CVE-2025-40038
Description
In the Linux kernel, the following vulnerability has been resolved:
KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid
Skip the WRMSR and HLT fastpaths in SVM's VM-Exit handler if the next RIP isn't valid, e.g. because KVM is running with nrips=false. SVM must decode and emulate to skip the instruction if the CPU doesn't provide the next RIP, and getting the instruction bytes to decode requires reading guest memory. Reading guest memory through the emulator can fault, i.e. can sleep, which is disallowed since the fastpath handlers run with IRQs disabled.
BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:106
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 32611, name: qemu
preempt_count: 1, expected: 0
INFO: lockdep is turned off.
irq event stamp: 30580
hardirqs last enabled at (30579): [] vcpu_run+0x1787/0x1db0 [kvm]
hardirqs last disabled at (30580): [] __schedule+0x1e2/0xed0
softirqs last enabled at (30570): [] fpu_swap_kvm_fpstate+0x44/0x210
softirqs last disabled at (30568): [] fpu_swap_kvm_fpstate+0x44/0x210
CPU: 298 UID: 0 PID: 32611 Comm: qemu Tainted: G U 6.16.0-smp--e6c618b51cfe-sleep #782 NONE
Tainted: [U]=USER
Hardware name: Google Astoria-Turin/astoria, BIOS 0.20241223.2-0 01/17/2025
Call Trace:
 dump_stack_lvl+0x7d/0xb0
 __might_resched+0x271/0x290
 __might_fault+0x28/0x80
 kvm_vcpu_read_guest_page+0x8d/0xc0 [kvm]
 kvm_fetch_guest_virt+0x92/0xc0 [kvm]
 __do_insn_fetch_bytes+0xf3/0x1e0 [kvm]
 x86_decode_insn+0xd1/0x1010 [kvm]
 x86_emulate_instruction+0x105/0x810 [kvm]
 __svm_skip_emulated_instruction+0xc4/0x140 [kvm_amd]
 handle_fastpath_invd+0xc4/0x1a0 [kvm]
 vcpu_run+0x11a1/0x1db0 [kvm]
 kvm_arch_vcpu_ioctl_run+0x5cc/0x730 [kvm]
 kvm_vcpu_ioctl+0x578/0x6a0 [kvm]
 __se_sys_ioctl+0x6d/0xb0
 do_syscall_64+0x8a/0x2c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f479d57a94b
Note, this is essentially a reapply of commit 5c30e8101e8d ("KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid"), but with different justification (KVM now grabs SRCU when skipping the instruction for other reasons).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
KVM SVM fastpath emulation on VM-Exit can trigger a kernel sleep-in-atomic bug when next RIP is invalid (nrips=false), enabling guest-to-host DoS.
Vulnerability
Overview
In the Linux kernel's KVM support for AMD SVM, the VM-Exit fastpath handlers for WRMSR and HLT finish by skipping the exiting instruction, which means advancing the guest RIP. When the CPU supplies the next RIP in the VMCB this is a register write. With the kvm_amd module running nrips=false (or whenever no valid next RIP is available), the CPU does not supply it, so skipping requires fetching and decoding the instruction through the x86 emulator. Fetching the instruction bytes reads guest memory, which may fault and therefore sleep, while the fastpath handlers run before IRQs are re-enabled after VM-Exit, a context in which sleeping is not allowed [1][2].
Exploitation
Conditions
Triggering the bug needs code running inside a guest at a privilege level that can execute WRMSR or HLT (both are privileged instructions, so guest kernel level), plus a host whose kvm_amd module runs with nrips=false, the configuration that forces KVM to skip instructions by decoding them through the emulator. Under those conditions a WRMSR or HLT exit that KVM handles in its fastpath reaches the emulator's guest-memory fetch with IRQs disabled, which is the sleeping function call in the trace [1]. On a running host the parameter is readable at /sys/module/kvm_amd/parameters/nrips; it defaults to 1 and is forced to 0 during module setup when the CPU lacks the nrip_save feature flag shown in /proc/cpuinfo.
Impact
A successful trigger hits the might_fault() check on the guest-memory read while IRQs are disabled. On a kernel built with CONFIG_DEBUG_ATOMIC_SLEEP this surfaces as the "BUG: sleeping function called from invalid context" splat shown in the description's call trace; without that debug option, a read that has to fault the guest page in actually sleeps in atomic context, which can hang the host. Either way the outcome is a guest-to-host denial of service; nothing in the description or references indicates privilege escalation [1][2].
Mitigation
The fix, landed as commits da2a3c231f7f2a5ac146d972b8c1d7d84aff6d70 and cd3efb93677c4b0cf76348882fb429165fee33fd, checks before running any fastpath handler that a valid next RIP is available, which it is not with nrips=false. When it is not, the fastpath returns without handling the exit, and the normal exit handler, which runs after IRQs have been re-enabled, performs the skip; there the emulator may fault on guest memory safely. The patch has been applied to the stable kernel tree [1][2].
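As an added illustration, and not KVM's code nor the fix commit itself, the C model below captures the decision the fix inserts: the fastpath runs with IRQs disabled, skipping an instruction without a CPU-supplied next RIP goes through the emulator's guest-memory fetch, and that fetch may sleep. It shows the dispatcher in its unfixed and fixed shapes side by side. Everything prefixed model_ is an assumption of this example; the fastpath outcome names mirror KVM's, and the two exit codes are the real SVM VMCB values.

```c
/*
 * Added illustration (not KVM's code and not the fix itself): a model of the
 * decision SVM's VM-Exit fastpath has to make when the CPU did not provide
 * the next RIP. Everything prefixed "model_" is an assumption of this
 * example; the exit codes are the real SVM VMCB values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of a fastpath handler, named as in KVM. */
enum fastpath_t {
	EXIT_FASTPATH_NONE,
	EXIT_FASTPATH_REENTER_GUEST,
};

/* SVM VMCB exit codes for the two intercepts the fastpath handles. */
#define SVM_EXIT_HLT 0x078
#define SVM_EXIT_MSR 0x07c

struct model_vcpu {
	bool nrips;		/* kvm_amd nrips= module parameter */
	uint64_t next_rip;	/* VMCB control.next_rip, 0 when not provided */
	uint64_t rip;
	uint64_t exit_code;
	bool irqs_disabled;	/* true while the fastpath runs */
	int sleep_in_atomic;	/* would-be "sleeping function called from invalid context" hits */
};

/* Stand-in for might_fault(): reading guest memory may sleep, which is a
 * bug whenever IRQs are disabled. */
static void model_might_fault(struct model_vcpu *v)
{
	if (v->irqs_disabled)
		v->sleep_in_atomic++;
}

/* Stand-in for x86_emulate_instruction(): a real decoder fetches the
 * instruction bytes from guest memory; this model has no guest memory, so
 * the length is chosen from the exit code (HLT is one byte, WRMSR two). */
static void model_emulate_skip(struct model_vcpu *v)
{
	model_might_fault(v);
	v->rip += (v->exit_code == SVM_EXIT_HLT) ? 1 : 2;
}

/* Shape of __svm_skip_emulated_instruction(): take the CPU-provided next
 * RIP when it exists, otherwise decode and emulate. */
static void model_skip_instruction(struct model_vcpu *v)
{
	if (v->nrips && v->next_rip)
		v->rip = v->next_rip;
	else
		model_emulate_skip(v);
}

/* Before the fix: the fastpath is entered on any WRMSR or HLT exit and
 * skips the instruction with IRQs still disabled. */
static enum fastpath_t model_fastpath_before(struct model_vcpu *v)
{
	switch (v->exit_code) {
	case SVM_EXIT_MSR:
	case SVM_EXIT_HLT:
		model_skip_instruction(v);
		return EXIT_FASTPATH_REENTER_GUEST;
	default:
		return EXIT_FASTPATH_NONE;
	}
}

/* After the fix: bail out unless the CPU supplied a valid next RIP, so the
 * exit reaches the normal handler, which runs after IRQs are re-enabled and
 * may legitimately fault on guest memory. */
static enum fastpath_t model_fastpath_after(struct model_vcpu *v)
{
	if (!v->nrips || !v->next_rip)
		return EXIT_FASTPATH_NONE;
	return model_fastpath_before(v);
}

/* Runs one VM-Exit through the chosen dispatcher and returns how many times
 * a guest-memory read would have slept with IRQs disabled (0 is the only
 * acceptable result). The fastpath verdict is stored in *fp when non-NULL. */
int model_exit(bool fixed, bool nrips, uint64_t next_rip, uint64_t exit_code,
	       enum fastpath_t *fp)
{
	struct model_vcpu v = {
		.nrips = nrips, .next_rip = next_rip, .rip = 0x1000,
		.exit_code = exit_code, .irqs_disabled = true,
	};
	enum fastpath_t verdict = fixed ? model_fastpath_after(&v)
					: model_fastpath_before(&v);

	if (fp)
		*fp = verdict;
	return v.sleep_in_atomic;
}

/* Fastpath verdict alone, for callers that only ask whether it was taken. */
enum fastpath_t model_verdict(bool fixed, bool nrips, uint64_t next_rip,
			      uint64_t exit_code)
{
	enum fastpath_t fp;

	model_exit(fixed, nrips, next_rip, exit_code, &fp);
	return fp;
}

int main(void)
{
	enum fastpath_t fp;
	int hits;

	/* nrips=false, WRMSR exit: the unfixed fastpath decodes with IRQs off. */
	hits = model_exit(false, false, 0, SVM_EXIT_MSR, &fp);
	printf("before fix, nrips=0: sleep-in-atomic hits=%d fastpath=%d\n", hits, fp);
	hits = model_exit(true, false, 0, SVM_EXIT_MSR, &fp);
	printf("after fix,  nrips=0: sleep-in-atomic hits=%d fastpath=%d\n", hits, fp);
	hits = model_exit(true, true, 0x1002, SVM_EXIT_MSR, &fp);
	printf("after fix,  nrips=1: sleep-in-atomic hits=%d fastpath=%d\n", hits, fp);
	return 0;
}
```

The unfixed dispatcher records one would-be sleep for the nrips=0 WRMSR exit, while the fixed one returns EXIT_FASTPATH_NONE without touching guest memory. The fixed check also declines the fastpath when nrips is enabled but the VMCB reports next_rip as 0, which __svm_skip_emulated_instruction() treats as "not provided" and therefore falls back to the emulator for.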
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 4
cd3efb93677c
f994e9c790ce
da2a3c231f7f
0910dd7c9ad4
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.