CVE-2025-40300

VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace.

The intent is to integrate and optimize these cases post-embargo.

[ dhansen: elaborate on suboptimal IBPB solution ]

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40300.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

15d45071523d89b3fb7372e2135fbd72f6af9506

Fixed

ac60717f9a8d21c58617d0b34274babf24135835

Fixed

c08192b5d6730a914dee6175bc71092ee6a65f14

Fixed

d5490dfa35427a2967e00a4c7a1b95fdbc8ede34

Fixed

2f4f2f8f860cb4c3336a7435ebe8dcfded0c9c6e

Fixed

15006289e5c38b2a830e1fba221977a27598176c

Fixed

893387c18612bb452336a5881da0d015a7e8f4a2

Fixed

f866eef8d1c65504d30923c3f14082ad294d0e6d

Fixed

34e5667041050711a947e260fc9ebebe08bddee5

Fixed

d7ddc93392e4a7ffcccc86edf6ef3e64c778db52

Fixed

459274c77b37ac63b78c928b4b4e748d1f9d05c8

Fixed

510603f504796c3535f67f55fb0b124a303b44c8

Fixed

9c23a90648e831d611152ac08dbcd1283d405e7f

Fixed

2f8f173413f1cbf52660d04df92d0069c4306d25

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

c51f1e5f57cca88d8d5894b6fad1638f643a99d0

Last affected

4b3870c343a82cd2df7192cc5149c87205dcc611

Affected versions

v2.*

v2.6.12-rc2

v2.6.12-rc3

v2.6.12-rc4

v2.6.13

v2.6.13-rc1

v2.6.13-rc2

v2.6.13-rc3

v2.6.13-rc4

v2.6.13-rc5

v2.6.13-rc6

v2.6.13-rc7

v2.6.14-rc1

v2.6.14-rc2

v2.6.14-rc3

v2.6.15-rc1

v2.6.15-rc2

v2.6.15-rc4

v2.6.15-rc5

v2.6.15-rc7

v2.6.16

v2.6.16-rc1

v2.6.16-rc2

v2.6.16-rc3

v2.6.16-rc4

v2.6.16-rc5

v2.6.16-rc6

v2.6.17

v2.6.17-rc1

v2.6.17-rc2

v2.6.17-rc3

v2.6.17-rc4

v2.6.17-rc5

v2.6.17-rc6

v2.6.18

v2.6.18-rc1

v2.6.18-rc2

v2.6.18-rc3

v2.6.18-rc5

v2.6.18-rc6

v2.6.19-rc1

v2.6.19-rc2

v2.6.20-rc1

v2.6.20-rc2

v2.6.20-rc3

v2.6.20-rc4

v2.6.20-rc5

v2.6.20-rc6

v2.6.20-rc7

v2.6.21

v2.6.21-rc1

v2.6.21-rc2

v2.6.21-rc3

v2.6.21-rc4

v2.6.21-rc5

v2.6.21-rc6

v2.6.21-rc7

v2.6.22

v2.6.22-rc1

v2.6.22-rc2

v2.6.22-rc3

v2.6.22-rc4

v2.6.22-rc5

v2.6.22-rc6

v2.6.22-rc7

v2.6.23

v2.6.23-rc1

v2.6.23-rc2

v2.6.23-rc3

v2.6.23-rc4

v2.6.23-rc5

v2.6.23-rc6

v2.6.23-rc7

v2.6.23-rc8

v2.6.23-rc9

v2.6.24

v2.6.24-rc1

v2.6.24-rc2

v2.6.24-rc3

v2.6.24-rc4

v2.6.24-rc5

v2.6.24-rc6

v2.6.24-rc7

v2.6.24-rc8

v2.6.25

v2.6.25-rc1

v2.6.25-rc2

v2.6.25-rc3

v2.6.25-rc4

v2.6.25-rc5

v2.6.25-rc6

v2.6.25-rc7

v2.6.25-rc8

v2.6.25-rc9

v2.6.26

v2.6.26-rc1

v2.6.26-rc2

v2.6.26-rc3

v2.6.26-rc4

v2.6.26-rc5

v2.6.26-rc6

v2.6.26-rc7

v2.6.26-rc8

v2.6.26-rc9

v2.6.27

v2.6.27-rc1

v2.6.27-rc2

v2.6.27-rc3

v2.6.27-rc4

v2.6.27-rc5

v2.6.27-rc6

v2.6.27-rc7

v2.6.27-rc8

v2.6.27-rc9

v2.6.28

v2.6.28-rc1

v2.6.28-rc2

v2.6.28-rc3

v2.6.28-rc4

v2.6.28-rc5

v2.6.28-rc6

v2.6.28-rc7

v2.6.28-rc8

v2.6.28-rc9

v2.6.29

v2.6.29-rc1

v2.6.29-rc2

v2.6.29-rc3

v2.6.29-rc4

v2.6.29-rc5

