Login Sign Up

CVE-2025-23135

5.5 MEDIUM
Denial of Service

📋 TL;DR

A race condition in the Linux kernel's RISC-V KVM module causes improper cleanup during module removal, leading to IRQ state inconsistency and preventing KVM module reloading. This affects Linux systems with RISC-V architecture using KVM virtualization. The vulnerability requires local access and module removal privileges.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions with the vulnerable RISC-V KVM AIA implementation, specifically around 6.14.0-rc5 and related versions
Operating Systems: Linux distributions with RISC-V architecture support
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with RISC-V architecture using KVM virtualization. Requires kernel module removal privileges.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service preventing KVM virtualization from being used after module removal, requiring system reboot to restore functionality.

🟠

Likely Case

Kernel warning messages during module removal and inability to reload the KVM module until system reboot.

🟢

If Mitigated

Minor disruption requiring reboot to restore KVM functionality if module is removed.

🌐 Internet-Facing: LOW - Requires local access and module removal privileges.
🏢 Internal Only: MEDIUM - Could disrupt virtualization services if privileged users remove the KVM module.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and module removal privileges. The issue is triggered during normal module removal operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in kernel commits 1521cc04f0b6e737ff30105aa57fa9dde8493231, 1edb2de48616b11ee05e9a65d74c70abcb6d9939, 2d117e67f318303f6ab699a5511d1fac3f170545

Vendor Advisory: https://git.kernel.org/stable/c/1521cc04f0b6e737ff30105aa57fa9dde8493231

Restart Required: Yes

Instructions:

1. Update to a kernel version containing the fix commits. 2. Reboot the system to load the patched kernel.

🔧 Temporary Workarounds

Avoid KVM module removal

linux

Prevent removal of the KVM module to avoid triggering the vulnerability

🧯 If You Can't Patch

  • Restrict module removal privileges to prevent unauthorized users from removing the KVM module
  • Monitor for kernel warning messages related to IRQ state inconsistencies

🔍 How to Verify

Check if Vulnerable:

Check kernel version and if running on RISC-V architecture with KVM enabled. Look for kernel commits in the version history.

Check Version:

uname -r

Verify Fix Applied:

Verify the kernel version contains the fix commits or is newer than the patched versions.

📡 Detection & Monitoring

Log Indicators:

  • Kernel warning messages about 'percpu IRQ still enabled' during module removal
  • Error messages about KVM module insertion failures after removal

SIEM Query:

source="kernel" AND ("percpu IRQ still enabled" OR "kvm_exit" OR "aia_exit")

📊 Metadata

CVE ID: CVE-2025-23135
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.06% exploit probability (19th percentile)
Published: April 16, 2025
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON