{"uuid": "c6a00747-27dc-4199-aa1c-14a79b0eea8b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-22013", "type": "seen", "source": "https://t.me/cvedetector/22450", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-22013 - KVM: arm64: FPSIMD/SVE/SME State Eager Save and Flush Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-22013 \nPublished : April 8, 2025, 9:15 a.m. | 2\u00a0hours, 10\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state  \n  \nThere are several problems with the way hyp code lazily saves the host's  \nFPSIMD/SVE state, including:  \n  \n* Host SVE being discarded unexpectedly due to inconsistent  \n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to  \n  result in QEMU crashes where SVE is used by memmove(), as reported by  \n  Eric Auger:  \n  \n    \n  \n* Host SVE state is discarded *after* modification by ptrace, which was an  \n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.  \n  \n* The host FPMR value can be discarded when running a non-protected VM,  \n  where FPMR support is not exposed to a VM, and that VM uses  \n  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR  \n  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale  \n  value in memory.  \n  \nAvoid these by eagerly saving and \"flushing\" the host's FPSIMD/SVE/SME  \nstate when loading a vCPU such that KVM does not need to save any of the  \nhost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is  \nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is  \nplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'  \nshould not be used, they are set to NULL; all uses of these will be  \nremoved in subsequent patches.  \n  \nHistorical problems go back at least as far as v5.17, e.g. erroneous  \nassumptions about TIF_SVE being clear in commit:  \n  \n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")  \n  \n... and so this eager save+flush probably needs to be backported to ALL  \nstable trees. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Apr 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-04-08T14:00:02.000000Z"}