VMSCAPE CVE-2025-40300

Bug #2124105 reported by Massimiliano Pellizzer
Affects          Status         Importance  Assigned to
linux (Ubuntu)   Fix Committed  High        Massimiliano Pellizzer
  Trusty         Fix Committed  High        Cengiz Can
  Xenial         Fix Committed  High        Cengiz Can
  Bionic         Fix Committed  High        Cengiz Can
  Focal          Fix Committed  High        Massimiliano Pellizzer
  Jammy          Fix Released   High        Massimiliano Pellizzer
  Noble          Fix Released   High        Massimiliano Pellizzer
  Plucky         Fix Released   High        Massimiliano Pellizzer
  Questing       Fix Committed  High        Massimiliano Pellizzer

Bug Description

[ Impact ]

VMSCAPE is a vulnerability, affecting a broad range of amd64 CPUs,
that may allow a guest to influence the branch prediction in host userspace.
It particularly affects hypervisors like QEMU.

Even if a hypervisor may not have any sensitive data like disk encryption keys,
guest-userspace may be able to attack the guest-kernel using the hypervisor
as a confused deputy.

[ Fix ]

Backport the following patchset to all affected series:
- 9969779d0803 Documentation/hw-vuln: Add VMSCAPE documentation
- a508cec6e521 x86/vmscape: Enumerate VMSCAPE bug
- 2f8f173413f1 x86/vmscape: Add conditional IBPB mitigation
- 556c1ad666ad x86/vmscape: Enable the mitigation
- 6449f5baf9c7 x86/bugs: Move cpu_bugs_smt_update() down
- b7cc98872315 x86/vmscape: Warn when STIBP is disabled with SMT
- 8a68d64bb103 x86/vmscape: Add old Intel CPUs to affected list

[ Test Plan ]

Boot the kernel on a system having a vulnerable CPU.
Fine tune the PoC (https://github.com/comsec-group/vmscape/tree/main/vmscape)
considering the CPU on which the kernel is running.
Run the PoC and make sure that it fails.

[ Regression Potential ]

The regression potential is moderate, since the patches add conditional
IBPB flushing on VMEXIT for the CPUs affected by the vulnerability.
Any issue would be limited to measurable performance regressions for
VM-heavy workloads that trigger frequent VMEXITs (due to IBPB overhead).
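A host-side check for the fix and test plan above, added here as an example and not taken from this bug report or from Ubuntu's kernel packaging. It assumes the sysfs path /sys/devices/system/cpu/vulnerabilities/vmscape (the kernel's hw-vuln reporting convention) and matches that file's text only by the prefixes "Not affected", "Vulnerable" and "Mitigation:"; the fixed kernel versions it compares against are the ones listed in this bug's verification comments.

```shell
#!/bin/sh
# Added example (not from the bug report or Ubuntu's packaging): verify a host
# has the VMSCAPE (CVE-2025-40300) fix by comparing the kernel ABI with the
# fixed uploads in this bug and reading the hw-vuln sysfs file the backported
# "x86/vmscape: Enable the mitigation" patch adds (path and prefixes assumed).
VMSCAPE_SYSFS=/sys/devices/system/cpu/vulnerabilities/vmscape
# Fixed version per series, as major.minor.patch-ABI. uname -r carries only
# the ABI (e.g. 5.15.0-161-generic), so the upload number is not compared.
fixed_abi_for() {
    case "$1" in
        3.13.*) echo 3.13.0-208 ;;  # trusty
        4.4.*)  echo 4.4.0-274 ;;   # xenial
        4.15.*) echo 4.15.0-243 ;;  # bionic
        5.4.*)  echo 5.4.0-223 ;;   # focal
        5.15.*) echo 5.15.0-161 ;;  # jammy
        6.8.*)  echo 6.8.0-87 ;;    # noble
        6.14.*) echo 6.14.0-35 ;;   # plucky
        *)      return 1 ;;
    esac
}
# kernel_ge A B: true when version A (x.y.z-abi[-flavour]) is at least B.
# Compares the four numeric fields left to right; flavour text is dropped.
kernel_ge() {
    a=$(echo "$1" | sed 's/[^0-9.-].*//; s/[.-]/ /g')
    b=$(echo "$2" | sed 's/[^0-9.-].*//; s/[.-]/ /g')
    set -- $a; a1=${1:-0} a2=${2:-0} a3=${3:-0} a4=${4:-0}
    set -- $b; b1=${1:-0} b2=${2:-0} b3=${3:-0} b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}
# vmscape_status [FILE]: prints not-affected | mitigated | vulnerable |
# unknown | unsupported (no sysfs entry, i.e. a kernel without the backport).
vmscape_status() {
    f=${1:-$VMSCAPE_SYSFS}
    [ -r "$f" ] || { echo unsupported; return 1; }
    case "$(cat "$f")" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable; return 1 ;;
        *)               echo unknown; return 1 ;;
    esac
}
# check_host [RELEASE] [FILE]: 0 only when the kernel is at or past the fixed
# ABI for its series and sysfs reports "Not affected" or a mitigation.
check_host() {
    rel=${1:-$(uname -r)}
    need=$(fixed_abi_for "$rel") || { echo "no fixed ABI known for $rel"; return 1; }
    kernel_ge "$rel" "$need" || { echo "$rel is older than fixed ABI $need"; return 1; }
    st=$(vmscape_status "${2:-$VMSCAPE_SYSFS}") || true
    echo "kernel $rel >= $need; vmscape sysfs: $st"
    [ "$st" = not-affected ] || [ "$st" = mitigated ]
}
# Usage: sh vmscape-check.sh --check [kernel-release] [sysfs-file]
if [ "${1:-}" = --check ]; then shift; check_host "$@"; fi
```

A kernel that predates the backport has no vmscape entry at all and is reported as "unsupported", which the check treats as a failure rather than as "Not affected".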

Changed in linux (Ubuntu Plucky):
status: New → In Progress
Changed in linux (Ubuntu Noble):
status: New → In Progress
Changed in linux (Ubuntu Plucky):
assignee: nobody → Massimiliano Pellizzer (mpellizzer)
Changed in linux (Ubuntu Noble):
assignee: nobody → Massimiliano Pellizzer (mpellizzer)
Changed in linux (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Massimiliano Pellizzer (mpellizzer)
Changed in linux (Ubuntu Plucky):
importance: Undecided → High
Changed in linux (Ubuntu Noble):
importance: Undecided → High
Changed in linux (Ubuntu Jammy):
importance: Undecided → High
tags: added: kernel-daily-bug
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu Bionic):
status: New → Confirmed
Changed in linux (Ubuntu Focal):
status: New → Confirmed
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Cengiz Can (cengizcan)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Cengiz Can (cengizcan)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Cengiz Can (cengizcan)
Changed in linux (Ubuntu Focal):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
status: Confirmed → In Progress
Changed in linux (Ubuntu Focal):
assignee: nobody → Cengiz Can (cengizcan)
status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Cengiz Can (cengizcan)
Changed in linux (Ubuntu Focal):
assignee: Cengiz Can (cengizcan) → nobody
assignee: nobody → Massimiliano Pellizzer (mpellizzer)
Manuel Diewald (diewald)
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Cengiz Can (cengizcan)
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-161.171 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Noble):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Plucky):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Questing):
status: In Progress → Fix Released
status: Fix Released → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-223.243 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.8.0-87.88 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux' to 'verification-done-noble-linux'. If the problem still exists, change the tag 'verification-needed-noble-linux' to 'verification-failed-noble-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.14.0-35.35 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-plucky-linux' to 'verification-done-plucky-linux'. If the problem still exists, change the tag 'verification-needed-plucky-linux' to 'verification-failed-plucky-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-plucky-linux-v2 verification-needed-plucky-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/4.15.0-243.255 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic-linux' to 'verification-done-bionic-linux'. If the problem still exists, change the tag 'verification-needed-bionic-linux' to 'verification-failed-bionic-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-bionic-linux-v2 verification-needed-bionic-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/3.13.0-208.259 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty-linux' to 'verification-done-trusty-linux'. If the problem still exists, change the tag 'verification-needed-trusty-linux' to 'verification-failed-trusty-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-trusty-linux-v2 verification-needed-trusty-linux
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/4.4.0-274.308 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial-linux' to 'verification-done-xenial-linux'. If the problem still exists, change the tag 'verification-needed-xenial-linux' to 'verification-failed-xenial-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-xenial-linux-v2 verification-needed-xenial-linux
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-fde-6.8/6.8.0-1042.49~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-fde-6.8' to 'verification-done-jammy-linux-azure-fde-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-fde-6.8' to 'verification-failed-jammy-linux-azure-fde-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-fde-6.8-v2 verification-needed-jammy-linux-azure-fde-6.8
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/6.8.0-1012.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-done-noble-linux-nvidia-tegra'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-tegra' to 'verification-failed-noble-linux-nvidia-tegra'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-nvidia-tegra-v2 verification-needed-noble-linux-nvidia-tegra
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.14.0-35.35

---------------
linux (6.14.0-35.35) plucky; urgency=medium

  * plucky/linux: 6.14.0-35.35 -proposed tracker (LP: #2127468)

  * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300
    - Documentation/hw-vuln: Add VMSCAPE documentation
    - x86/vmscape: Enumerate VMSCAPE bug
    - x86/vmscape: Add conditional IBPB mitigation
    - x86/vmscape: Enable the mitigation
    - x86/bugs: Move cpu_bugs_smt_update() down
    - x86/vmscape: Warn when STIBP is disabled with SMT
    - x86/vmscape: Add old Intel CPUs to affected list

  * VMSCAPE CVE-2025-40300 (LP: #2124105)
    - [Config] Enable MITIGATION_VMSCAPE config

 -- Manuel Diewald <email address hidden> Fri, 10 Oct 2025 21:09:58 +0200

Changed in linux (Ubuntu Plucky):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.8.0-87.88

---------------
linux (6.8.0-87.88) noble; urgency=medium

  * noble/linux: 6.8.0-87.88 -proposed tracker (LP: #2127436)

  * CVE-2025-37838
    - HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol
      Driver Due to Race Condition

  * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300
    - Documentation/hw-vuln: Add VMSCAPE documentation
    - x86/vmscape: Enumerate VMSCAPE bug
    - x86/vmscape: Add conditional IBPB mitigation
    - x86/vmscape: Enable the mitigation
    - x86/bugs: Move cpu_bugs_smt_update() down
    - x86/vmscape: Warn when STIBP is disabled with SMT
    - x86/vmscape: Add old Intel CPUs to affected list

  * VMSCAPE CVE-2025-40300 (LP: #2124105)
    - [Config] Enable MITIGATION_VMSCAPE config

  * CVE-2025-38352
    - posix-cpu-timers: fix race between handle_posix_cpu_timers() and
      posix_cpu_timer_del()

  * CVE-2025-38118
    - Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
    - Bluetooth: MGMT: Fix sparse errors

 -- Manuel Diewald <email address hidden> Fri, 10 Oct 2025 20:20:13 +0200

Changed in linux (Ubuntu Noble):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-161.171

---------------
linux (5.15.0-161.171) jammy; urgency=medium

  * jammy/linux: 5.15.0-161.171 -proposed tracker (LP: #2127389)

  * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300
    - Documentation/hw-vuln: Add VMSCAPE documentation
    - x86/vmscape: Enumerate VMSCAPE bug
    - x86/vmscape: Add conditional IBPB mitigation
    - x86/vmscape: Enable the mitigation
    - x86/bugs: Move cpu_bugs_smt_update() down
    - x86/vmscape: Warn when STIBP is disabled with SMT
    - x86/vmscape: Add old Intel CPUs to affected list

  * VMSCAPE CVE-2025-40300 (LP: #2124105)
    - [Config] Enable MITIGATION_VMSCAPE config

 -- Manuel Diewald <email address hidden> Fri, 10 Oct 2025 20:13:58 +0200

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-6.14/6.14.0-1013.13 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-nvidia-6.14' to 'verification-done-noble-linux-nvidia-6.14'. If the problem still exists, change the tag 'verification-needed-noble-linux-nvidia-6.14' to 'verification-failed-noble-linux-nvidia-6.14'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-nvidia-6.14-v2 verification-needed-noble-linux-nvidia-6.14
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/6.8.0-1013.17 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-bluefield' to 'verification-done-noble-linux-bluefield'. If the problem still exists, change the tag 'verification-needed-noble-linux-bluefield' to 'verification-failed-noble-linux-bluefield'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-bluefield-v2 verification-needed-noble-linux-bluefield
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-fde-6.14/6.14.0-1017.17~24.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-azure-fde-6.14' to 'verification-done-noble-linux-azure-fde-6.14'. If the problem still exists, change the tag 'verification-needed-noble-linux-azure-fde-6.14' to 'verification-failed-noble-linux-azure-fde-6.14'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-noble-linux-azure-fde-6.14-v2 verification-needed-noble-linux-azure-fde-6.14
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-5.4/5.4.0-1156.163~18.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic-linux-azure-5.4' to 'verification-done-bionic-linux-azure-5.4'. If the problem still exists, change the tag 'verification-needed-bionic-linux-azure-5.4' to 'verification-failed-bionic-linux-azure-5.4'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-bionic-linux-azure-5.4-v2 verification-needed-bionic-linux-azure-5.4
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure-5.15/5.15.0-1102.111~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-azure-5.15' to 'verification-done-focal-linux-azure-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-azure-5.15' to 'verification-failed-focal-linux-azure-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-azure-5.15-v2 verification-needed-focal-linux-azure-5.15