Linux Kernel Vulnerability in KVM Affecting Guest-Controlled Indices
CVE-2025-39823

Currently unrated

Key Information:

Vendor: Linux

CVE Published: 16 September 2025

What is CVE-2025-39823?

This vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) code concerns two guest-controlled indices, 'min' and 'dest_id'. Because a guest chooses their values, using them as indices could expose the host to speculative execution side-channel attacks. To prevent this, the fix uses array_index_nospec() together with bounds checks to limit the values of these indices, which reduces the attack surface. Careful handling of guest-controlled indices like these is essential for maintaining the integrity of virtualized environments against potential exploits.
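The following userspace model illustrates the bounds-check-then-clamp pattern described above. It is an added example, not the kernel patch for this CVE; the table, its size and all function names are hypothetical, and the mask arithmetic follows the kernel's generic array_index_mask_nospec() helper.

```c
/* Userspace model of the clamp array_index_nospec() applies; all names are hypothetical. */
#include <limits.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * CHAR_BIT)
#define TABLE_SIZE 4UL                                    /* constructed size */

static const int table[TABLE_SIZE] = { 10, 20, 30, 40 };  /* constructed data */

/*
 * All-ones when index < size, zero otherwise, computed without a branch so
 * the result does not depend on branch prediction. Assumes size <= LONG_MAX
 * and an arithmetic right shift of negative values (gcc and clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* Hide index from the optimizer so the mask is always computed. */
    __asm__ volatile("" : "+r"(index));
    return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* In-range indices pass through unchanged; anything else becomes 0. */
static unsigned long clamp_index_nospec(unsigned long index, unsigned long size)
{
    return index & index_mask_nospec(index, size);
}

/* Bounds check first (architectural path), then clamp (speculative path). */
static int lookup_guest_index(unsigned long guest_idx, int *out)
{
    if (guest_idx >= TABLE_SIZE)
        return -1;              /* rejected when the branch resolves */
    /* If the branch above is mispredicted, the mask still forces index 0. */
    guest_idx = clamp_index_nospec(guest_idx, TABLE_SIZE);
    *out = table[guest_idx];
    return 0;
}

int main(void)
{
    int v = 0;
    int rc = lookup_guest_index(2, &v);
    printf("index 2: rc=%d value=%d\n", rc, v);
    rc = lookup_guest_index(7, &v);
    printf("index 7: rc=%d (rejected)\n", rc);
    printf("clamp(7) -> %lu\n", clamp_index_nospec(7, TABLE_SIZE));
    return 0;
}
```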

Affected Version(s)

Linux 4180bf1b655a791a0a6ef93a2ffffc762722c782 < 72777fc31aa7ab2ce00f44bfa3929c6eabbeaf48

Linux 4180bf1b655a791a0a6ef93a2ffffc762722c782 < 31a0ad2f60cb4816e06218b63e695eb72ce74974

Linux 4180bf1b655a791a0a6ef93a2ffffc762722c782
