{"id":"CVE-2025-22013","summary":"KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state\n\nThere are several problems with the way hyp code lazily saves the host's\nFPSIMD/SVE state, including:\n\n* Host SVE being discarded unexpectedly due to inconsistent\n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to\n  result in QEMU crashes where SVE is used by memmove(), as reported by\n  Eric Auger:\n\n  https://issues.redhat.com/browse/RHEL-68997\n\n* Host SVE state is discarded *after* modification by ptrace, which was an\n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.\n\n* The host FPMR value can be discarded when running a non-protected VM,\n  where FPMR support is not exposed to a VM, and that VM uses\n  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR\n  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale\n  value in memory.\n\nAvoid these by eagerly saving and \"flushing\" the host's FPSIMD/SVE/SME\nstate when loading a vCPU such that KVM does not need to save any of the\nhost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is\nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is\nplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'\nshould not be used, they are set to NULL; all uses of these will be\nremoved in subsequent patches.\n\nHistorical problems go back at least as far as v5.17, e.g. erroneous\nassumptions about TIF_SVE being clear in commit:\n\n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")\n\n... and so this eager save+flush probably needs to be backported to ALL\nstable trees.","modified":"2026-02-04T02:22:06.984224Z","published":"2025-04-08T08:18:04Z","related":["MGASA-2025-0142","MGASA-2025-0146","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22013.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22013.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22013"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90"},{"fixed":"5289ac43b69c61a49c75720921f2008005a31c43"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d5f7d3833b534f9e43e548461dba1e60aa82f587"},{"fixed":"04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe"},{"fixed":"806d5c1e1d2e5502175a24bf70f251648d99c36a"},{"fixed":"79e140bba70bcacc5fe15bf8c0b958793fd7d56f"},{"fixed":"900b444be493b7f404898c785d6605b177a093d0"},{"fixed":"fbc7e61195e23f744814e78524b73b59faa54ab4"}]}],"versions":["v6.1","v6.1-rc5","v6.1-rc6","v6.1-rc7","v6.1-rc8","v6.10","v6.10-rc1","v6.10-rc2","v6.10-rc3","v6.10-rc4","v6.10-rc5","v6.10-rc6","v6.10-rc7","v6.11","v6.11-rc1","v6.11-rc2","v6.11-rc3","v6.11-rc4","v6.11-rc5","v6.11-rc6","v6.11-rc7","v6.12","v6.12-rc1","v6.12-rc2","v6.12-rc3","v6.12-rc4","v6.12-rc5","v6.12-rc6","v6.12-rc7","v6.12.1","v6.12.10","v6.12.11","v6.12.12","v6.12.13","v6.12.14","v6.12.15","v6.12.16","v6.12.17","v6.12.18","v6.12.19","v6.12.2","v6.12.20","v6.12.3","v6.12.4","v6.12.5","v6.12.6","v6.12.7","v6.12.8","v6.12.9","v6.13","v6.13-rc1","v6.13-rc2","v6.13-rc3","v6.13-rc4","v6.13-rc5","v6.13-rc6","v6.13-rc7","v6.13.1","v6.13.2","v6.13.3","v6.13.4","v6.13.5","v6.13.6","v6.13.7","v6.13.8","v6.2","v6.2-rc1","v6.2-rc2","v6.2-rc3","v6.2-rc4","v6.2-rc5","v6.2-rc6","v6.2-rc7","v6.2-rc8","v6.3","v6.3-rc1","v6.3-rc2","v6.3-rc3","v6.3-rc4","v6.3-rc5","v6.3-rc6","v6.3-rc7","v6.4","v6.4-rc1","v6.4-rc2","v6.4-rc3","v6.4-rc4","v6.4-rc5","v6.4-rc6","v6.4-rc7","v6.5","v6.5-rc1","v6.5-rc2","v6.5-rc3","v6.5-rc4","v6.5-rc5","v6.5-rc6","v6.5-rc7","v6.6","v6.6-rc1","v6.6-rc2","v6.6-rc3","v6.6-rc4","v6.6-rc5","v6.6-rc6","v6.6-rc7","v6.6.1","v6.6.10","v6.6.11","v6.6.12","v6.6.13","v6.6.14","v6.6.15","v6.6.16","v6.6.17","v6.6.18","v6.6.19","v6.6.2","v6.6.20","v6.6.21","v6.6.22","v6.6.23","v6.6.24","v6.6.25","v6.6.26","v6.6.27","v6.6.28","v6.6.29","v6.6.3","v6.6.30","v6.6.31","v6.6.32","v6.6.33","v6.6.34","v6.6.35","v6.6.36","v6.6.37","v6.6.38","v6.6.39","v6.6.4","v6.6.40","v6.6.41","v6.6.42","v6.6.43","v6.6.44","v6.6.45","v6.6.46","v6.6.47","v6.6.48","v6.6.49","v6.6.5","v6.6.50","v6.6.51","v6.6.52","v6.6.53","v6.6.54","v6.6.55","v6.6.56","v6.6.57","v6.6.58","v6.6.59","v6.6.6","v6.6.60","v6.6.61","v6.6.62","v6.6.63","v6.6.64","v6.6.65","v6.6.66","v6.6.67","v6.6.68","v6.6.69","v6.6.7","v6.6.70","v6.6.71","v6.6.72","v6.6.73","v6.6.74","v6.6.75","v6.6.76","v6.6.77","v6.6.78","v6.6.79","v6.6.8","v6.6.80","v6.6.81","v6.6.82","v6.6.83","v6.6.84","v6.6.9","v6.7","v6.7-rc1","v6.7-rc2","v6.7-rc3","v6.7-rc4","v6.7-rc5","v6.7-rc6","v6.7-rc7","v6.7-rc8","v6.8","v6.8-rc1","v6.8-rc2","v6.8-rc3","v6.8-rc4","v6.8-rc5","v6.8-rc6","v6.8-rc7","v6.9","v6.9-rc1","v6.9-rc2","v6.9-rc3","v6.9-rc4","v6.9-rc5","v6.9-rc6","v6.9-rc7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22013.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.85"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.13.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22013.json"}}],"schema_version":"1.7.3"}