{"id":"CVE-2025-40026","summary":"KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Don't (re)check L1 intercepts when completing userspace I/O\n\nWhen completing emulation of instruction that generated a userspace exit\nfor I/O, don't recheck L1 intercepts as KVM has already finished that\nphase of instruction execution, i.e. has already committed to allowing L2\nto perform I/O.  If L1 (or host userspace) modifies the I/O permission\nbitmaps during the exit to userspace,  KVM will treat the access as being\nintercepted despite already having emulated the I/O access.\n\nPivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.\nOf the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the\nintended \"recipient\") can reach the code in question.  gp_interception()'s\nuse is mutually exclusive with is_guest_mode(), and\ncomplete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with\nEMULTYPE_SKIP.\n\nThe bad behavior was detected by a syzkaller program that toggles port I/O\ninterception during the userspace I/O exit, ultimately resulting in a WARN\non vcpu-\u003earch.pio.count being non-zero due to KVM no completing emulation\nof the I/O instruction.\n\n  WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]\n  Modules linked in: kvm_intel kvm irqbypass\n  CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n  RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   kvm_fast_pio+0xd6/0x1d0 [kvm]\n   vmx_handle_exit+0x149/0x610 [kvm_intel]\n   kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]\n   kvm_vcpu_ioctl+0x244/0x8c0 [kvm]\n   __x64_sys_ioctl+0x8a/0xd0\n   do_syscall_64+0x5d/0xc60\n   entry_SYSCALL_64_after_hwframe+0x4b/0x53\n   \u003c/TASK\u003e","modified":"2026-05-18T05:56:20.857446191Z","published":"2025-10-28T09:32:33.075Z","related":["openSUSE-SU-2025:15702-1","openSUSE-SU-2026:10301-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40026.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/00338255bb1f422642fb2798ebe92e93b6e4209b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3a062a5c55adc5507600b9ae6d911e247e2f1d6e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d3abf3f7e8b1abb082070a343de82d7efc80523"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7366830642505683bbe905a2ba5d18d6e4b512b8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a908eca437789589dd4624da428614c1275064dc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ba35a5d775799ce5ad60230be97336f2fefd518e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e0ce3ed1048a47986d15aef1a98ebda25560d257"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e7177c7e32cb806f348387b7f4faafd4a5b32054"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e750f85391286a4c8100275516973324b621a269"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40026.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-40026"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9"},{"fixed":"a908eca437789589dd4624da428614c1275064dc"},{"fixed":"00338255bb1f422642fb2798ebe92e93b6e4209b"},{"fixed":"e0ce3ed1048a47986d15aef1a98ebda25560d257"},{"fixed":"ba35a5d775799ce5ad60230be97336f2fefd518e"},{"fixed":"3d3abf3f7e8b1abb082070a343de82d7efc80523"},{"fixed":"e7177c7e32cb806f348387b7f4faafd4a5b32054"},{"fixed":"3a062a5c55adc5507600b9ae6d911e247e2f1d6e"},{"fixed":"7366830642505683bbe905a2ba5d18d6e4b512b8"},{"fixed":"e750f85391286a4c8100275516973324b621a269"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40026.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.157"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.111"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.52"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.16.12"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.2"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40026.json"}}],"schema_version":"1.7.5"}