CVE Catalog

CVE-2025-40300

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

In the Linux kernel, a conditional IBPB mitigation was added for the VMSCAPE vulnerability, which exploits weak branch predictor isolation between a guest and userspace hypervisor (e.g., QEMU). The patch issues an IBPB after VMexit before returning to userspace, improving security but potentially impacting performance in workloads with frequent hypervisor-userspace switches.

Risk Assessment

The organization is at risk of side-channel attacks where a malicious guest can influence the CPU branch predictor and then leak sensitive data from the hypervisor's userspace (e.g., QEMU). Without this patch, confidential information could be exposed between virtual machines and userspace processes.

Recommendation

Immediately update the Linux kernel to a version containing this patch (e.g., 6.13+ with appropriate backport). In environments with frequent hypervisor-userspace transitions, monitor performance and consider optimizations after the embargo lifts.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]

Vulnerability data from NVD (NIST) · CISA KEV · EPSS