CVE-2025-40300— x86/vmscape: Add conditional IBPB mitigation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-40300
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
x86/vmscape: Add conditional IBPB mitigation
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于分支预测器隔离不足,可能导致跨用户空间虚拟机攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-40300
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-40300
请登录查看更多情报信息。
Same Patch Batch · Linux · 2025-09-11 · 54 CVEs total
| CVE-2025-39774 | iio: adc: rzg2l_adc: Set driver data before enabling runtime PM | |
| CVE-2025-39791 | dm: dm-crypt: Do not partially accept write BIOs with zoned targets | |
| CVE-2025-39785 | drm/hisilicon/hibmc: fix irq_request()'s irq name variable is local | |
| CVE-2025-39788 | scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE | |
| CVE-2025-39787 | soc: qcom: mdt_loader: Ensure we don't read past the ELF header | |
| CVE-2025-39786 | iio: adc: ad7173: fix channels index for syscalib_mode | |
| CVE-2025-39789 | crypto: x86/aegis - Add missing error checks | |
| CVE-2025-39777 | crypto: acomp - Fix CFI failure due to type punning | |
| CVE-2025-39776 | mm/debug_vm_pgtable: clear page table entries at destroy_args() | |
| CVE-2025-39775 | mm/mremap: fix WARN with uffd that has remap events disabled | |
| CVE-2025-39779 | btrfs: subpage: keep TOWRITE tag until folio is cleaned | |
| CVE-2025-39773 | net: bridge: fix soft lockup in br_multicast_query_expired() | |
| CVE-2025-39772 | drm/hisilicon/hibmc: fix the hibmc loaded failed bug | |
| CVE-2025-39771 | regulator: pca9450: Use devm_register_sys_off_handler | |
| CVE-2025-39770 | net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM | |
| CVE-2025-39769 | bnxt_en: Fix lockdep warning during rmmod | |
| CVE-2025-39768 | net/mlx5: HWS, fix complex rules rehash error flow | |
| CVE-2025-39766 | net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit | |
| CVE-2025-39767 | LoongArch: Optimize module load time by optimizing PLT/GOT counting | |
| CVE-2025-39765 | ALSA: timer: fix ida_free call while not allocated |
Showing top 20 of 54 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2025-40300
No comments yet