CVE-2025-21779

Summary

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC:

dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1

Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < 61224533f2b61e252b03e214195d27d64b22989aaffected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < 45fa526b0f5a34492ed0536c3cdf88b78380e4deaffected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < 5393cf22312418262679eaadb130d608c75fe690affected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < 874ff13c73c45ecb38cb82191e8c1d523f0dc81baffected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < aca8be4403fb90db7adaf63830e27ebe787a76e8affected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < ca29f58ca374c40a0e69c5306fc5c940a0069074affected
LinuxLinux214ff83d4473a7757fa18a64dc7efe3b0e158486 < a8de7f100bb5989d9c3627d3a223ee1c863f3b69affected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux5.10.236 <= 5.10.*unaffected
LinuxLinux5.15.179 <= 5.15.*unaffected
LinuxLinux6.1.129 <= 6.1.*unaffected
LinuxLinux6.6.79 <= 6.6.*unaffected
LinuxLinux6.12.16 <= 6.12.*unaffected
LinuxLinux6.13.4 <= 6.13.*unaffected
LinuxLinux6.14 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References