CVE-2025-38169 in Linuxinfo

Summary

by MITRE • 07/03/2025

In the Linux kernel, the following vulnerability has been resolved:

arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP

On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected.

If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state.

Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/18/2026

This vulnerability exists in the linux kernel's arm64 architecture implementation specifically affecting systems with Scalable Matrix Extension SME support. The flaw occurs during context switching operations when the kernel attempts to manage floating point and scalable vector extension state. The issue manifests when a thread's kernel FPSIMD state is being restored immediately after a context switch, but the cpu remains in streaming sve mode. This particular scenario creates a race condition where the restoration process inadvertently corrupts the kernel's floating point state through improper register management.

The technical root cause stems from the incorrect ordering of operations within the fpsimd_thread_switch function. When transitioning between threads on systems with SME support, the kernel first restores the kernel FPSIMD state using fpsimd_load_kernel_state() while the cpu is still operating in streaming SVE mode. Subsequently, the function calls fpsimd_flush_cpu_state() which executes an SMSTOP instruction to exit streaming SVE mode. This SMSTOP instruction triggers hardware-level register resets that overwrite the FPSIMD state that was just restored, effectively clobbering the kernel's floating point context. This represents a classic case of improper state management and execution ordering that violates fundamental principles of processor state preservation during context switches.

The operational impact of this vulnerability is significant for systems running linux kernels on arm64 architectures with SME support, as it can lead to data corruption, application crashes, and potential security implications. When the kernel's FPSIMD state becomes corrupted, any subsequent operations relying on floating point or vector processing may produce incorrect results or fail entirely. This affects system stability particularly in environments where high-performance computing workloads are common, as these systems heavily utilize the SME extension for accelerated matrix operations. The vulnerability is particularly concerning because it occurs during routine context switching operations which are fundamental to multitasking and process management in operating systems, making it a critical issue for system reliability.

The fix implemented addresses this by reordering the operations within the fpsimd_thread_switch function to call fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state. This ensures that any necessary hardware state transitions occur prior to loading the kernel context, preventing the clobbering of registers during the restoration process. This solution aligns with the principle of proper state management and follows the established pattern of preparing system state before applying changes. The mitigation approach is consistent with industry best practices for handling processor state transitions and follows the guidance provided in the common weakness enumeration CWE-248, which addresses improper exception handling and state management issues in system software. This fix represents a targeted correction that maintains system functionality while preventing the specific race condition that leads to state corruption during context switches on SME-enabled arm64 systems.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00136

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!