LiveActive security incident?Get immediate response
CVE Record

CVE-2025-23141: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses Acquire a lock on kvm->srcu when userspace is getting MP state to handle a rather extreme edge case where "accepting" APIC events, i.e. processing pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP state will trigger a nested VM-Exit by way of ->check_nested_events(), and emuating the nested VM-Exit can access guest memory. The splat was originally hit by syzkaller on a Google-internal kernel, and reproduced on an upstream kernel by hacking the triple_fault_event_test selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario. ============================= WARNING: suspicious RCU usage 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted ----------------------------- include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by triple_fault_ev/1256: #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm] stack backtrace: CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: <TASK> dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x144/0x190 kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] read_and_check_msr_entry+0x2e/0x180 [kvm_intel] __nested_vmx_vmexit+0x550/0xde0 [kvm_intel] kvm_check_nested_events+0x1b/0x30 [kvm] kvm_apic_accept_events+0x33/0x100 [kvm] kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm] kvm_vcpu_ioctl+0x33e/0x9a0 [kvm] __x64_sys_ioctl+0x8b/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK>

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This Linux kernel KVM issue is a narrow virtualization bug. In an unusual nested-VM state, asking a vCPU for multiprocessing state can access guest memory without the expected SRCU protection. Sources show kernel stable fixes, but no CVSS score or active exploitation evidence.

Executive priority

Treat this as a targeted kernel maintenance item for virtualization infrastructure, not an internet-wide emergency. Patch KVM hosts through normal security update processes, with higher priority for shared virtualization, cloud, or nested-VM environments.

Technical view

KVM x86 KVM_GET_MP_STATE can process pending APIC INIT/SIPI events and nested VM-exit handling. In a specific L2 INIT plus TRIPLE_FAULT request scenario, VMX nested exit emulation may read guest memory without holding kvm->srcu, triggering suspicious RCU usage.

Likely exposure

Exposure is most relevant to Linux systems running KVM, especially hosts supporting nested virtualization or management tooling that calls KVM_GET_MP_STATE. Non-KVM systems are not indicated as exposed by the source bundle.

Exploitation context

The issue was found by syzkaller on a Google-internal kernel and reproduced with a modified upstream KVM selftest. The bundle does not cite public exploitation, weaponized proof-of-concept activity, KEV listing, or real-world incidents.

Researcher notes

The evidence describes a missing SRCU read-side lock around guest memory access reachable through KVM_GET_MP_STATE in an extreme nested event path. Impact beyond lockdep warning is not quantified in the provided sources, so severity and exploitability remain uncertain.

Mitigation direction

  • Apply vendor kernel updates that include the referenced KVM stable fixes.
  • Prioritize virtualization hosts and nested-virtualization test environments.
  • Check distribution advisories, including Debian LTS guidance where applicable.
  • Avoid ad hoc kernel patching without vendor validation.
  • Track upstream stable kernels for the relevant maintained branch.

Validation and detection

  • Inventory Linux hosts running KVM or nested virtualization.
  • Compare running kernel versions against vendor fixed packages or upstream stable commits.
  • Confirm CVE-2025-23141 is addressed in distribution security metadata.
  • Review hypervisor fleets for unsupported or stale kernel branches.
  • Run regression tests for VM lifecycle and nested virtualization after patching.
Prepared
Confidence
medium
Sources
10

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2025-23141 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
9Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40, 1c96dcceaeb3a99aaf0d548eef2223e0b02a7e40unaffected
LinuxLinux5.11, 0, 5.15.209, 6.1.135, 6.6.88, 6.12.24, 6.13.12, 6.14.3, 6.15affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.