KVM Vulnerability in Arm64 Linux Kernel Affecting Userspace Access
CVE-2025-40102
Currently unrated
What is CVE-2025-40102?
A vulnerability in the Linux kernel's KVM component on Arm64 allows userspace applications to pend vCPU events for a vCPU that has not been initialized, potentially causing the kernel to execute uninitialized data that could lead to illegal state transitions. The issue, documented in kernel code, underlines the need for strict access controls so that events cannot be injected before a vCPU is properly initialized. Possible consequences include kernel panics and instability caused by error conditions that the erroneous event handling triggers.
Affected Version(s)
Linux b7b27facc7b50a5fce0afaa3df56157136ce181a < 64a04e6320fc5affbadc59dc7024d79f909bfe84
Linux b7b27facc7b50a5fce0afaa3df56157136ce181a < 0aa1b76fe1429629215a7c79820e4b96233ac4a3
Linux 4.19