CVE-2025-22013: Vulnerability in Linux
In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including:

* Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997

* Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state.

* The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory.

Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp().

As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches.

Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit:

8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving")

... and so this eager save+flush probably needs to be backported to ALL stable trees.
AI Analysis
Technical Summary
CVE-2025-22013 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) implementation for the ARM64 architecture. It concerns how the host's FPSIMD (Floating Point and SIMD), SVE (Scalable Vector Extension) and SME (Scalable Matrix Extension) CPU state is handled when a virtual CPU (vCPU) is loaded. The hyp (hypervisor) code saved and flushed the host's FPSIMD/SVE/SME state lazily, which leads to three distinct problems:

1) Host SVE state can be discarded unexpectedly because the TIF_SVE thread flag and the CPACR_ELx.ZEN trap bits were configured inconsistently. This has caused QEMU crashes when SVE instructions are used, for example inside memmove().

2) Host SVE state is discarded after it has been modified through ptrace. This was an unintentional change to the ptrace ABI and can produce incorrect behaviour in debugging or tracing scenarios.

3) The host FPMR (Floating Point Mode Register) value can be discarded when a non-protected VM that is not given FPMR support uses FPSIMD/SVE. The hyp code did not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, so a stale value is left in memory and may later be restored.

The fix replaces the lazy approach with an eager save and flush of the host's FPSIMD/SVE/SME state at vCPU load time, so KVM no longer has to save any host FPSIMD/SVE/SME state itself. As a result fpsimd_kvm_prepare() is removed and the call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). The underlying problems go back at least as far as kernel v5.17, so this is a long-standing issue, and the fix is recommended for backporting to all stable kernel trees that support ARM64 KVM. No known exploits are reported in the wild at this time, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability primarily affects those using ARM64-based Linux servers or virtualization infrastructure with KVM. The impact includes potential system instability or crashes in virtualized environments due to improper handling of advanced CPU state extensions (SVE/SME). This can lead to denial of service conditions in critical workloads running on ARM64 VMs, especially where SVE instructions are utilized. Additionally, the unintended ptrace ABI change could disrupt debugging and monitoring tools, complicating incident response and system diagnostics. Although no direct data leakage or privilege escalation is indicated, the stale or discarded CPU state could cause unpredictable behavior, potentially affecting the integrity and availability of virtualized services. Organizations relying on ARM64 virtualization for cloud services, edge computing, or specialized compute workloads may experience operational disruptions until patched. Given the increasing adoption of ARM64 architectures in Europe, particularly in telecom, research, and cloud sectors, the vulnerability poses a moderate risk to service continuity and system reliability.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the fix for CVE-2025-22013. Specifically, they should:

1) Identify all ARM64-based systems running KVM virtualization and verify kernel versions against vendor advisories for patches addressing this vulnerability.

2) Apply kernel updates from trusted Linux distributions that have backported the eager save and flush fix for FPSIMD/SVE/SME state handling.

3) Test updated kernels in staging environments to ensure stability and compatibility with existing virtualization workloads, especially those using SVE instructions.

4) Review and update ptrace-dependent debugging and monitoring tools to accommodate any ABI changes introduced by the fix.

5) Implement enhanced monitoring for VM crashes or unusual behavior related to floating point or SIMD operations to detect potential exploitation attempts or instability.

6) Engage with hardware and software vendors to confirm support for the updated kernel features and ensure coordinated patch management.

7) For environments where immediate patching is not feasible, consider restricting or disabling SVE/SME usage in VMs as a temporary mitigation, understanding the potential performance impact.

These steps go beyond generic advice by focusing on ARM64-specific virtualization nuances and the interplay between CPU state management and debugging interfaces.
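The inventory step above (find ARM64 hosts that run KVM and expose SVE/SME) can be scripted. The helper below is an added example, not code from the advisory or the kernel project; it takes the host facts as arguments so the classification can be exercised offline with constructed values, and the version strings in the comments are placeholders, since the page does not name the fixed kernel release.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the kernel project) for mitigation step 1.
# Classifies a host by the exposure profile described above: arm64, KVM available, and
# SVE/SME listed in the CPU features. Facts are passed as arguments so the logic can be
# tested with constructed values; collect_host_facts() reads them from the running machine.

# cve_2025_22013_exposure ARCH FEATURES KVM KERNEL
#   ARCH      output of `uname -m`
#   FEATURES  the "Features" line of /proc/cpuinfo (arm64 lists flags such as sve, sme)
#   KVM       "yes" if /dev/kvm exists, otherwise "no"
#   KERNEL    output of `uname -r`, echoed for comparison against the vendor advisory
# Prints one verdict line; returns 0 when the host must be checked for the fix, 1 if out of scope.
cve_2025_22013_exposure() {
    x_arch=$1; x_feat=$2; x_kvm=$3; x_kern=$4
    case "$x_arch" in
        aarch64|arm64) ;;
        *) echo "out-of-scope: $x_arch is not arm64"; return 1 ;;
    esac
    if [ "$x_kvm" != "yes" ]; then
        echo "out-of-scope: arm64 host without /dev/kvm (vCPU load path not used)"
        return 1
    fi
    x_vec=""
    case " $x_feat " in *" sve "*) x_vec="sve" ;; esac
    case " $x_feat " in *" sme "*) x_vec="${x_vec:+$x_vec+}sme" ;; esac
    if [ -z "$x_vec" ]; then
        # No SVE/SME flag: lower exposure to the SVE discard bugs, but the kernel still
        # needs the eager save+flush change, so the patch level must be confirmed.
        echo "check: arm64 KVM host, no SVE/SME; confirm kernel $x_kern carries the fix"
    else
        echo "check: arm64 KVM host with $x_vec; kernel $x_kern must carry the fix (QEMU crash risk)"
    fi
    return 0
}

# Gather the four facts from the running machine and classify it.
collect_host_facts() {
    h_arch=$(uname -m)
    h_feat=$(grep -m1 '^Features' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if [ -e /dev/kvm ]; then h_kvm=yes; else h_kvm=no; fi
    cve_2025_22013_exposure "$h_arch" "$h_feat" "$h_kvm" "$(uname -r)"
}

# Run the live check only when invoked as `sh triage.sh --live`.
if [ "${1:-}" = "--live" ]; then collect_host_facts; fi
```

Hosts reported as "check" should have their kernel version compared with the distribution advisory for CVE-2025-22013; the script cannot tell by itself whether the backport is present.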
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.806Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Added to database: 5/21/2025, 9:09:07 AM
Last enriched: 6/30/2025, 11:56:34 AM
Last updated: 8/11/2025, 11:35:56 AM