CVE-2025-38351

EPSS 0.03%
Published 19.07.2025 11:59:34
Last modified 28.08.2025 15:15:48
Source 416baaa9-dc9f-4396-8d5f-8c081f
Teams watchlist Login
Open Login

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush

In KVM guests with Hyper-V hypercalls enabled, the hypercalls
HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX
allow a guest to request invalidation of portions of a virtual TLB.
For this, the hypercall parameter includes a list of GVAs that are supposed
to be invalidated.

However, when non-canonical GVAs are passed, there is currently no
filtering in place and they are eventually passed to checked invocations of
INVVPID on Intel / INVLPGA on AMD.  While AMD's INVLPGA silently ignores
non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly
signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error():

  invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000
  WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482
  invvpid_error+0x91/0xa0 [kvm_intel]
  Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse
  CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary)
  RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel]
  Call Trace:
    vmx_flush_tlb_gva+0x320/0x490 [kvm_intel]
    kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm]
    kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm]

Hyper-V documents that invalid GVAs (those that are beyond a partition's
GVA space) are to be ignored.  While not completely clear whether this
ruling also applies to non-canonical GVAs, it is likely fine to make that
assumption, and manual testing on Azure confirms "real" Hyper-V interprets
the specification in the same way.

Skip non-canonical GVAs when processing the list of address to avoid
tripping the INVVPID failure.  Alternatively, KVM could filter out "bad"
GVAs before inserting into the FIFO, but practically speaking the only
downside of pushing validation to the final processing is that doing so
is suboptimal for the guest, and no well-behaved guest will request TLB
flushes for non-canonical addresses.

Affected products Warnungen 0 Metrics 1 CWE 0 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorLinux

≫

Product Linux

Default Statusunaffected

Version < d5784ea45663330eaa868c518ea40e7a9f06aa2d

Version 260970862c88b4130e9e12be023c7e2c2d37a966

Status affected

Version < f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24

Version 260970862c88b4130e9e12be023c7e2c2d37a966

Status affected

Version < 2d4dea3f76510c0afe3f18c910f647b816f7d566

Version 260970862c88b4130e9e12be023c7e2c2d37a966

Status affected

Version < fa787ac07b3ceb56dd88a62d1866038498e96230

Version 260970862c88b4130e9e12be023c7e2c2d37a966

Status affected

VendorLinux

≫

Product Linux

Default Statusaffected

Version 6.2

Status affected

Version < 6.2

Version 0

Status unaffected

Version <= 6.6.*

Version 6.6.103

Status unaffected

Version <= 6.12.*

Version 6.12.41

Status unaffected

Version <= 6.15.*

Version 6.15.7

Status unaffected

Version <= *

Version 6.16

Status unaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.03%	0.081

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string

https://git.kernel.org/stable/c/2d4dea3f76510c0afe3f18c910f647b816f7d566

https://git.kernel.org/stable/c/fa787ac07b3ceb56dd88a62d1866038498e96230

https://git.kernel.org/stable/c/f1b3ad11ec11c88ba9f79a73d27d4cda3f80fb24

https://git.kernel.org/stable/c/d5784ea45663330eaa868c518ea40e7a9f06aa2d

https://nvd.nist.gov/vuln/detail/CVE-2025-38351

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-38351

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-38351

EUVD