v2.6.29-rc6

v2.6.29-rc7

v2.6.29-rc8

v2.6.30

v2.6.30-rc1

v2.6.30-rc2

v2.6.30-rc3

v2.6.30-rc4

v2.6.30-rc5

v2.6.30-rc6

v2.6.30-rc7

v2.6.30-rc8

v2.6.31

v2.6.31-rc1

v2.6.31-rc2

v2.6.31-rc3

v2.6.31-rc4

v2.6.31-rc5

v2.6.31-rc6

v2.6.31-rc7

v2.6.31-rc8

v2.6.31-rc9

v2.6.32

v2.6.32-rc1

v2.6.32-rc2

v2.6.32-rc3

v2.6.32-rc4

v2.6.32-rc5

v2.6.32-rc6

v2.6.32-rc7

v2.6.32-rc8

v2.6.33

v2.6.33-rc1

v2.6.33-rc2

v2.6.33-rc3

v2.6.33-rc4

v2.6.33-rc5

v2.6.33-rc6

v2.6.33-rc7

v2.6.33-rc8

v2.6.34

v2.6.34-rc1

v2.6.34-rc2

v2.6.34-rc3

v2.6.34-rc4

v2.6.34-rc5

v2.6.34-rc6

v2.6.34-rc7

v2.6.35

v2.6.35-rc1

v2.6.35-rc2

v2.6.35-rc3

v2.6.35-rc4

v2.6.35-rc5

v2.6.35-rc6

v2.6.36

v2.6.36-rc1

v2.6.36-rc2

v2.6.36-rc3

v2.6.36-rc4

v2.6.36-rc5

v2.6.36-rc6

v2.6.36-rc7

v2.6.36-rc8

v2.6.37

v2.6.37-rc1

v2.6.37-rc2

v2.6.37-rc3

v2.6.37-rc4

v2.6.37-rc5

v2.6.37-rc6

v2.6.37-rc7

v2.6.37-rc8

v2.6.38

v2.6.38-rc1

v2.6.38-rc2

v2.6.38-rc3

v2.6.38-rc4

v2.6.38-rc5

v2.6.38-rc6

v2.6.38-rc7

v2.6.38-rc8

v2.6.39

v2.6.39-rc1

v2.6.39-rc2

v2.6.39-rc3

v2.6.39-rc4

v2.6.39-rc5

v2.6.39-rc6

v2.6.39-rc7

v3.*

v3.0

v3.0-rc1

v3.0-rc2

v3.0-rc3

v3.0-rc4

v3.0-rc5

v3.0-rc6

v3.0-rc7

v3.1

v3.1-rc1

v3.1-rc10

v3.1-rc2

v3.1-rc3

v3.1-rc4

v3.1-rc5

v3.1-rc6

v3.1-rc7

v3.1-rc8

v3.1-rc9

v3.10

v3.10-rc1

v3.10-rc2

v3.10-rc3

v3.10-rc4

v3.10-rc5

v3.10-rc6

v3.10-rc7

v3.11

v3.11-rc1

v3.11-rc2

v3.11-rc3

v3.11-rc4

v3.11-rc5

v3.11-rc6

v3.11-rc7

v3.12

v3.12-rc1

v3.12-rc2

v3.12-rc3

v3.12-rc4

v3.12-rc5

v3.12-rc6

v3.12-rc7

v3.13

v3.13-rc1

v3.13-rc2

v3.13-rc3

v3.13-rc4

v3.13-rc5

v3.13-rc6

v3.13-rc7

v3.13-rc8

v3.14

v3.14-rc1

v3.14-rc2

v3.14-rc3

v3.14-rc4

v3.14-rc5

v3.14-rc6

v3.14-rc7

v3.14-rc8

v3.15

v3.15-rc1

v3.15-rc2

v3.15-rc3

v3.15-rc4

v3.15-rc5

v3.15-rc6

v3.15-rc7

v3.15-rc8

v3.16

v3.16-rc1

v3.16-rc2

v3.16-rc3

v3.16-rc4

v3.16-rc5

v3.16-rc6

v3.16-rc7

v3.16.1

v3.16.2

v3.16.3

v3.16.35

v3.16.36

v3.16.37

v3.16.38

v3.16.39

v3.16.4

v3.16.40

v3.16.41

v3.16.42

v3.16.43

v3.16.44

v3.16.45

v3.16.46

v3.16.47

v3.16.48

v3.16.49

v3.16.5

v3.16.50

v3.16.51

v3.16.52

v3.16.53

v3.16.54

v3.16.55

v3.16.56

v3.16.6

v3.16.7

v3.17

v3.17-rc1

v3.17-rc2

v3.17-rc3

v3.17-rc4

v3.17-rc5

v3.17-rc6

v3.17-rc7

v3.18

v3.18-rc1

v3.18-rc2

v3.18-rc3

v3.18-rc4

v3.18-rc5

v3.18-rc6

v3.18-rc7

v3.19

v3.19-rc1

v3.19-rc2

v3.19-rc3

v3.19-rc4

v3.19-rc5

v3.19-rc6

v3.19-rc7

v3.2

v3.2-rc1

v3.2-rc2

v3.2-rc3

v3.2-rc4

v3.2-rc5

v3.2-rc6

v3.2-rc7

v3.3

v3.3-rc1

v3.3-rc2

v3.3-rc3

v3.3-rc4

v3.3-rc5

v3.3-rc6

v3.3-rc7

v3.4

v3.4-rc1

v3.4-rc2

v3.4-rc3

v3.4-rc4

v3.4-rc5

v3.4-rc6

v3.4-rc7

v3.5

v3.5-rc1

v3.5-rc2

v3.5-rc3

v3.5-rc4

v3.5-rc5

v3.5-rc6

v3.5-rc7

v3.6

