hypercalls related to inter-processor interrupts (IPIs) on x86 architectures. The vulnerability arises from improper validation of SEND_IPI and SEND_IPI_EX hypercalls when the local Advanced Programmable Interrupt Controller (APIC) is not managed within the kernel but instead emulated in userspace. The Linux kernel incorrectly advertises support for these Hyper-V hypercalls regardless of whether the local APIC is in-kernel or userspace-emulated. This leads to a scenario where SEND_IPI hypercalls can be accepted without proper kernel-side APIC emulation, resulting in a NULL-pointer dereference and consequent kernel crash or denial of service. The vulnerability is triggered when a guest virtual machine running under KVM with Hyper-V enlightenments attempts to send IPIs, but the local APIC is not handled by the kernel. The fix involves rejecting SEND_IPI and SEND_IPI_EX hypercalls unless the local APIC is emulated by KVM in the kernel, thereby preventing reliance on userspace to enforce capability opt-in. The technical call stack indicates the crash occurs during the handling of these hypercalls, involving kernel address sanitizer (KASAN) reports and APIC interrupt acceptance routines. Since the per-VM irqchip_mode is immutable after vCPU creation, checking the sending vCPU's APIC mode suffices for enforcement. This vulnerability affects Linux kernel versions identified by the commit hash 214ff83d4473a7757fa18a64dc7efe3b0e158486 and was published on February 27, 2025. No known exploits are reported in the wild as of publication.
Potential Impact
For European organizations, the impact of CVE-2025-21779 primarily concerns environments utilizing KVM virtualization with Hyper-V enlightenments on x86 platforms. Organizations running Linux-based virtualized infrastructure, especially those leveraging mixed virtualization technologies or nested virtualization scenarios involving Hyper-V features, may experience denial of service conditions due to kernel crashes triggered by this vulnerability. This could disrupt critical services, cloud workloads, or virtualized applications, impacting availability. Confidentiality and integrity impacts are less direct since the vulnerability leads to a NULL-pointer dereference rather than arbitrary code execution. However, repeated crashes could be exploited to cause operational disruptions or trigger failover mechanisms, potentially exposing other attack surfaces. European data centers, cloud providers, and enterprises with hybrid virtualization stacks are at risk of service interruptions if unpatched. Given the Linux kernel's widespread use in European IT infrastructure, the vulnerability's scope is broad, but exploitation requires specific virtualization configurations, limiting the attack surface. The absence of known exploits reduces immediate risk, but the vulnerability's presence in kernel virtualization code warrants prompt attention to prevent future exploitation attempts.
Mitigation Recommendations
To mitigate CVE-2025-21779, European organizations should:
1) Apply the latest Linux kernel patches that explicitly reject SEND_IPI and SEND_IPI_EX hypercalls when the local APIC is not in-kernel, ensuring the fix is included in their kernel versions.
2) Audit virtualization configurations to identify KVM guests using Hyper-V enlightenments and verify the local APIC emulation mode.
3) Avoid relying on userspace APIC emulation for workloads that require Hyper-V hypercall support; instead, ensure in-kernel APIC handling is enabled.
4) Implement monitoring for kernel oops or crash logs related to KVM hypercall handling to detect potential exploitation attempts or misconfigurations.
5) For critical production environments, consider isolating or restricting virtual machines that might trigger this vulnerability until patches are applied.
6) Coordinate with Linux distribution vendors and virtualization platform providers to confirm patch availability and deployment timelines.
7) Incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid remediation and detection.
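A host-side audit covering recommendations 2 and 4 above, added here as an example that is not part of the advisory or of the kernel project. It assumes QEMU/KVM guests, that the Hyper-V IPI enlightenment appears on the QEMU command line as hv-ipi or hv-passthrough, and that the local APIC leaves the kernel only when kernel-irqchip=off is set; other VMMs need their own rules.

```shell
#!/bin/sh
# Added audit helpers for CVE-2025-21779 exposure (constructed example, not
# advisory or kernel code). Assumptions: guests are QEMU/KVM processes, the
# Hyper-V IPI enlightenment appears on the command line as "hv-ipi" or
# "hv-passthrough", and the local APIC is emulated in userspace only when
# "kernel-irqchip=off" (libvirt may spell it kernel_irqchip) is present.

# Exit 0 (risky) when one QEMU command line both exposes the SEND_IPI
# hypercalls and keeps the local APIC out of the kernel; exit 1 otherwise.
qemu_cmdline_is_risky() {
    case "$1" in
        *hv-ipi=off*)              ipi=0 ;;
        *hv-ipi*|*hv-passthrough*) ipi=1 ;;
        *)                         ipi=0 ;;
    esac
    case "$1" in
        *kernel[-_]irqchip=off*) userspace_lapic=1 ;;
        *)                       userspace_lapic=0 ;;
    esac
    [ "$ipi" -eq 1 ] && [ "$userspace_lapic" -eq 1 ]
}

# Exit 0 when kernel log text carries the crash signature quoted in the
# advisory: a call trace running from kvm_hv_send_ipi into __apic_accept_irq.
kvm_log_has_send_ipi_crash() {
    printf '%s\n' "$1" | grep -q 'kvm_hv_send_ipi' &&
        printf '%s\n' "$1" | grep -q '__apic_accept_irq'
}

# Constructed log excerpt mirroring the frames quoted in the advisory.
SAMPLE_LOG='[  42.123456] BUG: KASAN: null-ptr-deref in __apic_accept_irq+0x3a/0x5c0
[  42.123457] Call Trace:
[  42.123458]  kvm_hv_send_ipi.isra.0+0x34e/0x820
[  42.123459]  kvm_hv_hypercall+0x8d9/0x9d0'

# Walk live QEMU processes and the kernel ring buffer (run with --live).
audit_live_host() {
    for pid in $(pgrep -f qemu-system-x86_64 2>/dev/null); do
        # /proc/<pid>/cmdline is NUL-separated; flatten it to one line.
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || continue
        qemu_cmdline_is_risky "$cmd" &&
            echo "RISKY pid $pid: Hyper-V IPI exposed with userspace LAPIC"
    done
    kvm_log_has_send_ipi_crash "$(dmesg 2>/dev/null)" &&
        echo "ALERT: kvm_hv_send_ipi crash signature found in kernel log"
    return 0
}

if [ "${1-}" = --live ]; then audit_live_host; fi
```

Run it as `sh audit.sh --live` on a KVM host; without the flag it only defines the helpers, so it can be sourced into a larger compliance check.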
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.764Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe87bb
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 6/30/2025, 8:58:40 AM
Last updated: 8/18/2025, 11:35:28 PM