VYPR · NVD Advisory · Unrated severity · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40122

Description

In the Linux kernel, the following vulnerability has been resolved:

perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error

When running perf_fuzzer on PTL, sometimes the below "unchecked MSR access error" is seen when accessing IA32_PMC_x_CFG_B MSRs.

[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)
[ 55.611280] Call Trace:
[ 55.611282]
[ 55.611284] ? intel_pmu_config_acr+0x87/0x160
[ 55.611289] intel_pmu_enable_acr+0x6d/0x80
[ 55.611291] intel_pmu_enable_event+0xce/0x460
[ 55.611293] x86_pmu_start+0x78/0xb0
[ 55.611297] x86_pmu_enable+0x218/0x3a0
[ 55.611300] ? x86_pmu_enable+0x121/0x3a0
[ 55.611302] perf_pmu_enable+0x40/0x50
[ 55.611307] ctx_resched+0x19d/0x220
[ 55.611309] __perf_install_in_context+0x284/0x2f0
[ 55.611311] ? __pfx_remote_function+0x10/0x10
[ 55.611314] remote_function+0x52/0x70
[ 55.611317] ? __pfx_remote_function+0x10/0x10
[ 55.611319] generic_exec_single+0x84/0x150
[ 55.611323] smp_call_function_single+0xc5/0x1a0
[ 55.611326] ? __pfx_remote_function+0x10/0x10
[ 55.611329] perf_install_in_context+0xd1/0x1e0
[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10
[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040
[ 55.611336] __x64_sys_perf_event_open+0x26/0x30
[ 55.611337] x64_sys_call+0x1d8e/0x20c0
[ 55.611339] do_syscall_64+0x4f/0x120
[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e

On PTL, GP counters 0 and 1 don't support the auto counter reload feature, so a #GP is triggered when trying to write 1 to bit 0 of a CFG_B MSR, which requests enabling auto counter reload on GP counter 0.

The root cause of this issue is that the check of the auto counter reload (ACR) counter mask from user space is incorrect in the intel_pmu_acr_late_setup() helper. As a result, an invalid ACR counter mask from user space could be set into hw.config1, then written into the CFG_B MSRs and trigger the MSR access warning.

e.g., a user may create a perf event with an ACR counter mask (config2=0xcb), and there is only 1 event created, so "cpuc->n_events" is 1.

The correct check condition should be "i + idx >= cpuc->n_events" instead of "i + idx > cpuc->n_events" (it looks like a typo). Otherwise, the counter mask would be traversed twice and an invalid "cpuc->assign[1]" bit (bit 0) is set into hw.config1, causing the MSR access error.

Besides, also check if the events corresponding to the ACR counter mask are ACR events. If not, filter out those counter mask bits. If an event is not an ACR event, it could be scheduled to an HW counter which doesn't support ACR. It's invalid to add its counter index to the ACR counter mask.

Furthermore, remove the WARN_ON_ONCE() since it's easily triggered, as a user could set any invalid ACR counter mask, and the warning message could mislead users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel perf/x86/intel: incorrect ACR counter mask check leads to MSR access error (#GP) when enabling events on PTL.

Vulnerability

Description

In the Linux kernel, a flaw in the perf/x86/intel subsystem's handling of auto counter reload (ACR) for performance monitoring counters on certain Intel processors (e.g., PTL) allows an attacker to trigger a general protection fault (#GP). The root cause is an incorrect validation of the ACR counter mask in the intel_pmu_acr_late_setup() helper function. On PTL, GP counters 0 and 1 do not support the ACR feature, but the kernel's check fails to exclude them, enabling a user-supplied mask that includes these counters to be written into the IA32_PMC_x_CFG_B MSRs. Writing bit 0 (enable ACR) to a counter that does not support ACR causes a #GP, resulting in an "unchecked MSR access error" warning [1].

Exploitation

An attacker with local access and the ability to open performance monitoring events via the perf_event_open syscall can exploit this vulnerability. By crafting a perf_event_attr structure with an invalid ACR mask that includes GP counters 0 or 1, the attacker causes the kernel to write an invalid value to the CFG_B MSR during event configuration. No special privileges beyond those required for perf_event_open (typically CAP_PERFMON or CAP_SYS_ADMIN) are needed. The attack is triggered when the kernel attempts to enable the event, as shown in the call trace from the description.

Impact

The primary impact is a denial of service condition. The #GP and subsequent kernel warning can cause system instability, log flooding, or potentially a system crash. The vulnerability does not appear to allow privilege escalation or information disclosure based on the available information.

Mitigation

The fix is included in the Linux kernel commit referenced [1]. Users should apply the patch or update to a kernel version that includes this commit. The fix corrects the ACR counter mask validation to properly check which counters support ACR, preventing invalid masks from being written to the MSRs.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
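The bounds check the commit message describes (the ">" versus ">=" condition on "i + idx" and the added filter for non-ACR events) and the fix summarised in the Mitigation paragraph above, modelled in C as an added illustration. This is not the kernel's code or the patch: the struct layout, the is_acr flags, the sample assign[] values and the PTL capability mask are constructed assumptions that only mirror the names cpuc->n_events, cpuc->assign[] and hw.config1 used in the description, and the capability mask follows the statement that GP counters 0 and 1 on PTL lack ACR.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define X86_PMC_IDX_MAX 64

/* Simplified model of the per-CPU scheduling state the commit message
 * refers to. Layout is an assumption for illustration, not the kernel's
 * struct cpu_hw_events. */
struct model_cpuc {
    int n_events;                  /* number of events actually scheduled */
    int assign[X86_PMC_IDX_MAX];   /* hw counter index chosen for each event slot */
    bool is_acr[X86_PMC_IDX_MAX];  /* does the event in that slot belong to an ACR group? */
};

/* Translate a user ACR counter mask (attr.config2, relative to the group's
 * first event at slot i) into the absolute hw counter mask that ends up in
 * hw.config1 and later in CFG_B. use_fixed_check selects the corrected test. */
static uint64_t build_acr_config1(const struct model_cpuc *cpuc, int i,
                                  uint64_t config2, bool use_fixed_check)
{
    uint64_t config1 = 0;

    for (int idx = 0; idx < X86_PMC_IDX_MAX; idx++) {
        if (!(config2 & (1ULL << idx)))
            continue;

        if (use_fixed_check) {
            /* Fixed: slot i+idx must exist AND hold an ACR event. */
            if (i + idx >= cpuc->n_events || !cpuc->is_acr[i + idx])
                break;
        } else {
            /* Original: the off-by-one lets i+idx == n_events through and
             * reads a slot past the scheduled events (stale assign[] value). */
            if (i + idx > cpuc->n_events)
                break;
        }
        config1 |= 1ULL << cpuc->assign[i + idx];
    }
    return config1;
}

/* Defender-side sanity check: every counter in the mask must be one the
 * hardware can auto-reload. supported_acr_counters is a constructed mask. */
static bool acr_mask_supported(uint64_t config1, uint64_t supported_acr_counters)
{
    return (config1 & ~supported_acr_counters) == 0;
}

/* Scenario from the commit message: one event (n_events == 1) created with
 * config2 = 0xcb and scheduled on counter 2; slot 1 is not a scheduled event. */
static uint64_t scenario_single_event(bool use_fixed_check)
{
    struct model_cpuc cpuc = { .n_events = 1 };
    cpuc.assign[0] = 2;      /* constructed: event 0 landed on GP counter 2 */
    cpuc.assign[1] = 0;      /* constructed: stale slot, reads as counter 0 */
    cpuc.is_acr[0] = true;
    return build_acr_config1(&cpuc, 0, 0xcb, use_fixed_check);
}

/* Second case the fix covers: two scheduled events, but the neighbour is
 * not an ACR event, so its counter must not enter the ACR mask. */
static uint64_t scenario_non_acr_neighbour(bool use_fixed_check)
{
    struct model_cpuc cpuc = { .n_events = 2 };
    cpuc.assign[0] = 2;      /* constructed: ACR event on counter 2 */
    cpuc.assign[1] = 0;      /* constructed: plain event on counter 0 */
    cpuc.is_acr[0] = true;
    cpuc.is_acr[1] = false;
    return build_acr_config1(&cpuc, 0, 0xcb, use_fixed_check);
}

int main(void)
{
    /* Constructed PTL model: every counter except GP 0 and 1 supports ACR. */
    const uint64_t ptl_acr_counters = ~0x3ULL;
    const bool variants[] = { false, true };

    for (int v = 0; v < 2; v++) {
        uint64_t m1 = scenario_single_event(variants[v]);
        uint64_t m2 = scenario_non_acr_neighbour(variants[v]);
        printf("%s check: single-event mask 0x%llx (%s), non-ACR-neighbour mask 0x%llx (%s)\n",
               variants[v] ? "fixed" : "original",
               (unsigned long long)m1, acr_mask_supported(m1, ptl_acr_counters) ? "ok" : "hits unsupported counter",
               (unsigned long long)m2, acr_mask_supported(m2, ptl_acr_counters) ? "ok" : "hits unsupported counter");
    }
    return 0;
}
```

With the original condition both scenarios produce mask 0x5, i.e. counter 2 plus the spurious bit 0 that the commit message attributes to "cpuc->assign[1]"; on the modelled PTL that bit 0 is exactly the unsupported counter whose CFG_B write faults. With the corrected condition both produce 0x4, and the supported-counter check passes.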

Affected products (2)

  • Linux/Kernel (inferred, 2 versions, no CPE)

Patches: 2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)