VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2025-68810

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot

Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was initially created with a guest_memfd binding, as KVM doesn't support toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.

Failure to reject the new memslot results in a use-after-free due to KVM not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY change is easy enough, and can/will be done as a hardening measure (in anticipation of KVM supporting dirty logging on guest_memfd at some point), but fixing the use-after-free would only address the immediate symptom.

==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745

CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
 dump_stack_lvl+0x51/0x60
 print_report+0xcb/0x5c0
 kasan_report+0xb4/0xe0
 kvm_gmem_release+0x362/0x400 [kvm]
 __fput+0x2fa/0x9d0
 task_work_run+0x12c/0x200
 do_exit+0x6ae/0x2100
 do_group_exit+0xa8/0x230
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0x737/0x740
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31

Allocated by task 745 on cpu 6 at 9.746971s:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x13/0x50
 __kasan_kmalloc+0x77/0x90
 kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
 kvm_vm_ioctl+0x14b0/0x3290 [kvm]
 __x64_sys_ioctl+0x129/0x1a0
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 745 on cpu 6 at 9.747467s:
 kasan_save_stack+0x20/0x40
 kasan_save_track+0x13/0x50
 __kasan_save_free_info+0x37/0x50
 __kasan_slab_free+0x3b/0x60
 kfree+0xf5/0x440
 kvm_set_memslot+0x3c2/0x1160 [kvm]
 kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
 kvm_vm_ioctl+0x14b0/0x3290 [kvm]
 __x64_sys_ioctl+0x129/0x1a0
 do_syscall_64+0x5b/0x900
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel KVM allows clearing KVM_MEM_GUEST_MEMFD flag on existing memslot, leading to use-after-free via dangling guest_memfd reference.

Root Cause

A flaw in KVM's memslot update logic lets userspace clear the KVM_MEM_GUEST_MEMFD flag on a memslot that was created with a guest_memfd binding. Enabling the flag on an existing memslot is correctly rejected, but the reverse direction is never validated, so a request that differs from the existing slot only in that flag is classified as an ordinary flags-only update. KVM then replaces the memslot without unbinding the old one from the guest_memfd instance, leaving the guest_memfd holding a pointer to a memslot that has been freed [1].

Exploitation

An attacker who holds a KVM VM file descriptor, and so can issue KVM_SET_USER_MEMORY_REGION and KVM_SET_USER_MEMORY_REGION2 ioctls, reaches the use-after-free as follows:

1. Create a guest_memfd with KVM_CREATE_GUEST_MEMFD and bind it to a new memslot by calling KVM_SET_USER_MEMORY_REGION2 with KVM_MEM_GUEST_MEMFD set and the guest_memfd fd in the request. This is the allocation in the KASAN report (kvm_set_memory_region).

2. Re-submit the same slot number with the same guest physical address, size and userspace address, but with flags that lack KVM_MEM_GUEST_MEMFD. Because only the flags differ, KVM classifies the request as a flags-only change, and nothing in that path checks whether the flag that changed was KVM_MEM_GUEST_MEMFD. The legacy KVM_SET_USER_MEMORY_REGION suffices for this step, since its request cannot carry the flag at all.

3. KVM installs a replacement memslot and frees the old one (the kfree in kvm_set_memslot in the report) without unbinding it from the guest_memfd, so the guest_memfd's record of bound memslots still points at the freed object. When the guest_memfd file is later closed (in the report, at process exit via __fput), kvm_gmem_release walks its bound memslots to clear each one's file reference and performs an 8-byte write into the freed slab object [1].

Impact

Successful exploitation corrupts kernel memory: the write lands in a freed slab object that may already have been reallocated, so the immediate result is a kernel crash (the KASAN report) and, on a kernel without KASAN, silent corruption of whatever now occupies that slab slot. Turning the 8-byte write into privilege escalation would require controlling what is reallocated into the freed memslot, which the advisory does not demonstrate. The prerequisites are low: the reproducer in the report ran as UID 1000, i.e. an unprivileged user who could open /dev/kvm, create a VM and a guest_memfd, and issue the memory-region ioctls [1].

Mitigation

The fix [1] rejects any update to an existing memslot that would toggle KVM_MEM_GUEST_MEMFD, so clearing the flag is now refused just as setting it already was; a memslot created with a guest_memfd binding can only be deleted, never converted in place. The commit message notes that unbinding the old slot from the guest_memfd on a flags-only change is a separate hardening step that would remove the use-after-free but not the underlying unsupported transition. The advisory does not name the first fixed release; the KASAN report was produced on a 6.18.0-rc6-based linux-next build, so kernels with guest_memfd support at that level that lack the commit should be treated as affected until the fix is backported [1].
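The root cause, the flags-only update and the fix are small enough to model directly. The following C program is an added example, not kernel code and not the patch: it mirrors the existing-slot validation of __kvm_set_memory_region with a `fixed` switch that adds the new check, models the guest_memfd binding as a small array of memslot pointers, and shows that the pre-fix path accepts the flag clear as a flags-only change and frees the old slot while the gmem still points at it, whereas the fixed path returns -EINVAL and an unrelated flags-only change (enabling dirty logging) is still accepted. The struct layouts, the mr_change enum names, the sample addresses and the 4 KiB page size are this example's assumptions; the flag values are the real UAPI ones. The binding is checked before the free, so the program demonstrates the dangling pointer without performing a stale access itself.

```c
/* Model of KVM's "modify an existing memslot" validation before and after the
 * fix for CVE-2025-68810, plus the guest_memfd binding a freed memslot is left
 * on.  Added example, not kernel code: struct layouts, enum names, sample
 * addresses and the 4 KiB page size are assumptions; flag values are UAPI. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KVM_MEM_LOG_DIRTY_PAGES (1UL << 0)   /* values from <linux/kvm.h> */
#define KVM_MEM_READONLY        (1UL << 1)
#define KVM_MEM_GUEST_MEMFD     (1UL << 2)
#define PAGE_SHIFT 12                        /* assumption: 4 KiB pages */

struct memslot    { uint32_t slot, flags; uint64_t base_gfn, npages, userspace_addr; };
struct region_req { uint32_t slot, flags; uint64_t guest_phys_addr, memory_size, userspace_addr; };
enum mr_change { MR_MOVE = 1, MR_FLAGS_ONLY, MR_NOOP };   /* modeled, not the kernel's enum */

/* Classify an update to an existing slot: an mr_change or -EINVAL.  `fixed`
 * selects the pre- or post-fix check set. */
static int classify_modify(const struct memslot *old, const struct region_req *req, bool fixed)
{
    uint64_t npages = req->memory_size >> PAGE_SHIFT;
    uint64_t base_gfn = req->guest_phys_addr >> PAGE_SHIFT;
    if (req->flags & KVM_MEM_GUEST_MEMFD)                 /* pre-existing: enabling is rejected */
        return -EINVAL;
    if (fixed && ((req->flags ^ old->flags) & KVM_MEM_GUEST_MEMFD))
        return -EINVAL;                                   /* the fix: the bit may not toggle */
    if (req->userspace_addr != old->userspace_addr || npages != old->npages ||
        ((req->flags ^ old->flags) & KVM_MEM_READONLY))
        return -EINVAL;
    if (base_gfn != old->base_gfn)
        return MR_MOVE;
    return req->flags != old->flags ? MR_FLAGS_ONLY : MR_NOOP;
}

/* Constructed sample slot and request: gfn 0x10, 4 pages, same hva; only flags vary. */
static struct memslot make_slot(uint32_t f) { return (struct memslot){ 0, f, 0x10, 4, 0x7f0000000000ULL }; }
static struct region_req make_req(uint32_t f) { return (struct region_req){ 0, f, 0x10000, 0x4000, 0x7f0000000000ULL }; }

/* A guest_memfd instance tracks the memslots bound to it; on release it writes
 * through each pointer to clear that slot's file reference. */
struct gmem { const struct memslot *bound[4]; int nbound; };

static bool gmem_is_bound(const struct gmem *g, const struct memslot *s)
{
    for (int i = 0; i < g->nbound; i++)
        if (g->bound[i] == s)
            return true;
    return false;
}

/* The sequence from the Exploitation section against the model: a slot created
 * with KVM_MEM_GUEST_MEMFD and bound to a gmem is re-submitted with the flag
 * cleared.  Stores the classification in *rc_out; returns true when the update
 * goes through as FLAGS_ONLY and the old slot is freed while the gmem still
 * points at it, i.e. the pointer kvm_gmem_release() later writes through. */
static bool toggle_leaves_dangling_binding(bool fixed, int *rc_out)
{
    struct memslot *old = malloc(sizeof(*old));
    struct gmem g = { 0 };
    *old = make_slot(KVM_MEM_GUEST_MEMFD);
    g.bound[g.nbound++] = old;                            /* kvm_gmem_bind() at creation */
    struct region_req req = make_req(0);                  /* flag cleared, all else identical */
    int rc = classify_modify(old, &req, fixed);
    if (rc_out)
        *rc_out = rc;
    if (rc != MR_FLAGS_ONLY) {                            /* rejected: the binding stays valid */
        free(old);
        return false;
    }
    /* FLAGS_ONLY: a replacement slot takes over and the old one is kfree()d
     * (kvm_set_memslot in the report); nothing unbinds it from the gmem. */
    bool dangling = gmem_is_bound(&g, old);               /* checked before the free: no stale deref */
    free(old);
    return dangling;
}
static int toggle_rc(bool fixed) { int rc = 0; toggle_leaves_dangling_binding(fixed, &rc); return rc; }

/* A normal flags-only change (enabling dirty logging on a non-gmem slot) must
 * still be accepted after the fix, which only pins KVM_MEM_GUEST_MEMFD. */
static int dirty_log_toggle_rc(bool fixed)
{
    struct memslot old = make_slot(0);
    struct region_req req = make_req(KVM_MEM_LOG_DIRTY_PAGES);
    return classify_modify(&old, &req, fixed);
}

int main(void)
{
    int rc;
    bool d = toggle_leaves_dangling_binding(false, &rc);
    printf("pre-fix : rc=%d dangling binding=%d\n", rc, d);
    d = toggle_leaves_dangling_binding(true, &rc);
    printf("post-fix: rc=%d dangling binding=%d (dirty-log toggle rc=%d, FLAGS_ONLY=%d)\n",
           rc, d, dirty_log_toggle_rc(true), MR_FLAGS_ONLY);
    return 0;
}
```

Build with `cc -Wall` and run. Against a real kernel the same three-step ioctl sequence is the reproducer, and because the toggle being accepted is itself the trigger, probing a host for the fix this way should only be done on a throwaway test system.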

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3