v3.6-rc1

v3.6-rc2

v3.6-rc3

v3.6-rc4

v3.6-rc5

v3.6-rc6

v3.6-rc7

v3.7

v3.7-rc1

v3.7-rc2

v3.7-rc3

v3.7-rc4

v3.7-rc5

v3.7-rc6

v3.7-rc7

v3.7-rc8

v3.8

v3.8-rc1

v3.8-rc2

v3.8-rc3

v3.8-rc4

v3.8-rc5

v3.8-rc6

v3.8-rc7

v3.9

v3.9-rc1

v3.9-rc2

v3.9-rc3

v3.9-rc4

v3.9-rc5

v3.9-rc6

v3.9-rc7

v3.9-rc8

v4.*

v4.0

v4.0-rc1

v4.0-rc2

v4.0-rc3

v4.0-rc4

v4.0-rc5

v4.0-rc6

v4.0-rc7

v4.1

v4.1-rc1

v4.1-rc2

v4.1-rc3

v4.1-rc4

v4.1-rc5

v4.1-rc6

v4.1-rc7

v4.1-rc8

v4.2

v4.2-rc1

v4.2-rc2

v4.2-rc3

v4.2-rc4

v4.2-rc5

v4.2-rc6

v4.2-rc7

v4.2-rc8

v4.3

v4.3-rc1

v4.3-rc2

v4.3-rc3

v4.3-rc4

v4.3-rc5

v4.3-rc6

v4.3-rc7

v4.4

v4.4-rc1

v4.4-rc2

v4.4-rc3

v4.4-rc4

v4.4-rc5

v4.4-rc6

v4.4-rc7

v4.4-rc8

v4.4.1

v4.4.10

v4.4.100

v4.4.101

v4.4.102

v4.4.103

v4.4.104

v4.4.105

v4.4.106

v4.4.107

v4.4.108

v4.4.109

v4.4.11

v4.4.110

v4.4.111

v4.4.112

v4.4.113

v4.4.114

v4.4.115

v4.4.116

v4.4.117

v4.4.118

v4.4.119

v4.4.12

v4.4.120

v4.4.121

v4.4.122

v4.4.123

v4.4.124

v4.4.125

v4.4.126

v4.4.127

v4.4.128

v4.4.129

v4.4.13

v4.4.130

v4.4.131

v4.4.132

v4.4.133

v4.4.134

v4.4.135

v4.4.136

v4.4.137

v4.4.138

v4.4.139

v4.4.14

v4.4.140

v4.4.141

v4.4.142

v4.4.143

v4.4.144

v4.4.145

v4.4.146

v4.4.147

v4.4.148

v4.4.149

v4.4.15

v4.4.150

v4.4.151

v4.4.152

v4.4.153

v4.4.154

v4.4.155

v4.4.156

v4.4.157

v4.4.158

v4.4.159

v4.4.16

v4.4.160

v4.4.161

v4.4.162

v4.4.163

v4.4.164

v4.4.165

v4.4.166

v4.4.167

v4.4.17

v4.4.18

v4.4.19

v4.4.2

v4.4.20

v4.4.21

v4.4.22

v4.4.23

v4.4.24

v4.4.25

v4.4.26

v4.4.27

v4.4.28

v4.4.29

v4.4.3

v4.4.30

v4.4.31

v4.4.32

v4.4.33

v4.4.34

v4.4.35

v4.4.36

v4.4.37

v4.4.38

v4.4.39

v4.4.4

v4.4.40

v4.4.41

v4.4.42

v4.4.43

v4.4.44

v4.4.45

v4.4.46

v4.4.47

v4.4.48

v4.4.49

v4.4.5

v4.4.50

v4.4.51

v4.4.52

v4.4.53

v4.4.54

v4.4.55

v4.4.56

v4.4.57

v4.4.58

v4.4.59

v4.4.6

v4.4.60

v4.4.61

v4.4.62

v4.4.63

v4.4.64

v4.4.65

v4.4.66

v4.4.67

v4.4.68

v4.4.69

v4.4.7

v4.4.70

v4.4.71

v4.4.72

v4.4.73

v4.4.74

v4.4.75

v4.4.76

v4.4.77

v4.4.78

v4.4.79

v4.4.8

v4.4.80

v4.4.81

v4.4.82

v4.4.83

v4.4.84

v4.4.85

v4.4.86

v4.4.87

v4.4.88

v4.4.89

v4.4.9

v4.4.90

v4.4.91

v4.4.92

v4.4.93

v4.4.94

v4.4.95

v4.4.96

v4.4.97

v4.4.98

v4.4.99

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40300.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.16.0

Fixed

5.10.244

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.193

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.152

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.106

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.47

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.16.7

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40300.json"