CVE-2025-40300
BaseFortify

Publication date: 2025-09-11

Last updated on: 2025-11-17

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

x86/vmscape: Add conditional IBPB mitigation

VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace.

Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo.

[ dhansen: elaborate on suboptimal IBPB solution ]
Meta Information
Published: 2025-09-11
Last Modified: 2025-11-17
Generated: 2026-05-07
AI Q&A: 2025-09-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
3 associated CPEs:

Vendor   Product   Version / Range
linux    kernel    5.10.244-1
linux    kernel    6.1.153-1
qemu     qemu      *
Exploitability
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability, known as VMSCAPE, affects the Linux kernel's x86 architecture and involves insufficient branch predictor isolation between a guest virtual machine and a userspace hypervisor like QEMU. It allows a malicious guest to potentially exploit the branch predictor state shared with userspace, which can lead to information leakage or other side-channel attacks. The mitigation involves conditionally issuing an Indirect Branch Prediction Barrier (IBPB) after a VMexit and before returning to userspace to flush the branch predictors and reduce the risk of exploitation.


How can this vulnerability impact me?

This vulnerability can impact users by allowing a malicious guest virtual machine to exploit the branch predictor state shared with userspace, potentially leading to information leakage or side-channel attacks against the userspace hypervisor or other userspace processes. Workloads that frequently switch between hypervisor and userspace may experience performance overhead due to the additional IBPB instructions used as mitigation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that your Linux kernel is updated to include the conditional IBPB (Indirect Branch Prediction Barrier) mitigation after VMexit before returning to userspace. This involves applying the patch that adds conditional IBPB flushing of branch predictors to protect userspace from poisoned branch predictors. Additionally, existing mitigations such as speculation control via prctl() at context switch time should be maintained. Since this mitigation may cause overhead for workloads frequently switching between hypervisor and userspace, monitor performance accordingly.
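The answer above says to confirm the kernel carries the conditional IBPB mitigation. The script below is an added example written for this page (not BaseFortify's or the kernel project's code) that reads the kernel's sysfs vulnerability reporting and classifies the result so it can gate a fleet check. It assumes the mitigation series exposes a file named vmscape under /sys/devices/system/cpu/vulnerabilities/ using the usual "Not affected" / "Vulnerable" / "Mitigation: ..." strings; that file name and those strings are assumptions, not stated on this page.

```shell
# Added example: classify the VMSCAPE mitigation state from sysfs.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/vmscape
# with the same string convention as the other entries in that directory.
VMSCAPE_SYSFS="/sys/devices/system/cpu/vulnerabilities/vmscape"

# vmscape_classify FILE
# Prints one of: absent | not-affected | mitigated | vulnerable | unknown
vmscape_classify() {
    file="$1"
    if [ ! -r "$file" ]; then
        # Kernel predates the vmscape entry, or sysfs is not mounted:
        # treat as "unknown state", never as "safe".
        echo "absent"
        return 0
    fi
    status="$(cat "$file")"
    case "$status" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# vmscape_exit_code FILE
# Returns 0 only when the host is not affected or reports a mitigation,
# so it can be used directly as a CI or configuration-management gate.
vmscape_exit_code() {
    case "$(vmscape_classify "$1")" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# vmscape_report [FILE]
# Human-readable summary with the context a triager wants alongside the
# verdict: the running kernel and the raw sysfs line.
vmscape_report() {
    file="${1:-$VMSCAPE_SYSFS}"
    printf 'kernel:  %s\n' "$(uname -r)"
    printf 'vmscape: %s\n' "$(vmscape_classify "$file")"
    if [ -r "$file" ]; then
        printf 'sysfs:   %s\n' "$(cat "$file")"
    fi
}

# Usage on a host: vmscape_report
# As a gate:       vmscape_exit_code "$VMSCAPE_SYSFS" || echo "host needs the VMSCAPE fix"
```

The classifier deliberately reports a missing file as "absent" rather than as safe: a kernel too old to have the sysfs entry is exactly the kernel that lacks the fix, and "unknown" strings are also treated as failures by the gate.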

