CVE-2025-38351: KVM Guest Crash via Malformed Hyper-V TLB Flush Requests
This blog post discusses a recently identified vulnerability, CVE-2025-38351, in the Linux kernel's KVM (Kernel-based Virtual Machine) module when it handles Hyper-V hypercalls from its guests. A malicious guest operating system could exploit this flaw to trigger a denial-of-service condition.
Vulnerability Details
- CVE ID: CVE-2025-38351
- Description: The KVM implementation of Hyper-V hypercalls, specifically the TLB (Translation Lookaside Buffer) flush hypercalls, lacks proper validation of guest-supplied addresses. When a guest requests a TLB flush through the HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST or HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX hypercall with non-canonical addresses, the kernel attempts to process them, leading to an error and a potential crash.
- CVSS Score and Vector: The CVSS score is not available at the time of writing, but based on the impact (denial of service) and exploitability (requires guest access), a MEDIUM severity is likely. A possible CVSS vector is CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L. In plain terms: an attacker with local access (inside the guest) and high privileges can cause a limited impact on the availability of the host system.
- Exploit Requirements: Exploitation requires the ability to execute code within a KVM guest configured with Hyper-V hypercalls enabled, which typically necessitates administrative privileges within the guest OS.
- Affected Vendor, Product, Version: This vulnerability affects the Linux kernel. The fix has been backported to stable kernel versions. It is recommended to update to the latest stable kernel release.
- CWE: CWE-20 - Improper Input Validation. This means the software doesn't properly check if the input data is valid, which can lead to unexpected behavior, security vulnerabilities, or system crashes. In this case, the KVM module is not validating the guest-supplied virtual addresses before attempting to use them in TLB invalidation operations.
Timeline of Events
- 2025-07-19: CVE ID assigned and vulnerability details published.
- [Date]: Patch submitted to the Linux kernel mailing lists.
- [Date]: Patch merged into the mainline Linux kernel.
- [Date]: Stable kernel updates released with the fix.
Exploitability & Real-World Risk
While exploiting this vulnerability requires administrative access within a KVM guest, the impact can extend beyond the guest itself. A successful exploit can lead to a denial-of-service condition on the host machine, affecting other virtual machines running on the same host. In shared hosting environments or cloud infrastructure, this could potentially impact multiple users. This vulnerability could be chained with other guest-to-host escape techniques to achieve more severe consequences.
Recommendations
- Apply Patches: Update your Linux kernel to the latest stable release containing the fix for CVE-2025-38351. Check your distribution's security advisories for specific patch information.
- Monitor Guest Behavior: Implement monitoring mechanisms within your KVM environment to detect unusual hypercall activity or attempts to access invalid memory regions.
- Principle of Least Privilege: Apply the principle of least privilege within guest operating systems. Restrict administrative access to only necessary users and processes.
Technical Insight
The vulnerability stems from the KVM module's handling of the Hyper-V TLB flush hypercalls. The TLB is a cache used by the CPU to speed up virtual-to-physical address translation. When a guest OS requests a TLB flush, the KVM module is responsible for invalidating the appropriate entries. However, the KVM module fails to properly validate the guest-supplied virtual addresses: if the guest provides a non-canonical address, the underlying hardware instruction (INVVPID on Intel) can fail with a VM-Fail, leading to a denial of service on the host.
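As an added illustration (not code from the advisory or from the kernel), the following C routine walks a Hyper-V flush list the way a hardened handler should: it decodes each entry and checks every page derived from it for canonicality before invalidation, so a non-canonical page is skipped rather than reaching INVVPID. It assumes the Hyper-V TLFS entry layout (page number in bits 63:12, extra-page count in bits 11:0), the 48-bit and 57-bit (LA57) canonical widths, a hypothetical `flush_gva` callback standing in for the real per-page invalidation, and a constructed sample list.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define PAGE_SIZE 4096ULL
#define PAGE_MASK (~(PAGE_SIZE - 1))

/* x86-64 canonical check: bits 63..(va_bits-1) must be all 0 or all 1.
 * va_bits is 48 with 4-level paging and 57 with LA57. */
bool gva_is_canonical(uint64_t gva, int va_bits)
{
    uint64_t upper = gva >> (va_bits - 1);
    return upper == 0 || upper == (UINT64_MAX >> (va_bits - 1));
}

struct flush_stats { unsigned flushed; unsigned skipped; };

/* Hardened walk of a guest-supplied flush list. Each entry packs the GVA page
 * number in bits 63:12 and the number of *additional* consecutive pages in
 * bits 11:0 (Hyper-V TLFS layout, assumed here). Every derived page is checked
 * before it reaches the invalidation primitive; a non-canonical page maps
 * nothing and is skipped instead of being handed to INVVPID (the unchecked path
 * the advisory describes). flush_gva is a hypothetical stand-in; NULL just counts. */
struct flush_stats process_flush_list(const uint64_t *entries, size_t n,
                                      int va_bits, void (*flush_gva)(uint64_t))
{
    struct flush_stats st = {0, 0};
    for (size_t i = 0; i < n; i++) {
        uint64_t base = entries[i] & PAGE_MASK;
        unsigned extra = (unsigned)(entries[i] & ~PAGE_MASK);
        for (unsigned j = 0; j <= extra; j++) {
            uint64_t gva = base + (uint64_t)j * PAGE_SIZE;
            if (!gva_is_canonical(gva, va_bits)) { st.skipped++; continue; }
            if (flush_gva) flush_gva(gva);
            st.flushed++;
        }
    }
    return st;
}

/* Constructed sample (not from the advisory): a 4-page run that crosses from the
 * user half into the non-canonical hole, one kernel-half page, and one page that
 * is non-canonical with 48-bit VAs but canonical under LA57. */
const uint64_t sample_list[] = {
    0x00007FFFFFFFE000ULL | 3, 0xFFFF800000000000ULL, 0x0000800000000000ULL,
};
const size_t sample_len = sizeof sample_list / sizeof sample_list[0];
static void print_flush(uint64_t gva) { printf("flush %#llx\n", (unsigned long long)gva); }
int main(void)
{
    struct flush_stats st = process_flush_list(sample_list, sample_len, 48, print_flush);
    printf("48-bit VAs: flushed %u, skipped %u\n", st.flushed, st.skipped);
    return 0;
}
```

The per-page check matters because a single entry can describe a range that starts canonical and runs into the hole; checking only the entry's base address would still pass bad pages through.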
Credit to Researcher(s)
The vulnerability was identified by kernel developers during routine code review and testing.
Tags
KVM, Hyper-V, TLB, Linux Kernel, Security, CVE-2025-38351, Denial of Service
Summary: CVE-2025-38351 is a vulnerability in the Linux kernel's KVM module allowing a malicious Hyper-V guest to cause a denial-of-service by triggering an invalid TLB flush. Update your kernel to the latest patched version to mitigate this risk.
Risk Analysis: Successful exploitation can lead to a denial-of-service condition on the host machine, potentially affecting other virtual machines. In shared hosting environments, this could impact multiple users.
Recommendation: Update the Linux kernel to the latest stable release containing the fix for CVE-2025-38351. Implement monitoring mechanisms within your KVM environment to detect unusual hypercall activity.