CVE-2025-38670

arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
to different stacks along with the Shadow Call Stack if it is enabled.
Those two stack changes cannot be done atomically and both functions
can be interrupted by SErrors or Debug Exceptions which, though unlikely,
is very much broken : if interrupted, we can end up with mismatched stacks
and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
but x18 stills points to the old task's SCS. When the interrupt handler
tries to save the task's SCS pointer, it will save the old task
SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack
to the IRQ stack and when switching back. In both cases, we can be
interrupted when the SCS pointer points to the IRQ SCS, but SP points to
the task stack. The nested interrupt handler pushes its return addresses
on the IRQ SCS. It then detects that SP points to the task stack,
calls `call_on_irq_stack()` and clobbers the task SCS pointer with
the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS,
or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
or FPAC if enabled. This is possible on a default config, but unlikely.
However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
instead the GIC is responsible for filtering what interrupts the CPU
should receive based on priority.
Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
frequently depending on the system configuration and workload, leading
to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
Do the same in `call_on_irq_stack()`, but restore and mask around
the branch.
Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF,
as the existing one saves but only masks IF.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64/entry: Mask DAIF en cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` y `call_on_irq_stack()` manipulan SP para cambiar a diferentes pilas junto con Shadow Call Stack si está habilitado. Estos dos cambios de pila no se pueden realizar de forma automática y ambas funciones pueden ser interrumpidas por SErrors o Debug Exceptions, lo que, aunque poco probable, es muy problemático: si se interrumpe, podemos terminar con pilas desajustadas y Shadow Call Stack, lo que lleva a pilas dañadas. En `cpu_switch_to()`, puede ocurrir cuando SP_EL0 apunta a la nueva tarea, pero x18 todavía apunta al SCS de la tarea anterior. Cuando el manejador de interrupciones intenta guardar el puntero SCS de la tarea, guardará el antiguo puntero SCS de la tarea (x18) en la nueva estructura de la tarea (apuntada por SP_EL0), bloqueándola. En `call_on_irq_stack()`, puede suceder al cambiar de la pila de tareas a la pila de IRQ y al volver a cambiar. En ambos casos, podemos ser interrumpidos cuando el puntero SCS apunta al SCS de IRQ, pero SP apunta a la pila de tareas. El manejador de interrupciones anidado empuja sus direcciones de retorno en el SCS de IRQ. Luego detecta que SP apunta a la pila de tareas, llama a `call_on_irq_stack()` y bloquea el puntero SCS de la tarea con el puntero SCS de IRQ, ¡que también usará! Esto lleva a que las tareas regresen a direcciones en el SCS incorrecto, o incluso en el SCS de IRQ, lo que desencadena pánicos del kernel a través de CONFIG_VMAP_STACK o FPAC si está habilitado. Esto es posible en una configuración predeterminada, pero poco probable. Sin embargo, al habilitar CONFIG_ARM64_PSEUDO_NMI, DAIF se desenmascara y, en su lugar, el GIC se encarga de filtrar las interrupciones que la CPU debería recibir según su prioridad. Dado el objetivo de emular NMI, la CPU puede recibir pseudo-NMI incluso en `cpu_switch_to()` y `call_on_irq_stack()`, posiblemente con mucha frecuencia según la configuración del sistema y la carga de trabajo, lo que provoca pánicos de kernel impredecibles. Enmascare completamente DAIF en `cpu_switch_to()` y restáurelo al regresar. Haga lo mismo en `call_on_irq_stack()`, pero restáurelo y enmascare alrededor de la rama. Enmascare DAIF incluso si CONFIG_SHADOW_CALL_STACK no está habilitado para mantener la coherencia entre todas las configuraciones. Introduzca y utilice una macro de ensamblaje para guardar y enmascarar DAIF, ya que la existente guarda pero solo enmascara las interrupciones IF.

In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF.

It was discovered that improper initialization of CPU cache memory could allow a local attacker with hypervisor access to overwrite SEV-SNP guest memory resulting in loss of data integrity. Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi discovered that the Linux kernel contained insufficient branch predictor isolation between a guest and a userspace hypervisor for certain processors. This flaw is known as VMSCAPE. An attacker in a guest VM could possibly use this to expose sensitive information from the host OS.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-04-16 CVE Reserved
2025-08-22 CVE Published
2025-12-23 CVE Updated
2026-01-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/3f225f29c69c13ce1cbdb1d607a42efeef080056	Vuln. Introduced
https://git.kernel.org/stable/c/402d2b1d54b7085d0c3bfd01fd50c2701dde64b3	Vuln. Introduced
https://git.kernel.org/stable/c/4403c7b7e5e1ad09a266b6e399fd7bf97931508e	Vuln. Introduced
https://git.kernel.org/stable/c/59b37fe52f49955791a460752c37145f1afdcad1	Vuln. Introduced
https://git.kernel.org/stable/c/e47ce4f11e26fa3ea99b09521da8b3ac3a7b578d	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f7e0231eeaa33245c649fac0303cf97209605446	2024-02-23
https://git.kernel.org/stable/c/407047893a64399f2d2390ff35cc6061107d805d	2025-08-28
https://git.kernel.org/stable/c/a6b0cb523eaa01efe8a3f76ced493ba60674c6e6	2025-08-28
https://git.kernel.org/stable/c/9433a5f437b0948d6a2d8a02ad7a42ab7ca27a61	2025-08-01
https://git.kernel.org/stable/c/708fd522b86d2a9544c34ec6a86fa3fc23336525	2025-08-01
https://git.kernel.org/stable/c/0f67015d72627bad72da3c2084352e0aa134416b	2025-08-01
https://git.kernel.org/stable/c/d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb	2025-07-22

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.180 < 5.10.210 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.180 < 5.10.210"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.111 < 5.15.190 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.111 < 5.15.190"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.28 < 6.1.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.28 < 6.1.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.6.101 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.101"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.12.41 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.12.41"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.15.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.15.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.16"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.2.15 Search vendor "Linux" for product "Linux Kernel" and version "6.2.15"		en		Affected