CVE-2025-23135 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

RISC-V: KVM: Teardown riscv specific bits after kvm_exit

During a module removal, kvm_exit invokes arch specific disable call which disables AIA. However, we invoke aia_exit before kvm_exit resulting in the following warning. KVM kernel module can't be inserted afterwards due to inconsistent state of IRQ.

[25469.031389] percpu IRQ 31 still enabled on CPU0!
[25469.031732] WARNING: CPU: 3 PID: 943 at kernel/irq/manage.c:2476 __free_percpu_irq+0xa2/0x150
[25469.031804] Modules linked in: kvm(-)
[25469.031848] CPU: 3 UID: 0 PID: 943 Comm: rmmod Not tainted 6.14.0-rc5-06947-g91c763118f47-dirty #2
[25469.031905] Hardware name: riscv-virtio,qemu (DT)
[25469.031928] epc : __free_percpu_irq+0xa2/0x150
[25469.031976] ra : __free_percpu_irq+0xa2/0x150
[25469.032197] epc : ffffffff8007db1e ra : ffffffff8007db1e sp : ff2000000088bd50
[25469.032241] gp : ffffffff8131cef8 tp : ff60000080b96400 t0 : ff2000000088baf8
[25469.032285] t1 : fffffffffffffffc t2 : 5249207570637265 s0 : ff2000000088bd90
[25469.032329] s1 : ff60000098b21080 a0 : 037d527a15eb4f00 a1 : 037d527a15eb4f00
[25469.032372] a2 : 0000000000000023 a3 : 0000000000000001 a4 : ffffffff8122dbf8
[25469.032410] a5 : 0000000000000fff a6 : 0000000000000000 a7 : ffffffff8122dc10
[25469.032448] s2 : ff60000080c22eb0 s3 : 0000000200000022 s4 : 000000000000001f
[25469.032488] s5 : ff60000080c22e00 s6 : ffffffff80c351c0 s7 : 0000000000000000
[25469.032582] s8 : 0000000000000003 s9 : 000055556b7fb490 s10: 00007ffff0e12fa0
[25469.032621] s11: 00007ffff0e13e9a t3 : ffffffff81354ac7 t4 : ffffffff81354ac7
[25469.032664] t5 : ffffffff81354ac8 t6 : ffffffff81354ac7
[25469.032698] status: 0000000200000100 badaddr: ffffffff8007db1e cause: 0000000000000003
[25469.032738] [] __free_percpu_irq+0xa2/0x150
[25469.032797] [] free_percpu_irq+0x30/0x5e
[25469.032856] [] kvm_riscv_aia_exit+0x40/0x42 [kvm]
[25469.033947] [] cleanup_module+0x10/0x32 [kvm]
[25469.035300] [] __riscv_sys_delete_module+0x18e/0x1fc
[25469.035374] [] syscall_handler+0x3a/0x46
[25469.035456] [] do_trap_ecall_u+0x72/0x134
[25469.035536] [] handle_exception+0x148/0x156

Invoke aia_exit and other arch specific cleanup functions after kvm_exit so that disable gets a chance to be called first before exit.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability identified as CVE-2025-23135 affects the Linux kernel's handling of RISC-V Virtual Machine Monitor (KVM) module cleanup operations. This issue arises during the removal of the KVM kernel module when the system attempts to tear down RISC-V specific interrupt handling components. The core problem manifests in the improper sequencing of cleanup functions where arch specific disable calls are invoked before the necessary AIA (Advanced Interrupt Architecture) exit operations, leading to inconsistent interrupt state management.

The technical flaw stems from the incorrect order of function calls during module removal. Specifically, the system invokes `aia_exit` before `kvm_exit`, which results in a situation where the AIA interrupt controller remains in an inconsistent state. This improper sequence causes the kernel to generate warnings indicating that percpu IRQ 31 remains enabled on CPU0, signaling that interrupt resources have not been properly released. The error occurs in the kernel's interrupt management subsystem, specifically within the `__free_percpu_irq` function located at kernel/irq/manage.c:2476, which is part of the broader interrupt handling framework that follows the Linux kernel's interrupt management standards.

The operational impact of this vulnerability is significant as it renders the KVM kernel module unusable after removal. Once the module is unloaded and the inconsistent interrupt state occurs, subsequent attempts to insert the KVM module fail due to the corrupted interrupt controller state. This creates a persistent system issue where virtualization capabilities become permanently disabled until a system reboot occurs. The vulnerability affects systems running RISC-V architecture with KVM virtualization enabled, particularly those using QEMU-based virtualization environments, and represents a critical failure in kernel module lifecycle management.

The fix for this vulnerability involves reordering the cleanup operations to ensure that `kvm_exit` is called before `aia_exit` and other architecture-specific cleanup functions. This ensures that the disable operations are properly executed before the exit routines attempt to clean up interrupt resources. This remediation aligns with the ATT&CK framework's system binary exploitation tactics and follows established kernel development practices for proper resource cleanup. The solution addresses the root cause by ensuring proper function call sequencing, preventing the inconsistent interrupt state that leads to the module loading failure. This fix specifically targets the CWE-691 weakness category related to insufficient control flow management in kernel code, ensuring that interrupt controller state transitions occur in the correct order to maintain system stability and virtualization functionality. The corrected implementation ensures that all architecture-specific cleanup operations occur after the main `kvm_exit` function has completed its disable operations, thereby maintaining consistent interrupt controller state throughout the module lifecycle.

Responsible

Linux

Reservation

01/11/2025

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00152

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!