CVE-2025-39823
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: use array_index_nospec with indices that come from guest
min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KVM x86 fails to use array_index_nospec for guest-controlled indices, enabling speculative side-channel attacks that may leak host kernel memory.
Vulnerability
Details
The Linux kernel's KVM subsystem for x86 contains a vulnerability where guest-controlled indices (min and dest_id) used in interrupt delivery are not protected against speculative execution side-channels. The fix adds array_index_nospec() after bounds checks to clamp these values, mitigating potential information disclosure via Spectre-type attacks [1].
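The check-then-clamp pattern described above, as an added userspace example (not the kernel patch and not KVM code). The table, `NR_DESTS`, `lookup_dest`, `index_nospec` and `index_mask_nospec` are hypothetical names; the mask arithmetic models the kernel's generic C fallback for array_index_nospec().

```c
#include <stdio.h>

#define NR_DESTS 8  /* constructed table size, not a KVM constant */

/* Constructed stand-in for a table indexed by a guest-supplied value. */
static const int dest_table[NR_DESTS] = {10, 11, 12, 13, 14, 15, 16, 17};

/*
 * All-ones when index < size, zero otherwise, computed without a branch
 * so there is no bounds-check prediction for the CPU to speculate past.
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * values (true for GCC and Clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Keep the compiler from turning the arithmetic back into a branch. */
    __asm__ volatile("" : "+r"(index));
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * 8 - 1));
}

/* Returns index unchanged when in range, 0 when out of range. */
static unsigned long index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Returns 0 and stores the entry on success, -1 if the index is rejected. */
static int lookup_dest(unsigned long guest_idx, int *out)
{
    if (guest_idx >= NR_DESTS)          /* architectural bounds check */
        return -1;
    /* Clamp after the check: a mispredicted branch now reads slot 0. */
    guest_idx = index_nospec(guest_idx, NR_DESTS);
    *out = dest_table[guest_idx];
    return 0;
}

int main(void)
{
    int v = 0;
    int rc = lookup_dest(5, &v);
    printf("in range:  rc=%d v=%d\n", rc, v);
    printf("too large: rc=%d\n", lookup_dest(4096, &v));
    printf("clamp(4096, %d) = %lu\n", NR_DESTS, index_nospec(4096, NR_DESTS));
    return 0;
}
```

The bounds check alone decides what the function returns; the clamp only changes which slot is touched if the CPU runs ahead down the wrong side of that check.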
Exploitation
An attacker with the ability to run code inside a guest VM can supply crafted values for these indices. While bounds checks are performed, speculative execution may bypass them, allowing an attacker to infer sensitive host kernel memory contents through timing or cache side-channels. No additional privileges are required beyond guest access.
Impact
Successful exploitation could lead to the disclosure of host kernel memory, potentially exposing cryptographic keys, passwords, or other sensitive data. The CVSS score of 7.8 (High) reflects the significant confidentiality impact.
Mitigation
The fix has been applied in the Linux kernel stable tree via commits [2][3][4]. Users should update to the latest kernel version. The Siemens advisory [1] lists this CVE among affected products, indicating that embedded systems using the kernel may also require patching.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Linux/Linux v5 Range: 4.19
Patches (0)
No patches discovered yet.
References (11)
- git.kernel.org/stable/c/31a0ad2f60cb4816e06218b63e695eb72ce74974 (nvd, Patch)
- git.kernel.org/stable/c/33e974c2d5a82b2f9d9ba0ad9cbaabc1c8e3985f (nvd, Patch)
- git.kernel.org/stable/c/67a05679621b7f721bdba37a5d18665d3aceb695 (nvd, Patch)
- git.kernel.org/stable/c/72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48 (nvd, Patch)
- git.kernel.org/stable/c/c87bd4dd43a624109c3cc42d843138378a7f4548 (nvd, Patch)
- git.kernel.org/stable/c/d51e381beed5e2f50f85f49f6c90e023754efa12 (nvd, Patch)
- git.kernel.org/stable/c/f49161646e03d107ce81a99c6ca5da682fe5fb69 (nvd, Patch)
- git.kernel.org/stable/c/f57a4bd8d6cb5af05b8ac1be9098e249034639fb (nvd, Patch)
- lists.debian.org/debian-lts-announce/2025/10/msg00007.html (nvd, Mailing List, Third Party Advisory)
- lists.debian.org/debian-lts-announce/2025/10/msg00008.html (nvd, Mailing List, Third Party Advisory)
- cert-portal.siemens.com/productcert/html/ssa-032379.html (nvd)
News mentions (1)
- Siemens SIMATIC (CISA ICS Advisories)