KVM L1 I/O Intercept Recheck Misclassifies Allowed I/O Exit
CVE-2025-40026 Published on October 28, 2025
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
When completing emulation of an instruction that generated a userspace exit
for I/O, don't recheck L1 intercepts as KVM has already finished that
phase of instruction execution, i.e. has already committed to allowing L2
to perform I/O. If L1 (or host userspace) modifies the I/O permission
bitmaps during the exit to userspace, KVM will treat the access as being
intercepted despite already having emulated the I/O access.
Pivot on EMULTYPE_NO_DECODE to detect that KVM is completing emulation.
Of the three users of EMULTYPE_NO_DECODE, only complete_emulated_io() (the
intended "recipient") can reach the code in question. gp_interception()'s
use is mutually exclusive with is_guest_mode(), and
complete_emulated_insn_gp() unconditionally pairs EMULTYPE_NO_DECODE with
EMULTYPE_SKIP.
The bad behavior was detected by a syzkaller program that toggles port I/O
interception during the userspace I/O exit, ultimately resulting in a WARN
on vcpu->arch.pio.count being non-zero due to KVM not completing emulation
of the I/O instruction.
WARNING: CPU: 23 PID: 1083 at arch/x86/kvm/x86.c:8039 emulator_pio_in_out+0x154/0x170 [kvm]
Modules linked in: kvm_intel kvm irqbypass
CPU: 23 UID: 1000 PID: 1083 Comm: repro Not tainted 6.16.0-rc5-c1610d2d66b1-next-vm #74 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:emulator_pio_in_out+0x154/0x170 [kvm]
PKRU: 55555554
Call Trace:
<TASK>
kvm_fast_pio+0xd6/0x1d0 [kvm]
vmx_handle_exit+0x149/0x610 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xda8/0x1ac0 [kvm]
kvm_vcpu_ioctl+0x244/0x8c0 [kvm]
__x64_sys_ioctl+0x8a/0xd0
do_syscall_64+0x5d/0xc60
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
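The two-phase flow the commit message describes, as an added example that models it in plain C; this is not KVM's code. EMULTYPE_NO_DECODE and is_guest_mode() are KVM names, but the flag value, the bitmap layout (one bit per port, as in the VMX I/O bitmap) and every function and struct name below are assumptions made for illustration. The pre-fix check consults L1's bitmap again when KVM resumes after the userspace exit, so a bitmap flipped during the exit leaves the in-flight PIO uncompleted (the non-zero pio.count behind the WARN); the post-fix check skips the intercept lookup when EMULTYPE_NO_DECODE marks the call as completion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of nested port-I/O interception (not KVM code).
 * Flag value, bitmap layout and all names are illustrative assumptions. */
#define IO_BITMAP_BYTES 8192            /* one bit per port 0..65535 */
#define EMULTYPE_NO_DECODE (1u << 0)    /* value is arbitrary in this model */

struct vcpu {
    uint8_t l1_io_bitmap[IO_BITMAP_BYTES]; /* L1's I/O permission bitmap for L2 */
    bool guest_mode;                       /* models is_guest_mode(): L2 is running */
    int pio_count;                         /* non-zero while a PIO is in flight */
    uint16_t pending_port;
};

static bool l1_intercepts_port(const struct vcpu *v, uint16_t port)
{
    return (v->l1_io_bitmap[port / 8] >> (port % 8)) & 1;
}

static void set_l1_intercept(struct vcpu *v, uint16_t port, bool on)
{
    if (on)
        v->l1_io_bitmap[port / 8] |= (uint8_t)(1u << (port % 8));
    else
        v->l1_io_bitmap[port / 8] &= (uint8_t)~(1u << (port % 8));
}

typedef bool (*intercept_check_fn)(const struct vcpu *v, unsigned emul_type, uint16_t port);

/* Pre-fix behaviour: consult L1's bitmap whenever L2 is active, even when
 * KVM is only completing an I/O access it has already let through. */
static bool check_intercept_prefix(const struct vcpu *v, unsigned emul_type, uint16_t port)
{
    (void)emul_type;
    return v->guest_mode && l1_intercepts_port(v, port);
}

/* Post-fix behaviour: completion of a userspace I/O exit carries
 * EMULTYPE_NO_DECODE, and the intercept phase is already over. */
static bool check_intercept_fixed(const struct vcpu *v, unsigned emul_type, uint16_t port)
{
    if (emul_type & EMULTYPE_NO_DECODE)
        return false;
    return v->guest_mode && l1_intercepts_port(v, port);
}

enum io_result { IO_DONE, IO_EXIT_TO_USERSPACE, IO_REFLECTED_TO_L1 };

/* Phase 1: L2 executes an I/O instruction and KVM decides who handles it. */
static enum io_result start_pio(struct vcpu *v, intercept_check_fn check, uint16_t port)
{
    if (check(v, 0, port))
        return IO_REFLECTED_TO_L1;    /* L1 intercepts this port: reflect the exit to L1 */
    v->pio_count = 1;                 /* committed: L2 performs the I/O via userspace */
    v->pending_port = port;
    return IO_EXIT_TO_USERSPACE;
}

/* Phase 2: KVM_RUN resumes after userspace serviced the port access. */
static enum io_result complete_pio(struct vcpu *v, intercept_check_fn check)
{
    if (check(v, EMULTYPE_NO_DECODE, v->pending_port))
        return IO_REFLECTED_TO_L1;    /* wrong: the access already happened, pio_count stays set */
    v->pio_count = 0;
    return IO_DONE;
}

/* The syzkaller-style sequence: L1's bitmap is toggled while the userspace exit
 * is pending. Returns the leftover pio_count; non-zero is the WARN condition. */
static int run_scenario(intercept_check_fn check)
{
    struct vcpu v;
    memset(&v, 0, sizeof v);
    v.guest_mode = true;
    const uint16_t port = 0x80;       /* not intercepted when L2 starts the OUT */

    if (start_pio(&v, check, port) != IO_EXIT_TO_USERSPACE)
        return -1;
    set_l1_intercept(&v, port, true); /* bitmap flipped during the userspace exit */
    complete_pio(&v, check);
    return v.pio_count;
}

/* Sanity check that the fix does not weaken phase 1: a port L1 intercepts
 * from the outset must still be reflected to L1 under both variants. */
static bool reflects_intercepted_port(intercept_check_fn check)
{
    struct vcpu v;
    memset(&v, 0, sizeof v);
    v.guest_mode = true;
    set_l1_intercept(&v, 0x60, true);
    return start_pio(&v, check, 0x60) == IO_REFLECTED_TO_L1;
}

int main(void)
{
    printf("pre-fix  leftover pio.count = %d\n", run_scenario(check_intercept_prefix));
    printf("post-fix leftover pio.count = %d\n", run_scenario(check_intercept_fixed));
    return 0;
}
```

The model deliberately keeps the phase-1 check identical in both variants: the fix only removes the second lookup performed while completing emulation, which is the point of pivoting on EMULTYPE_NO_DECODE rather than dropping the intercept check altogether.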
Products associated with CVE-2025-40026: Linux Kernel, Canonical Ubuntu Linux
Affected Versions
Linux kernel, by commit range (the vulnerable code was introduced in 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9; each range ends at the commit that carries the fix on that branch):
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before a908eca437789589dd4624da428614c1275064dc: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before 00338255bb1f422642fb2798ebe92e93b6e4209b: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before e0ce3ed1048a47986d15aef1a98ebda25560d257: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before ba35a5d775799ce5ad60230be97336f2fefd518e: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before 3d3abf3f7e8b1abb082070a343de82d7efc80523: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before e7177c7e32cb806f348387b7f4faafd4a5b32054: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before 3a062a5c55adc5507600b9ae6d911e247e2f1d6e: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before 7366830642505683bbe905a2ba5d18d6e4b512b8: affected.
- From 8a76d7f25f8f24fc5a328c8e15e4a7313cf141b9, before e750f85391286a4c8100275516973324b621a269: affected.
Linux kernel, by release:
- 3.0: affected.
- Before 3.0: unaffected.
- 5.4.301 and later 5.4.x: unaffected (fixed).
- 5.10.246 and later 5.10.x: unaffected (fixed).
- 5.15.195 and later 5.15.x: unaffected (fixed).
- 6.1.157 and later 6.1.x: unaffected (fixed).
- 6.6.111 and later 6.6.x: unaffected (fixed).
- 6.12.52 and later 6.12.x: unaffected (fixed).
- 6.16.12 and later 6.16.x: unaffected (fixed).
- 6.17.2 and later 6.17.x: unaffected (fixed).
- 6.18 and later: unaffected (fixed).