{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-30T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: Linux kernel KVM: Denial of Service due to uninitialized vCPU event handling",
    "id" : "2407325",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2407325"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-909",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: arm64: Prevent access to vCPU events before init\nAnother day, another syzkaller bug. KVM erroneously allows userspace to\npend vCPU events for a vCPU that hasn't been initialized yet, leading to\nKVM interpreting a bunch of uninitialized garbage for routing /\ninjecting the exception.\nIn one case the injection code and the hyp disagree on whether the vCPU\nhas a 32bit EL1 and put the vCPU into an illegal mode for AArch64,\ntripping the BUG() in exception_target_el() during the next injection:\nkernel BUG at arch/arm64/kvm/inject_fault.c:40!\nInternal error: Oops - BUG: 00000000f2000800 [#1]  SMP\nCPU: 3 UID: 0 PID: 318 Comm: repro Not tainted 6.17.0-rc4-00104-g10fd0285305d #6 PREEMPT\nHardware name: linux,dummy-virt (DT)\npstate: 21402009 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\npc : exception_target_el+0x88/0x8c\nlr : pend_serror_exception+0x18/0x13c\nsp : ffff800082f03a10\nx29: ffff800082f03a10 x28: ffff0000cb132280 x27: 0000000000000000\nx26: 0000000000000000 x25: ffff0000c2a99c20 x24: 0000000000000000\nx23: 0000000000008000 x22: 0000000000000002 x21: 0000000000000004\nx20: 0000000000008000 x19: ffff0000c2a99c20 x18: 0000000000000000\nx17: 0000000000000000 x16: 0000000000000000 x15: 00000000200000c0\nx14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\nx11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\nx8 : ffff800082f03af8 x7 : 0000000000000000 x6 : 0000000000000000\nx5 : ffff800080f621f0 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 000000000040009b x1 : 0000000000000003 x0 : ffff0000c2a99c20\nCall trace:\nexception_target_el+0x88/0x8c (P)\nkvm_inject_serror_esr+0x40/0x3b4\n__kvm_arm_vcpu_set_events+0xf0/0x100\nkvm_arch_vcpu_ioctl+0x180/0x9d4\nkvm_vcpu_ioctl+0x60c/0x9f4\n__arm64_sys_ioctl+0xac/0x104\ninvoke_syscall+0x48/0x110\nel0_svc_common.constprop.0+0x40/0xe0\ndo_el0_svc+0x1c/0x28\nel0_svc+0x34/0xf0\nel0t_64_sync_handler+0xa0/0xe4\nel0t_64_sync+0x198/0x19c\nCode: f946bc01 b4fffe61 9101e020 17fffff2 (d4210000)\nReject the ioctls outright as no sane VMM would call these before\nKVM_ARM_VCPU_INIT anyway. Even if it did the exception would've been\nthrown away by the eventual reset of the vCPU's state.", "A flaw was found in the Linux kernel's Kernel-based Virtual Machine (KVM) for the ARM64 architecture. A local user with access to /dev/kvm can trigger this vulnerability by setting virtual CPU (vCPU) events (the KVM_SET_VCPU_EVENTS ioctl, reached via __kvm_arm_vcpu_set_events in the trace above) on a vCPU that has not yet been initialized with KVM_ARM_VCPU_INIT. KVM then interprets uninitialized vCPU state when routing the injected exception, which can put the vCPU into an illegal mode and trip a kernel BUG(), crashing the host and resulting in a denial of service. The fix rejects these ioctls on an uninitialized vCPU." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40102\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40102\nhttps://lore.kernel.org/linux-cve-announce/2025103017-CVE-2025-40102-c7d2@gregkh/T" ],
  "name" : "CVE-2025-40102",
  "mitigation" : {
    "value" : "If virtualization is not required on ARM64 systems, the `kvm_arm64` kernel module can be prevented from loading to mitigate this vulnerability. This can be achieved by creating a modprobe configuration file:\n```bash\necho \"install kvm_arm64 /bin/true\" > /etc/modprobe.d/disable-kvm_arm64.conf\n```\nAfter creating the file, a system reboot is required for the changes to take effect. This mitigation will prevent the system from hosting ARM64 virtual machines.\nThis only works where KVM is built as a loadable module: a modprobe `install` rule has no effect on code compiled into the running kernel, so verify with `lsmod` and `/lib/modules/$(uname -r)/modules.builtin` which form the host uses before relying on it, and confirm after the reboot that `/dev/kvm` is absent. Independently of the module rule, the flaw is only reachable by a process that can open `/dev/kvm` and issue vCPU ioctls (the ioctl path in the call trace), so restricting which users and groups can access `/dev/kvm` limits exposure until a fixed kernel is installed.",
    "lang" : "en:us"
  },
  "csaw" : false
}
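The following shell check is an added example and is not part of the Red Hat record or its mitigation text. It verifies, against a root prefix so it can also be run on a staged tree, whether the modprobe rule from the mitigation is present, whether KVM is compiled into the kernel (in which case a modprobe `install` rule cannot stop it loading and the mitigation does not apply), and who can open `/dev/kvm`. The `arch/arm64/kvm/` path used to detect built-in KVM in `modules.builtin` is an assumption about how that file names the object; the module name `kvm_arm64` and the conf file path are taken from the mitigation above.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Checks the CVE-2025-40102 modprobe mitigation.
# Every function takes a root prefix ("/" for the live host) so it can be exercised
# against a staged directory tree without touching the real system.

MITIGATION_CONF="etc/modprobe.d/disable-kvm_arm64.conf"   # path from the mitigation text

# Returns 0 when the "install kvm_arm64 /bin/true" rule is present under root $1.
kvm_rule_present() {
    root="$1"
    [ -r "$root/$MITIGATION_CONF" ] &&
        grep -qE '^[[:space:]]*install[[:space:]]+kvm_arm64[[:space:]]+/bin/true' \
            "$root/$MITIGATION_CONF"
}

# Returns 0 when kernel release $2 under root $1 lists KVM in modules.builtin,
# i.e. KVM is compiled in and no modprobe rule can block it.
# The 'arch/arm64/kvm/' substring is an assumption about the entry's path.
kvm_builtin() {
    root="$1"; krel="$2"
    list="$root/lib/modules/$krel/modules.builtin"
    [ -r "$list" ] && grep -q 'arch/arm64/kvm/' "$list"
}

# Verdict for root $1 and kernel release $2.
# Exit status: 0 mitigated by the rule, 1 rule missing, 2 rule cannot work (KVM built in).
kvm_mitigation_status() {
    root="$1"; krel="$2"
    if kvm_builtin "$root" "$krel"; then
        echo "KVM is built into kernel $krel: a modprobe rule cannot block it;" \
             "install a fixed kernel or restrict access to /dev/kvm instead"
        return 2
    fi
    if kvm_rule_present "$root"; then
        echo "mitigation rule present in $MITIGATION_CONF (reboot required if added after boot)"
        return 0
    fi
    echo "mitigation rule missing; add: install kvm_arm64 /bin/true"
    return 1
}

# The flaw needs a local process that can issue vCPU ioctls, so /dev/kvm access
# decides who can reach it. Prints mode and owner; returns 1 if the node is absent
# (which is what a successfully applied module block looks like after reboot).
kvm_device_access() {
    root="$1"
    dev="$root/dev/kvm"
    [ -e "$dev" ] || { echo "/dev/kvm absent"; return 1; }
    stat -c '%a %U:%G' "$dev"
}

# Run the live check only when asked, so the file can be sourced without side effects.
if [ "${1-}" = "--check" ]; then
    kvm_mitigation_status / "$(uname -r)"
    kvm_device_access /
fi
```

Run it as `sh check-kvm-mitigation.sh --check` on the host; an exit status of 2 from the status function means the modprobe rule is not a usable mitigation there and only the kernel update or tighter `/dev/kvm` permissions help.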