{
  "threat_severity" : "Low",
  "public_date" : "2026-01-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: s390/fpu: Fix false-positive kmsan report in fpu_vstl()",
    "id" : "2427120",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2427120"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-131",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ns390/fpu: Fix false-positive kmsan report in fpu_vstl()\nA false-positive kmsan report is detected when running ping command.\nAn inline assembly instruction 'vstl' can write varied amount of bytes\ndepending on value of 'index' argument. If 'index' > 0, 'vstl' writes\nat least 2 bytes.\nclang generates kmsan write helper call depending on inline assembly\nconstraints. Constraints are evaluated compile-time, but value of\n'index' argument is known only at runtime.\nclang currently generates call to __msan_instrument_asm_store with 1 byte\nas size. Manually call kmsan function to indicate correct amount of bytes\nwritten and fix false-positive report.\nThis change fixes following kmsan reports:\n[   36.563119] =====================================================\n[   36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[   36.563852]  virtqueue_add+0x35c6/0x7c70\n[   36.564016]  virtqueue_add_outbuf+0xa0/0xb0\n[   36.564266]  start_xmit+0x288c/0x4a20\n[   36.564460]  dev_hard_start_xmit+0x302/0x900\n[   36.564649]  sch_direct_xmit+0x340/0xea0\n[   36.564894]  __dev_queue_xmit+0x2e94/0x59b0\n[   36.565058]  neigh_resolve_output+0x936/0xb40\n[   36.565278]  __neigh_update+0x2f66/0x3a60\n[   36.565499]  neigh_update+0x52/0x60\n[   36.565683]  arp_process+0x1588/0x2de0\n[   36.565916]  NF_HOOK+0x1da/0x240\n[   36.566087]  arp_rcv+0x3e4/0x6e0\n[   36.566306]  __netif_receive_skb_list_core+0x1374/0x15a0\n[   36.566527]  netif_receive_skb_list_internal+0x1116/0x17d0\n[   36.566710]  napi_complete_done+0x376/0x740\n[   36.566918]  virtnet_poll+0x1bae/0x2910\n[   36.567130]  __napi_poll+0xf4/0x830\n[   36.567294]  net_rx_action+0x97c/0x1ed0\n[   36.567556]  handle_softirqs+0x306/0xe10\n[   36.567731]  irq_exit_rcu+0x14c/0x2e0\n[   36.567910]  do_io_irq+0xd4/0x120\n[   36.568139]  io_int_handler+0xc2/0xe8\n[   36.568299]  arch_cpu_idle+0xb0/0xc0\n[   36.568540]  arch_cpu_idle+0x76/0xc0\n[   36.568726]  default_idle_call+0x40/0x70\n[   36.568953]  do_idle+0x1d6/0x390\n[   36.569486]  cpu_startup_entry+0x9a/0xb0\n[   36.569745]  rest_init+0x1ea/0x290\n[   36.570029]  start_kernel+0x95e/0xb90\n[   36.570348]  startup_continue+0x2e/0x40\n[   36.570703]\n[   36.570798] Uninit was created at:\n[   36.571002]  kmem_cache_alloc_node_noprof+0x9e8/0x10e0\n[   36.571261]  kmalloc_reserve+0x12a/0x470\n[   36.571553]  __alloc_skb+0x310/0x860\n[   36.571844]  __ip_append_data+0x483e/0x6a30\n[   36.572170]  ip_append_data+0x11c/0x1e0\n[   36.572477]  raw_sendmsg+0x1c8c/0x2180\n[   36.572818]  inet_sendmsg+0xe6/0x190\n[   36.573142]  __sys_sendto+0x55e/0x8e0\n[   36.573392]  __s390x_sys_socketcall+0x19ae/0x2ba0\n[   36.573571]  __do_syscall+0x12e/0x240\n[   36.573823]  system_call+0x6e/0x90\n[   36.573976]\n[   36.574017] Byte 35 of 98 is uninitialized\n[   36.574082] Memory access of size 98 starts at 0000000007aa0012\n[   36.574218]\n[   36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G    B            N  6.17.0-dirty #16 NONE\n[   36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST\n[   36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)\n[   36.574755] =====================================================\n[   63.532541] =====================================================\n[   63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70\n[   63.533989]  virtqueue_add+0x35c6/0x7c70\n[   63.534940]  virtqueue_add_outbuf+0xa0/0xb0\n[   63.535861]  start_xmit+0x288c/0x4a20\n[   63.536708]  dev_hard_start_xmit+0x302/0x900\n[   63.537020]  sch_direct_xmit+0x340/0xea0\n[   63.537997]  __dev_queue_xmit+0x2e94/0x59b0\n[   63.538819]  neigh_resolve_output+0x936/0xb40\n[   63.539793]  ip_finish_output2+0x1ee2/0x2200\n[   63.540784]  __ip_finish_output+0x272/0x7a0\n[   63.541765]  ip_finish_output+0x4e/0x5e0\n[   63.542791]  ip_output+0x166/0x410\n[   63.543771]  ip_push_pending_frames+0x1a2/0x470\n[   63.544753]  raw_sendmsg+0x1f06/0x2180\n[   63.545033]  inet_sendmsg+0xe6/0x190\n[   63.546006]  __sys_sendto+0x55e/0x8e0\n---truncated---", "A false-positive memory sanitizer (KMSAN) warning was found in the Linux kernel's s390 floating-point unit (FPU) code. The vstl inline assembly instruction writes a variable number of bytes depending on runtime values, but the compiler-generated KMSAN instrumentation incorrectly tracked only 1 byte of the write. This caused spurious \"uninitialized value\" warnings during normal network operations like ping, though no actual memory safety issue exists." ],
  "statement" : "This is a fix for false-positive KMSAN reports on s390 architecture, not a real security vulnerability. The underlying code was functioning correctly; only the sanitizer instrumentation was inaccurate. This affects only kernel developers running KMSAN-enabled debug builds on s390 systems.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-68751\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-68751\nhttps://lore.kernel.org/linux-cve-announce/2026010546-CVE-2025-68751-b3fa@gregkh/T" ],
  "name" : "CVE-2025-68751",
  "csaw" : false
}