{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-40026","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.152Z","datePublished":"2025-10-28T09:32:33.075Z","dateUpdated":"2026-05-11T21:41:03.028Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:41:03.028Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don't (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don't recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O.  If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace,  KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question.  
gp_interception()'s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu->arch.pio.count being non-zero due to KVM not completing emulation\nof the I/O instruction.\n\n  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n  PKRU: 55555554\n  Call Trace:\n   <TASK>\n   kvm_fast_pio+0xd6/0x1d0 [kvm]\n   vmx_handle_exit+0x149/0x610 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0x5d/0xc60\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   
</TASK>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/emulate.c","arch/x86/kvm/kvm_emulate.h","arch/x86/kvm/x86.c"],"versions":[{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"a908eca437789589dd4624da428614c1275064dc","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"00338255bb1f422642fb2798ebe92e93b6e4209b","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"e0ce3ed1048a47986d15aef1a98ebda25560d257","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"ba35a5d775799ce5ad60230be97336f2fefd518e","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"3d3abf3f7e8b1abb082070a343de82d7efc80523","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"e7177c7e32cb806f348387b7f4faafd4a5b32054","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"3a062a5c55adc5507600b9ae6d911e247e2f1d6e","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"7366830642505683bbe905a2ba5d18d6e4b512b8","status":"affected","versionType":"git"},{"version":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9","lessThan":"e750f85391286a4c8100275516973324b621a269","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/emulate.c","arch/x86/kvm/kvm_emulate.h","arch/x86/kvm/x86.c"],"versions":[{"version":"3.0","status":"affected"},{"version":"0","lessThan":"3.0","status":"unaffected","versionType":"semver"},{"version":"5.4.301","lessThanOrEq
ual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.246","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.195","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.157","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.111","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.52","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.16.12","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17.2","lessThanOrEqual":"6.17.*","status":"unaffected","versionType":"semver"},{"version":"6.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"5.4.301"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"5.10.246"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"5.15.195"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.1.157"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.6.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.12.52"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.16.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcl
uding":"6.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0","versionEndExcluding":"6.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"},{"url":"https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"},{"url":"https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"},{"url":"https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"},{"url":"https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"},{"url":"https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"},{"url":"https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"},{"url":"https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"},{"url":"https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"}],"title":"KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O","x_generator":{"engine":"bippy-1.2.0"}}}}