CVE-2025-23135: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

RISC-V: KVM: Teardown riscv specific bits after kvm_exit

During a module removal, kvm_exit invokes arch specific disable call which disables AIA. However, we invoke aia_exit before kvm_exit resulting in the following warning. KVM kernel module can't be inserted afterwards due to inconsistent state of IRQ.

[25469.031389] percpu IRQ 31 still enabled on CPU0!
[25469.031732] WARNING: CPU: 3 PID: 943 at kernel/irq/manage.c:2476 __free_percpu_irq+0xa2/0x150
[25469.031804] Modules linked in: kvm(-)
[25469.031848] CPU: 3 UID: 0 PID: 943 Comm: rmmod Not tainted 6.14.0-rc5-06947-g91c763118f47-dirty #2
[25469.031905] Hardware name: riscv-virtio,qemu (DT)
[25469.031928] epc : __free_percpu_irq+0xa2/0x150
[25469.031976] ra : __free_percpu_irq+0xa2/0x150
[25469.032197] epc : ffffffff8007db1e ra : ffffffff8007db1e sp : ff2000000088bd50
[25469.032241] gp : ffffffff8131cef8 tp : ff60000080b96400 t0 : ff2000000088baf8
[25469.032285] t1 : fffffffffffffffc t2 : 5249207570637265 s0 : ff2000000088bd90
[25469.032329] s1 : ff60000098b21080 a0 : 037d527a15eb4f00 a1 : 037d527a15eb4f00
[25469.032372] a2 : 0000000000000023 a3 : 0000000000000001 a4 : ffffffff8122dbf8
[25469.032410] a5 : 0000000000000fff a6 : 0000000000000000 a7 : ffffffff8122dc10
[25469.032448] s2 : ff60000080c22eb0 s3 : 0000000200000022 s4 : 000000000000001f
[25469.032488] s5 : ff60000080c22e00 s6 : ffffffff80c351c0 s7 : 0000000000000000
[25469.032582] s8 : 0000000000000003 s9 : 000055556b7fb490 s10: 00007ffff0e12fa0
[25469.032621] s11: 00007ffff0e13e9a t3 : ffffffff81354ac7 t4 : ffffffff81354ac7
[25469.032664] t5 : ffffffff81354ac8 t6 : ffffffff81354ac7
[25469.032698] status: 0000000200000100 badaddr: ffffffff8007db1e cause: 0000000000000003
[25469.032738] [<ffffffff8007db1e>] __free_percpu_irq+0xa2/0x150
[25469.032797] [<ffffffff8007dbfc>] free_percpu_irq+0x30/0x5e
[25469.032856] [<ffffffff013a57dc>] kvm_riscv_aia_exit+0x40/0x42 [kvm]
[25469.033947] [<ffffffff013b4e82>] cleanup_module+0x10/0x32 [kvm]
[25469.035300] [<ffffffff8009b150>] __riscv_sys_delete_module+0x18e/0x1fc
[25469.035374] [<ffffffff8000c1ca>] syscall_handler+0x3a/0x46
[25469.035456] [<ffffffff809ec9a4>] do_trap_ecall_u+0x72/0x134
[25469.035536] [<ffffffff809f5e18>] handle_exception+0x148/0x156

Invoke aia_exit and other arch specific cleanup functions after kvm_exit so that disable gets a chance to be called first before exit.
AI Analysis
Technical Summary
CVE-2025-23135 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture's Kernel-based Virtual Machine (KVM) module. The issue arises during the teardown process of the KVM module, where the sequence of cleanup operations is incorrect. Specifically, the kernel invokes the architecture-specific disable call (which disables the Advanced Interrupt Architecture, AIA) after calling aia_exit, leading to an inconsistent state of the interrupt request (IRQ) system. This inconsistency manifests as warnings about percpu IRQs still being enabled on CPUs after module removal, and critically, it prevents the KVM kernel module from being reinserted due to the IRQ subsystem being left in an inconsistent state.

The root cause is that aia_exit is called before kvm_exit, whereas the correct order should be to invoke aia_exit and other architecture-specific cleanup functions after kvm_exit. This sequencing ensures that the disable function is called first, properly disabling AIA before the exit routines proceed.

The vulnerability is specific to the RISC-V architecture implementation of KVM within the Linux kernel and affects kernel versions around 6.14.0-rc5. While the vulnerability does not appear to be exploitable remotely or by unprivileged users, it impacts the stability and reliability of the KVM module on affected systems, potentially causing denial of service conditions due to module insertion failures and IRQ inconsistencies. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
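The ordering problem described above, as a small user-space C model (an added example, not kernel code and not the upstream patch). The model_* functions, the NR_CPUS value and the rule that a reload fails while the IRQ is still registered are assumptions made for illustration; only the call order and the warning text come from the description.

```c
/* User-space model of the KVM RISC-V teardown order; illustrative, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define NR_CPUS 4                    /* assumed CPU count for the model */
static bool irq_enabled[NR_CPUS];    /* per-CPU enable state of the AIA percpu IRQ */
static bool irq_registered;          /* true while the percpu IRQ is requested */
static int  warnings;                /* "still enabled" warnings seen during teardown */

static void model_init(void)         /* module load: request IRQ, enable it on every CPU */
{
    warnings = 0;
    irq_registered = true;
    for (int c = 0; c < NR_CPUS; c++)
        irq_enabled[c] = true;
}

static void model_kvm_exit(void)     /* stands in for kvm_exit -> arch disable -> AIA off */
{
    for (int c = 0; c < NR_CPUS; c++)
        irq_enabled[c] = false;
}

static void model_aia_exit(void)     /* stands in for aia_exit -> free_percpu_irq */
{
    for (int c = 0; c < NR_CPUS; c++) {
        if (irq_enabled[c]) {        /* freeing is refused while any CPU has it enabled */
            printf("percpu IRQ still enabled on CPU%d!\n", c);
            warnings++;
            return;                  /* IRQ stays registered: inconsistent state */
        }
    }
    irq_registered = false;
}

/* Order before the fix (aia_exit first) and after it; each returns the warning count. */
int teardown_before_fix(void) { model_init(); model_aia_exit(); model_kvm_exit(); return warnings; }
int teardown_after_fix(void)  { model_init(); model_kvm_exit(); model_aia_exit(); return warnings; }
/* Assumption of the model: a later load fails while the old IRQ is still registered. */
bool reload_possible(void) { return !irq_registered; }

int main(void)
{
    int w = teardown_before_fix();
    printf("before fix: warnings=%d reload=%d\n", w, reload_possible());
    w = teardown_after_fix();
    printf("after fix:  warnings=%d reload=%d\n", w, reload_possible());
    return 0;
}
```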
Potential Impact
For European organizations utilizing Linux systems on RISC-V architectures with KVM virtualization, this vulnerability could disrupt virtualization operations by preventing the KVM module from being reloaded after removal. This can lead to system instability, denial of service for virtualized workloads, and increased downtime during maintenance or updates involving KVM modules. Organizations relying on RISC-V based virtualization for development, testing, or production workloads may face operational challenges. Although the vulnerability does not directly lead to privilege escalation or remote code execution, the inability to properly manage KVM modules can impact availability and reliability of critical services. Given the emerging adoption of RISC-V in certain European research institutions and technology companies, the impact is more pronounced in environments where RISC-V virtualization is actively used. The vulnerability may also complicate kernel module management and debugging efforts, increasing operational overhead and risk of misconfiguration.
Mitigation Recommendations
To mitigate CVE-2025-23135, European organizations should:

1) Apply the official Linux kernel patch that corrects the order of cleanup calls in the KVM RISC-V module teardown process as soon as it becomes available from trusted Linux kernel sources or distributions.
2) Avoid removing and reinserting the KVM module on affected RISC-V systems until patched, to prevent encountering the inconsistent IRQ state.
3) For environments requiring module reloads, consider rebooting the system as a temporary workaround to reset IRQ states.
4) Monitor kernel logs for warnings related to percpu IRQs and KVM module insertion failures to detect potential issues early.
5) Engage with Linux distribution vendors to ensure timely updates and backports of the fix for enterprise kernels.
6) For critical production systems, test kernel updates in staging environments to validate the fix and ensure no regression in virtualization stability.
7) Maintain robust backup and recovery procedures to minimize downtime if module issues cause service disruptions.

These steps go beyond generic advice by focusing on the specific module management and kernel update practices relevant to this vulnerability.
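Recommendation 4 above, as a small C log scanner (an added example, not a vendor or kernel tool). The struct hit type, the scan_kmsg and within_lines names and the 40-line trace window are assumptions; the sample lines are excerpted from the log in the description, with one constructed unrelated line.

```c
/* Log triage for the warning quoted in the description; illustrative, not a vendor tool. */
#include <stdio.h>
#include <string.h>
struct hit { int irq; int cpu; int aia_teardown; };

/* Excerpt of the kernel log from the description, plus one constructed unrelated line. */
static const char SAMPLE_KMSG[] =
    "[25468.900000] example: unrelated line (constructed)\n"
    "[25469.031389] percpu IRQ 31 still enabled on CPU0!\n"
    "[25469.031732] WARNING: CPU: 3 PID: 943 at kernel/irq/manage.c:2476 __free_percpu_irq+0xa2/0x150\n"
    "[25469.032856] [<ffffffff013a57dc>] kvm_riscv_aia_exit+0x40/0x42 [kvm]\n";

/* Nonzero if needle appears within the max_lines lines starting at p. */
static int within_lines(const char *p, const char *needle, int max_lines)
{
    const char *end = p;
    for (int i = 0; i < max_lines && end; i++) {
        end = strchr(end, '\n');
        if (end) end++;
    }
    const char *m = strstr(p, needle);
    return m != NULL && (end == NULL || m < end);
}

/* Counts "percpu IRQ N still enabled on CPUn!" warnings; *first gets the first one. */
int scan_kmsg(const char *log, struct hit *first)
{
    int n = 0;
    for (const char *p = log; (p = strstr(p, "percpu IRQ ")) != NULL; p++) {
        int irq, cpu;
        if (sscanf(p, "percpu IRQ %d still enabled on CPU%d!", &irq, &cpu) != 2)
            continue;
        if (n++ == 0) {
            first->irq = irq;
            first->cpu = cpu;
            /* Tie it to this issue only if the AIA teardown is in the trace that follows. */
            first->aia_teardown = within_lines(p, "kvm_riscv_aia_exit", 40);
        }
    }
    return n;
}

int main(void)
{
    struct hit h = {0, 0, 0};
    int n = scan_kmsg(SAMPLE_KMSG, &h);
    printf("%d warning(s): irq=%d cpu=%d aia_teardown=%d\n", n, h.irq, h.cpu, h.aia_teardown);
    return 0;
}
```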
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:28:41.511Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8209
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 9:57:47 PM
Last updated: 7/25/2025, 6:07:45 PM