CVE-2025-21779
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's KVM hypervisor allows a malicious guest VM to crash the host kernel when Hyper-V enlightenments are enabled without an in-kernel local APIC. This affects systems running Linux with KVM virtualization where Hyper-V features are exposed to guests. The vulnerability can lead to denial of service on the host system.
💻 Affected Systems
- Linux kernel with KVM virtualization
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Host kernel panic leading to complete system crash and denial of service for all VMs and services running on the host.
Likely Case
Guest VM can crash the host kernel, causing downtime for all VMs on that host until the host is rebooted.
If Mitigated
No impact if Hyper-V enlightenments are disabled or if in-kernel local APIC is properly configured.
🎯 Exploit Status
Requires guest VM access and specific Hyper-V configuration. The vulnerability is triggered through Hyper-V hypercalls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 45fa526b0f5a, 5393cf223124, 61224533f2b6, 874ff13c73c4, a8de7f100bb5
Vendor Advisory: https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits.
2. Reboot the host system.
3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable Hyper-V enlightenments
Prevent exposure of Hyper-V features to guest VMs
Edit VM configuration to remove Hyper-V enlightenments or set kvm.hv.enforce_cpuid=1
Ensure in-kernel local APIC
Configure KVM to use in-kernel local APIC emulation
Verify KVM configuration uses kernel-mode APIC emulation
🧯 If You Can't Patch
- Disable Hyper-V enlightenments on all guest VMs
- Isolate potentially malicious guest VMs on separate physical hosts
🔍 How to Verify
Check if Vulnerable:
Check if running affected kernel version and if Hyper-V enlightenments are enabled without in-kernel APIC
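One way to audit the configuration half of this check, as an added example that is not part of the original advisory: it parses QEMU argument vectors and flags guests that combine Hyper-V enlightenments with `kernel-irqchip=off`. The guest names and command lines are constructed samples, and the assumption is that guests are started by QEMU with these options visible on the command line.

```python
import re
import shlex

def audit_qemu_argv(argv):
    """Flag a guest that has Hyper-V enlightenments but no in-kernel local APIC."""
    hv_features, irqchip = [], "default"
    for opt, val in zip(argv, argv[1:]):
        props = val.split(",")
        if opt == "-cpu":
            # props[0] is the CPU model; the rest are feature flags.
            for prop in props[1:]:
                name, _, setting = prop.partition("=")
                if re.match(r"hv[-_]", name) and setting != "off":
                    hv_features.append(name)
        elif opt in ("-machine", "-M", "-accel"):
            for prop in props:
                name, _, setting = prop.partition("=")
                if name.replace("_", "-") == "kernel-irqchip":
                    irqchip = setting
    # "split" keeps the local APIC in the kernel; only "off" moves it to userspace.
    exposed = bool(hv_features) and irqchip == "off"
    return {"hv_features": hv_features, "kernel_irqchip": irqchip, "exposed": exposed}

# Constructed sample command lines (hypothetical guests). On a host, build argv
# from /proc/<pid>/cmdline by splitting on NUL bytes instead.
SAMPLES = {
    "vm-a": "qemu-system-x86_64 -machine q35,accel=kvm,kernel-irqchip=off "
            "-cpu host,hv-relaxed,hv-vapic,hv-vpindex,hv-ipi -m 4096",
    "vm-b": "qemu-system-x86_64 -machine q35,accel=kvm "
            "-cpu host,hv_relaxed,hv_time -m 4096",
    "vm-c": "qemu-system-x86_64 -accel kvm,kernel-irqchip=split "
            "-cpu host,hv-ipi=off -m 2048",
}

def audit_all(samples=SAMPLES):
    return {name: audit_qemu_argv(shlex.split(cmd)) for name, cmd in samples.items()}

if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result)
```

A guest flagged as exposed still needs the kernel version check below before the host is considered vulnerable.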
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes the fix commits and test Hyper-V hypercalls in guest VMs
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- NULL pointer dereference errors in kernel logs
- KVM hypercall failure logs
Network Indicators:
- Sudden loss of connectivity to host
SIEM Query:
Search for 'kasan_report', '__apic_accept_irq', or 'kvm_hv_send_ipi' in kernel logs
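The search above can be tightened by correlating the symbols inside a single crash report rather than matching them anywhere in the log. The following is an added example, not part of the original advisory; the log lines are constructed, with zeroed offsets as placeholders. It requires both function names in one report and treats `kasan_report` as optional, since that symbol only appears on KASAN-enabled kernels.

```python
import re

MARKERS = ("__apic_accept_irq", "kvm_hv_send_ipi")
START = re.compile(r"BUG: |Oops: |general protection fault")
END = re.compile(r"---\[ end trace")

def _matches(block):
    # Every marker must appear somewhere in the same crash report.
    return all(any(marker in line for line in block) for marker in MARKERS)

def find_reports(lines):
    """Group kernel log lines into crash reports; return those with both markers."""
    hits, block = [], None
    for line in lines:
        if block is None and START.search(line):
            block = []
        if block is not None:
            block.append(line)
            if END.search(line):
                if _matches(block):
                    hits.append(block)
                block = None
    # A host panic can cut the log off before the end-trace line is written.
    if block and _matches(block):
        hits.append(block)
    return hits

# Constructed sample kernel log (not captured from a real host).
SAMPLE_LOG = """\
[  812.101] example: unrelated informational message
[  901.442] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  901.443] RIP: 0010:__apic_accept_irq+0x0/0x0 [kvm]
[  901.444] Call Trace:
[  901.445]  kvm_hv_send_ipi+0x0/0x0 [kvm]
[  901.446]  kvm_hv_hypercall+0x0/0x0 [kvm]
[  901.447] ---[ end trace 0000000000000000 ]---
[  950.000] BUG: unable to handle page fault for address: ffffffffdeadbeef
[  950.001] RIP: 0010:some_other_driver+0x0/0x0
[  950.002] ---[ end trace 0000000000000000 ]---
""".splitlines()

if __name__ == "__main__":
    for report in find_reports(SAMPLE_LOG):
        print("\n".join(report))
```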
🔗 References
- https://git.kernel.org/stable/c/45fa526b0f5a34492ed0536c3cdf88b78380e4de
- https://git.kernel.org/stable/c/5393cf22312418262679eaadb130d608c75fe690
- https://git.kernel.org/stable/c/61224533f2b61e252b03e214195d27d64b22989a
- https://git.kernel.org/stable/c/874ff13c73c45ecb38cb82191e8c1d523f0dc81b
- https://git.kernel.org/stable/c/a8de7f100bb5989d9c3627d3a223ee1c863f3b69
- https://git.kernel.org/stable/c/aca8be4403fb90db7adaf63830e27ebe787a76e8
- https://git.kernel.org/stable/c/ca29f58ca374c40a0e69c5306fc5c940a0069074
- https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html