CVE-2025-23141: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emulating the nested VM-Exit can access guest memory.

The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.

=============================
WARNING: suspicious RCU usage
6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
-----------------------------
include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
1 lock held by triple_fault_ev/1256:
 #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]

stack backtrace:
CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 <TASK>
 dump_stack_lvl+0x7f/0x90
 lockdep_rcu_suspicious+0x144/0x190
 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
 kvm_vcpu_read_guest+0x3e/0x90 [kvm]
 read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
 __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
 kvm_check_nested_events+0x1b/0x30 [kvm]
 kvm_apic_accept_events+0x33/0x100 [kvm]
 kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
 kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
 __x64_sys_ioctl+0x8b/0xb0
 do_syscall_64+0x6c/0x170
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
 </TASK>
AI Analysis
Technical Summary
CVE-2025-23141 is a vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically in the x86 virtualization implementation. The issue arises from missing synchronization when userspace requests the multiprocessor (MP) state of a virtual CPU (vCPU) via the KVM_GET_MP_STATE ioctl. In one edge case, a vCPU running a nested guest (L2) with both a pending INIT signal and a pending TRIPLE_FAULT request, retrieving the MP state triggers a nested VM-Exit through ->check_nested_events(), and emulating that VM-Exit reads guest memory. KVM protects its memslot data structures with the kvm->srcu SRCU (Sleepable Read-Copy Update) lock, and the MP state path did not hold the read-side lock while this guest memory access took place.

The bug was initially found by fuzzing with syzkaller on an internal Google kernel and reproduced upstream by modifying the triple_fault_event_test selftest to set up the problematic conditions. The kernel's lockdep output reports suspicious RCU usage, with a stack trace running through kvm_vcpu_ioctl, kvm_arch_vcpu_ioctl_get_mpstate, kvm_apic_accept_events, kvm_check_nested_events and down to kvm_vcpu_gfn_to_memslot.

Reading guest memory outside the SRCU read-side critical section means a concurrent memslot update is not ordered against the reader, so the flaw could lead to race conditions or memory corruption within the KVM module when handling nested virtualization events, possibly causing system instability or crashes. No exploit in the wild is known. The vulnerability affects Linux kernel versions that lack the fix and requires nested virtualization with these specific vCPU states together with the KVM_GET_MP_STATE ioctl. The absence of a CVSS score suggests this is a newly disclosed issue requiring assessment and patching by Linux kernel maintainers and by users running KVM with nested virtualization enabled.
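The following user-space C model illustrates the locking rule the fix enforces. It is an added example written for this page, not kernel code and not the upstream patch: a memslot lookup goes through a toy equivalent of rcu_dereference_check() that records a complaint whenever the SRCU read-side count is zero, mirroring the "suspicious rcu_dereference_check() usage!" splat above. Two variants of MP state retrieval are compared, one that processes the pending-INIT-plus-TRIPLE_FAULT edge case without the read lock and one that holds it across the event processing. All names (kvm_srcu_read_lock, get_mpstate_unguarded, get_mpstate_guarded, count_complaints) and the memslot layout are constructed for the example.

```c
/* Constructed model of the SRCU rule KVM applies to memslot lookups.
 * Not kernel code: the names mirror KVM concepts (kvm->srcu, memslots,
 * gfn-to-memslot lookup) but everything here is a toy for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

struct memslot {
    gfn_t base_gfn;
    uint64_t npages;
};

/* A published snapshot of all memslots. A writer replaces the snapshot and
 * may free the old one only after every SRCU reader that could still see it
 * has left its read-side critical section. */
struct memslots {
    struct memslot slots[4];
    int nr;
};

struct kvm {
    struct memslots *memslots;  /* SRCU-protected pointer */
    int srcu_readers;           /* toy read-side counter (stands in for kvm->srcu) */
    int lockdep_complaints;     /* number of "suspicious RCU usage" reports */
};

static void kvm_srcu_read_lock(struct kvm *kvm)   { kvm->srcu_readers++; }
static void kvm_srcu_read_unlock(struct kvm *kvm) { kvm->srcu_readers--; }

/* Toy rcu_dereference_check(): dereferencing the protected pointer with no
 * reader registered is recorded, as lockdep does in the real kernel. */
static struct memslots *srcu_dereference_check(struct kvm *kvm)
{
    if (kvm->srcu_readers == 0)
        kvm->lockdep_complaints++;
    return kvm->memslots;
}

static const struct memslot *gfn_to_memslot(struct kvm *kvm, gfn_t gfn)
{
    struct memslots *ms = srcu_dereference_check(kvm);
    for (int i = 0; i < ms->nr; i++) {
        const struct memslot *s = &ms->slots[i];
        if (gfn >= s->base_gfn && gfn < s->base_gfn + s->npages)
            return s;
    }
    return NULL;
}

/* Stand-in for the nested VM-Exit emulation that reads guest memory
 * (read_and_check_msr_entry -> kvm_vcpu_read_guest in the splat). */
static bool emulate_nested_vmexit(struct kvm *kvm)
{
    return gfn_to_memslot(kvm, 0x1000 /* constructed gfn */) != NULL;
}

/* "Before": MP state retrieval accepts APIC events without holding SRCU.
 * Only the edge case (pending INIT and TRIPLE_FAULT in L2) touches memory. */
static int get_mpstate_unguarded(struct kvm *kvm, bool init_and_triple_fault_pending)
{
    if (init_and_triple_fault_pending)
        emulate_nested_vmexit(kvm);
    return 0;
}

/* "After": the same path with the read lock held across event processing. */
static int get_mpstate_guarded(struct kvm *kvm, bool init_and_triple_fault_pending)
{
    kvm_srcu_read_lock(kvm);
    if (init_and_triple_fault_pending)
        emulate_nested_vmexit(kvm);
    kvm_srcu_read_unlock(kvm);
    return 0;
}

/* Runs one variant on a constructed setup twice (normal case, then the edge
 * case) and returns how many lockdep complaints it produced. */
static int count_complaints(int (*get_mpstate)(struct kvm *, bool))
{
    struct memslots ms = { .nr = 1 };
    ms.slots[0] = (struct memslot){ .base_gfn = 0x1000, .npages = 0x100 };
    struct kvm kvm = { .memslots = &ms, .srcu_readers = 0, .lockdep_complaints = 0 };

    get_mpstate(&kvm, false);   /* ordinary KVM_GET_MP_STATE: no guest memory access */
    get_mpstate(&kvm, true);    /* the edge case described in the advisory */
    return kvm.lockdep_complaints;
}

int main(void)
{
    printf("unguarded KVM_GET_MP_STATE: %d suspicious RCU usage report(s)\n",
           count_complaints(get_mpstate_unguarded));
    printf("guarded   KVM_GET_MP_STATE: %d suspicious RCU usage report(s)\n",
           count_complaints(get_mpstate_guarded));
    return 0;
}
```

The point the model makes is that the unguarded path is silent in the common case and only trips the check in the rare combination of pending events, which is why the bug surfaced through fuzzing rather than ordinary use; the guarded variant pays for the lock on every call so that the rare path is covered too.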
Potential Impact
For European organizations, the impact of CVE-2025-23141 is primarily relevant to environments utilizing Linux-based virtualization infrastructure, especially those leveraging nested virtualization capabilities for cloud services, testing, or development. Organizations running KVM on servers or cloud platforms that host nested virtual machines could experience system instability, crashes, or potential denial of service if this vulnerability is exploited or triggered unintentionally. While there is no evidence of remote code execution or privilege escalation directly from this flaw, the risk of memory corruption or race conditions in the hypervisor layer could undermine the reliability and security of virtualized workloads. This is particularly critical for data centers, cloud service providers, and enterprises relying on Linux virtualization for multi-tenant environments or sensitive workloads. Disruptions caused by this vulnerability could affect service availability and data integrity, impacting business continuity and compliance with European data protection regulations. Additionally, the complexity of nested virtualization scenarios means that only specialized setups are at risk, but these are common in advanced cloud and research infrastructures prevalent in Europe.
Mitigation Recommendations
To mitigate CVE-2025-23141, European organizations should:

1) Apply the latest Linux kernel updates and patches that address this vulnerability as soon as they become available from trusted sources such as the Linux kernel mailing list or vendor distributions.
2) Review and restrict the use of nested virtualization features in KVM environments, disabling nested virtualization where it is not strictly necessary to reduce the attack surface.
3) Implement strict access controls on userspace interfaces that can invoke KVM ioctls, ensuring only trusted and authorized users or processes can interact with the virtualization subsystem.
4) Monitor kernel logs and virtualization subsystem behavior for anomalies or crashes related to VM-Exit handling or MP state retrieval, enabling early detection of exploitation attempts or instability.
5) Conduct thorough testing of virtualization workloads after patching to confirm stability and absence of regressions, especially in nested VM scenarios.
6) Engage with Linux distribution security advisories and virtualization vendors for coordinated updates and guidance tailored to specific deployment environments.

These steps go beyond generic advice by focusing on controlling nested virtualization usage and securing the ioctl interface, which are critical vectors for this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-01-11T14:28:41.512Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9832c4522896dcbe8228
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 10:09:41 PM
Last updated: 8/16/2025, 1:13:53 AM
Views: 19
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)