{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-22013","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.806Z","datePublished":"2025-04-08T08:18:04.000Z","dateUpdated":"2026-05-11T21:10:57.780Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:10:57.780Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state\n\nThere are several problems with the way hyp code lazily saves the host's\nFPSIMD/SVE state, including:\n\n* Host SVE being discarded unexpectedly due to inconsistent\n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to\n  result in QEMU crashes where SVE is used by memmove(), as reported by\n  Eric Auger:\n\n  https://issues.redhat.com/browse/RHEL-68997\n\n* Host SVE state is discarded *after* modification by ptrace, which was an\n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.\n\n* The host FPMR value can be discarded when running a non-protected VM,\n  where FPMR support is not exposed to a VM, and that VM uses\n  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR\n  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale\n  value in memory.\n\nAvoid these by eagerly saving and \"flushing\" the host's FPSIMD/SVE/SME\nstate when loading a vCPU such that KVM does not need to save any of the\nhost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is\nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is\nplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'\nshould not be used, they are set to NULL; all uses of these will be\nremoved in subsequent patches.\n\nHistorical problems go back at least as far as v5.17, e.g. erroneous\nassumptions about TIF_SVE being clear in commit:\n\n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")\n\n... and so this eager save+flush probably needs to be backported to ALL\nstable trees."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/fpsimd.c","arch/arm64/kvm/fpsimd.c"],"versions":[{"version":"c4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90","lessThan":"5289ac43b69c61a49c75720921f2008005a31c43","status":"affected","versionType":"git"},{"version":"d5f7d3833b534f9e43e548461dba1e60aa82f587","lessThan":"04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e","status":"affected","versionType":"git"},{"version":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe","lessThan":"806d5c1e1d2e5502175a24bf70f251648d99c36a","status":"affected","versionType":"git"},{"version":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe","lessThan":"79e140bba70bcacc5fe15bf8c0b958793fd7d56f","status":"affected","versionType":"git"},{"version":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe","lessThan":"900b444be493b7f404898c785d6605b177a093d0","status":"affected","versionType":"git"},{"version":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe","lessThan":"fbc7e61195e23f744814e78524b73b59faa54ab4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/kernel/fpsimd.c","arch/arm64/kvm/fpsimd.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.85","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.21","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13.9","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.85"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.13.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.14"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43"},{"url":"https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"},{"url":"https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a"},{"url":"https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f"},{"url":"https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0"},{"url":"https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4"}],"title":"KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state","x_generator":{"engine":"bippy-1.2.0"}}}}