vulnerability

Ubuntu: (Multiple Advisories) (CVE-2025-21779): Linux kernel vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:L/AC:L/Au:S/C:N/I:N/A:C)	Feb 27, 2025	May 20, 2025	Jun 3, 2025

Severity

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

Feb 27, 2025

Added

May 20, 2025

Modified

Jun 3, 2025

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

Advertise support for Hyper-V's SEND_IPI and SEND_IPI_EX hypercalls if and
only if the local API is emulated/virtualized by KVM, and explicitly reject
said hypercalls if the local APIC is emulated in userspace, i.e. don't rely
on userspace to opt-in to KVM_CAP_HYPERV_ENFORCE_CPUID.

Rejecting SEND_IPI and SEND_IPI_EX fixes a NULL-pointer dereference if
Hyper-V enlightenments are exposed to the guest without an in-kernel local
APIC:

dump_stack+0xbe/0xfd
__kasan_report.cold+0x34/0x84
kasan_report+0x3a/0x50
__apic_accept_irq+0x3a/0x5c0
kvm_hv_send_ipi.isra.0+0x34e/0x820
kvm_hv_hypercall+0x8d9/0x9d0
kvm_emulate_hypercall+0x506/0x7e0
__vmx_handle_exit+0x283/0xb60
vmx_handle_exit+0x1d/0xd0
vcpu_enter_guest+0x16b0/0x24c0
vcpu_run+0xc0/0x550
kvm_arch_vcpu_ioctl_run+0x170/0x6d0
kvm_vcpu_ioctl+0x413/0xb20
__se_sys_ioctl+0x111/0x160
do_syscal1_64+0x30/0x40
entry_SYSCALL_64_after_hwframe+0x67/0xd1

Note, checking the sending vCPU is sufficient, as the per-VM irqchip_mode
can't be modified after vCPUs are created, i.e. if one vCPU has an
in-kernel local APIC, then all vCPUs have an in-kernel local APIC.

Solution(s)

ubuntu-upgrade-linux-image-5-15-0-1026-nvidia-tegra-igxubuntu-upgrade-linux-image-5-15-0-1026-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-5-15-0-1037-nvidia-tegraubuntu-upgrade-linux-image-5-15-0-1037-nvidia-tegra-rtubuntu-upgrade-linux-image-5-15-0-1066-gkeopubuntu-upgrade-linux-image-5-15-0-1076-ibmubuntu-upgrade-linux-image-5-15-0-1077-intel-iot-realtimeubuntu-upgrade-linux-image-5-15-0-1078-nvidiaubuntu-upgrade-linux-image-5-15-0-1078-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1078-raspiubuntu-upgrade-linux-image-5-15-0-1079-intel-iotgubuntu-upgrade-linux-image-5-15-0-1080-kvmubuntu-upgrade-linux-image-5-15-0-1081-gkeubuntu-upgrade-linux-image-5-15-0-1081-oracleubuntu-upgrade-linux-image-5-15-0-1083-gcpubuntu-upgrade-linux-image-5-15-0-1083-gcp-fipsubuntu-upgrade-linux-image-5-15-0-1084-awsubuntu-upgrade-linux-image-5-15-0-1084-aws-fipsubuntu-upgrade-linux-image-5-15-0-1084-realtimeubuntu-upgrade-linux-image-5-15-0-1089-azureubuntu-upgrade-linux-image-5-15-0-1089-azure-fipsubuntu-upgrade-linux-image-5-15-0-140-fipsubuntu-upgrade-linux-image-5-15-0-140-genericubuntu-upgrade-linux-image-5-15-0-140-generic-64kubuntu-upgrade-linux-image-5-15-0-140-generic-lpaeubuntu-upgrade-linux-image-5-15-0-140-lowlatencyubuntu-upgrade-linux-image-5-15-0-140-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1010-realtimeubuntu-upgrade-linux-image-6-11-0-1013-raspiubuntu-upgrade-linux-image-6-11-0-1014-awsubuntu-upgrade-linux-image-6-11-0-1014-lowlatencyubuntu-upgrade-linux-image-6-11-0-1014-lowlatency-64kubuntu-upgrade-linux-image-6-11-0-1015-azureubuntu-upgrade-linux-image-6-11-0-1015-azure-fdeubuntu-upgrade-linux-image-6-11-0-1015-gcpubuntu-upgrade-linux-image-6-11-0-1015-gcp-64kubuntu-upgrade-linux-image-6-11-0-1016-oracleubuntu-upgrade-linux-image-6-11-0-1016-oracle-64kubuntu-upgrade-linux-image-6-11-0-1022-oemubuntu-upgrade-linux-image-6-11-0-26-genericubuntu-upgrade-linux-image-6-11-0-26-generic-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-fipsubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fipsubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-fipsubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-64kubuntu-upgrade-linux-image-gcp-fipsubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iot-realtimeubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-64k-hwe-24-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-24-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-nvidia-tegraubuntu-upgrade-linux-image-nvidia-tegra-igxubuntu-upgrade-linux-image-nvidia-tegra-igx-rtubuntu-upgrade-linux-image-nvidia-tegra-rtubuntu-upgrade-linux-image-oem-24-04bubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-realtimeubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-24-04

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today