CVE Record

CVE-2025-40300: x86/vmscape: Add conditional IBPB mitigation

In the Linux kernel, the following vulnerability has been resolved:

x86/vmscape: Add conditional IBPB mitigation

VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo.

[ dhansen: elaborate on suboptimal IBPB solution ]

Severity: Unknown · CVSS: not scored · Not KEV-listed

Glexia's Take: moderate

Analyst readout for executives and security teams

Plain-English summary

CVE-2025-40300 is a Linux kernel issue affecting virtualization isolation. A malicious guest may influence CPU branch prediction used by a userspace hypervisor such as QEMU. The kernel fix adds a protective branch-predictor flush when returning from a VM exit. Business impact is mainly for organizations running untrusted or multi-tenant virtual machines.

Executive priority

Treat as a targeted virtualization-host priority, not a broad emergency. Patch shared or untrusted VM infrastructure promptly, while coordinating performance testing because the mitigation can add overhead in some workloads.

Technical view

VMSCAPE involves insufficient branch predictor isolation between a guest and a userspace hypervisor. The resolved Linux change conditionally issues an IBPB after a VMexit and before returning to userspace. The CVE notes that existing mitigations already protect the kernel/KVM, while this change protects userspace consumers of poisoned predictors. VMexit-heavy workloads may see overhead.

Likely exposure

Exposure is most relevant on Linux virtualization hosts using userspace hypervisors like QEMU, especially where guests are untrusted or multi-tenant. General Linux systems not hosting VMs are less likely to be exposed based on the provided description.

Exploitation context

The provided sources do not show active exploitation, and the CVE is not listed as KEV. Exploitation would be specialized: a malicious guest attempting a branch-prediction side channel against userspace hypervisor context after VM exits.

Researcher notes

The fix is intentionally conditional and not integrated with existing IBPB sites. The CVE text notes possible duplicated IBPB with speculation-control prctl context-switch behavior, with optimization intended post-embargo. Affected-version details in the source bundle are incomplete and should be validated against vendor kernels.

Mitigation direction

  • Apply vendor Linux kernel updates that include the VMSCAPE conditional IBPB mitigation.
  • Prioritize multi-tenant virtualization hosts and systems running untrusted guest workloads.
  • Review Debian LTS advisories if using affected Debian kernel packages.
  • Plan performance testing for VMexit-heavy workloads after applying the mitigation.
  • For unsupported kernels, consult the OS or kernel vendor for backport guidance.

Validation and detection

  • Inventory Linux hosts running KVM/QEMU or similar userspace hypervisor stacks.
  • Compare installed kernel builds against vendor advisories and referenced stable commits.
  • Confirm the kernel includes the conditional IBPB after VMexit mitigation.
  • Check distribution security notices for package-specific fixed versions.
  • Monitor virtualization performance after patching, especially frequent VMexit workloads.
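
The "compare installed kernel builds" and "confirm the kernel includes the mitigation" steps above, as an added POSIX shell example that is not part of the CVE record or Glexia's readout. It assumes the stable versions in the record's affected table (5.10.244, 5.15.193, 6.1.152, 6.6.106, 6.12.47, 6.16.7, 6.17) are the first fixed release of each branch, and that the kernel reports VMSCAPE status at /sys/devices/system/cpu/vulnerabilities/vmscape; both are assumptions, and vendor kernels with backports need the sysfs check rather than the version check.

```shell
# Added example, not code from the CVE record or Glexia's readout. Assumes the
# stable versions in the record's affected table are the first fixed release of
# each branch (the usual lessThan reading of Linux CNA records), and that
# /sys/devices/system/cpu/vulnerabilities/vmscape is the kernel's report file.

# First fixed release per stable branch, from the record; 6.17 is mainline.
FIXED_VERSIONS="5.10.244 5.15.193 6.1.152 6.6.106 6.12.47 6.16.7 6.17.0"

# version_ge A B: succeed if dotted numeric version A >= B (missing parts = 0).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); [ -n "$x" ] || x=0
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); [ -n "$y" ] || y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# kernel_fix_status VERSION: print fixed, affected or unlisted for a string such
# as "6.6.110-1-amd64" (distro suffix stripped). Vendor kernels that backport the
# fix without a version bump show as affected/unlisted; sysfs is authoritative.
kernel_fix_status() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    branch=$(printf '%s\n' "$v" | cut -d. -f1,2)
    for f in $FIXED_VERSIONS; do
        if [ "$(printf '%s\n' "$f" | cut -d. -f1,2)" = "$branch" ]; then
            if version_ge "$v" "$f"; then echo fixed; else echo affected; fi
            return 0
        fi
    done
    # Branch not in the record: mainline 6.17+ has the fix; others need vendor advisories.
    if version_ge "$v" "6.17.0"; then echo fixed; else echo unlisted; fi
}

# sysfs_vmscape_status: print the kernel's own VMSCAPE report, or a marker when
# the running kernel predates that report (assumed path, see header comment).
sysfs_vmscape_status() {
    f=/sys/devices/system/cpu/vulnerabilities/vmscape
    if [ -r "$f" ]; then cat "$f"; else echo no-sysfs-entry; fi
}

running=$(uname -r 2>/dev/null || echo unknown)
echo "kernel $running: $(kernel_fix_status "$running")"
echo "sysfs vmscape: $(sysfs_vmscape_status)"
# KVM hosts are where the exposure applies; a loaded kvm module is the quick tell.
if grep -qs '^kvm ' /proc/modules; then echo "kvm loaded: host exposure applies"; fi
```

Run it on each inventoried host; an "affected" or "unlisted" version result paired with "no-sysfs-entry" means the kernel neither matches a listed fixed release nor reports the mitigation, so the vendor advisory is the next check.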

Prepared · Confidence: medium · Sources: 6

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

CVE-2025-40300 mapping review (cve · low confidence lookup)

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Vulnerability profile (CVE Program record)

  • Severity: Unknown
  • CVSS: Not scored
  • Known Exploited: No
  • Published

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

  • 0 CVSS vectors
  • 3 Timeline events
  • 3 ADP providers
  • 22 Source links

SSVC decision data

  • Provider: CISA-ADP (CISA Coordinator)
  • Timestamp
  • Version: 2.0.3
  • Exploitation: none
  • Automatable: no
  • Technical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved (CVE Program): the CVE ID was reserved by the assigning CNA.
  2. CVE published (CVE Program): the CVE record was published.
  3. CVE updated (CVE Program): the CVE record metadata indicates this as the latest update time.

ADP provider summaries

  • CVE Program container (CVE)
  • siemens-SADP ADP container
  • CISA-ADP CISA ADP Vulnrichment (other:ssvc)

Source materials

Affected products

Products and packages named in the record

Vendor   Product   Version / package                                                                                                                                  Status
Linux    Linux     15d45071523d89b3fb7372e2135fbd72f6af9506 (repeated in the record), c51f1e5f57cca88d8d5894b6fad1638f643a99d0, 4b3870c343a82cd2df7192cc5149c87205dcc611, 3.16.57, 4.4.168   unaffected
Linux    Linux     4.16, 0, 5.10.244, 5.15.193, 6.1.152, 6.6.106, 6.12.47, 6.16.7, 6.17                                                                                 affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.