{"id":"CVE-2025-22013","summary":"KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state\n\nThere are several problems with the way hyp code lazily saves the host's\nFPSIMD/SVE state, including:\n\n* Host SVE being discarded unexpectedly due to inconsistent\n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to\n  result in QEMU crashes where SVE is used by memmove(), as reported by\n  Eric Auger:\n\n  https://issues.redhat.com/browse/RHEL-68997\n\n* Host SVE state is discarded *after* modification by ptrace, which was an\n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.\n\n* The host FPMR value can be discarded when running a non-protected VM,\n  where FPMR support is not exposed to a VM, and that VM uses\n  FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR\n  before unbinding the host's FPSIMD/SVE/SME state, leaving a stale\n  value in memory.\n\nAvoid these by eagerly saving and \"flushing\" the host's FPSIMD/SVE/SME\nstate when loading a vCPU such that KVM does not need to save any of the\nhost's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is\nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is\nplaced in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr'\nshould not be used, they are set to NULL; all uses of these will be\nremoved in subsequent patches.\n\nHistorical problems go back at least as far as v5.17, e.g. erroneous\nassumptions about TIF_SVE being clear in commit:\n\n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")\n\n... and so this eager save+flush probably needs to be backported to ALL\nstable trees.","modified":"2026-05-28T03:54:55.136313165Z","published":"2025-04-08T08:18:04Z","related":["SUSE-SU-2025:01614-1","SUSE-SU-2025:01707-1","SUSE-SU-2025:01919-1","SUSE-SU-2025:01951-1","SUSE-SU-2025:01964-1","SUSE-SU-2025:01967-1","SUSE-SU-2025:20192-1","SUSE-SU-2025:20206-1","SUSE-SU-2025:20270-1","SUSE-SU-2025:20283-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22013.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43"},{"type":"WEB","url":"https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22013.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22013"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"c4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90"},{"fixed":"5289ac43b69c61a49c75720921f2008005a31c43"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d5f7d3833b534f9e43e548461dba1e60aa82f587"},{"fixed":"04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"93ae6b01bafee8fa385aa25ee7ebdb40057f6abe"},{"fixed":"806d5c1e1d2e5502175a24bf70f251648d99c36a"},{"fixed":"79e140bba70bcacc5fe15bf8c0b958793fd7d56f"},{"fixed":"900b444be493b7f404898c785d6605b177a093d0"},{"fixed":"fbc7e61195e23f744814e78524b73b59faa54ab4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22013.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.85"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.13.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22013.json"}}],"schema_version":"1.7.5"}