CVE-2025-21779: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel
First published: Thu Feb 27 2025(Updated: )
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and only if the local API is emulated/virtualized by KVM, and explicitly reject said hypercalls if the local APIC is emulated in userspace, i.e. don't rely on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID. Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if Hyper-V enlightenments are exposed to the guest without an in-kernel local APIC: dump_stack+0xbe/0xfd __kasan_report.cold+0x34/0x84 kasan_report+0x3a/0x50 __apic_accept_irq+0x3a/0x5c0 kvm_hv_send_ipi.isra.0+0x34e/0x820 kvm_hv_hypercall+0x8d9/0x9d0 kvm_emulate_hypercall+0x506/0x7e0 __vmx_handle_exit+0x283/0xb60 vmx_handle_exit+0x1d/0xd0 vcpu_enter_guest+0x16b0/0x24c0 vcpu_run+0xc0/0x550 kvm_arch_vcpu_ioctl_run+0x170/0x6d0 kvm_vcpu_ioctl+0x413/0xb20 __se_sys_ioctl+0x111/0x160 do_syscal1_64+0x30/0x40 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode can't be modified after vCPUs are created, i.e. if one vCPU has an in-kernel local APIC, then all vCPUs have an in-kernel local APIC.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Kernel | ||
| >=4.20<6.1.129 | ||
| >=6.2<6.6.79 | ||
| >=6.7<6.12.16 | ||
| >=6.13<6.13.4 | ||
| =6.14-rc1 | ||
| =6.14-rc2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
- https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
- https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
- https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69
- https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
- https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
- https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a
Frequently Asked Questions
What is the severity of CVE-2025-21779?
CVE-2025-21779 has a moderate severity level that affects the Linux kernel's handling of Hyper-V's SEND_IPI hypercalls.
How do I fix CVE-2025-21779?
To fix CVE-2025-21779, update your Linux kernel to the latest version where this vulnerability has been addressed.
Which software versions are affected by CVE-2025-21779?
CVE-2025-21779 affects the versions of Linux kernel prior to the patch that resolves this specific vulnerability.
What types of attacks can CVE-2025-21779 facilitate?
CVE-2025-21779 could potentially be exploited to enable unauthorized access to the APIC, impacting virtualization security.
Is CVE-2025-21779 a hardware or software vulnerability?
CVE-2025-21779 is a software vulnerability within the Linux kernel's virtualization implementation.
- agent/first-publish-date
- agent/type
- agent/title
- agent/author
- agent/source
- agent/description
- agent/remedy
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/event
- agent/references
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/guess-ai
- agent/software-canonical-lookup-request
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.20
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.13
- version/linux kernel/6.14-rc1
- version/linux kernel/6.14-rc2