CVE-2025-68751 in Linux
Summary
by MITRE • 01/05/2026
In the Linux kernel, the following vulnerability has been resolved:
s390/fpu: Fix false-positive kmsan report in fpu_vstl()
A false-positive kmsan report is detected when running the ping command.
An inline assembly instruction 'vstl' can write a varying number of bytes depending on the value of the 'index' argument. If 'index' > 0, 'vstl' writes at least 2 bytes.
clang generates the kmsan write helper call depending on the inline assembly constraints. Constraints are evaluated at compile time, but the value of the 'index' argument is known only at runtime.
clang currently generates a call to __msan_instrument_asm_store with 1 byte as the size. Manually call the kmsan function to indicate the correct number of bytes written and fix the false-positive report.
This change fixes the following kmsan reports:
[ 36.563119] =====================================================
[ 36.563594] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 36.563852] virtqueue_add+0x35c6/0x7c70
[ 36.564016] virtqueue_add_outbuf+0xa0/0xb0
[ 36.564266] start_xmit+0x288c/0x4a20
[ 36.564460] dev_hard_start_xmit+0x302/0x900
[ 36.564649] sch_direct_xmit+0x340/0xea0
[ 36.564894] __dev_queue_xmit+0x2e94/0x59b0
[ 36.565058] neigh_resolve_output+0x936/0xb40
[ 36.565278] __neigh_update+0x2f66/0x3a60
[ 36.565499] neigh_update+0x52/0x60
[ 36.565683] arp_process+0x1588/0x2de0
[ 36.565916] NF_HOOK+0x1da/0x240
[ 36.566087] arp_rcv+0x3e4/0x6e0
[ 36.566306] __netif_receive_skb_list_core+0x1374/0x15a0
[ 36.566527] netif_receive_skb_list_internal+0x1116/0x17d0
[ 36.566710] napi_complete_done+0x376/0x740
[ 36.566918] virtnet_poll+0x1bae/0x2910
[ 36.567130] __napi_poll+0xf4/0x830
[ 36.567294] net_rx_action+0x97c/0x1ed0
[ 36.567556] handle_softirqs+0x306/0xe10
[ 36.567731] irq_exit_rcu+0x14c/0x2e0
[ 36.567910] do_io_irq+0xd4/0x120
[ 36.568139] io_int_handler+0xc2/0xe8
[ 36.568299] arch_cpu_idle+0xb0/0xc0
[ 36.568540] arch_cpu_idle+0x76/0xc0
[ 36.568726] default_idle_call+0x40/0x70
[ 36.568953] do_idle+0x1d6/0x390
[ 36.569486] cpu_startup_entry+0x9a/0xb0
[ 36.569745] rest_init+0x1ea/0x290
[ 36.570029] start_kernel+0x95e/0xb90
[ 36.570348] startup_continue+0x2e/0x40
[ 36.570703]
[ 36.570798] Uninit was created at:
[ 36.571002] kmem_cache_alloc_node_noprof+0x9e8/0x10e0
[ 36.571261] kmalloc_reserve+0x12a/0x470
[ 36.571553] __alloc_skb+0x310/0x860
[ 36.571844] __ip_append_data+0x483e/0x6a30
[ 36.572170] ip_append_data+0x11c/0x1e0
[ 36.572477] raw_sendmsg+0x1c8c/0x2180
[ 36.572818] inet_sendmsg+0xe6/0x190
[ 36.573142] __sys_sendto+0x55e/0x8e0
[ 36.573392] __s390x_sys_socketcall+0x19ae/0x2ba0
[ 36.573571] __do_syscall+0x12e/0x240
[ 36.573823] system_call+0x6e/0x90
[ 36.573976]
[ 36.574017] Byte 35 of 98 is uninitialized
[ 36.574082] Memory access of size 98 starts at 0000000007aa0012
[ 36.574218]
[ 36.574325] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G B N 6.17.0-dirty #16 NONE
[ 36.574541] Tainted: [B]=BAD_PAGE, [N]=TEST
[ 36.574617] Hardware name: IBM 3931 A01 703 (KVM/Linux)
[ 36.574755] =====================================================
[ 63.532541] =====================================================
[ 63.533639] BUG: KMSAN: uninit-value in virtqueue_add+0x35c6/0x7c70
[ 63.533989] virtqueue_add+0x35c6/0x7c70
[ 63.534940] virtqueue_add_outbuf+0xa0/0xb0
[ 63.535861] start_xmit+0x288c/0x4a20
[ 63.536708] dev_hard_start_xmit+0x302/0x900
[ 63.537020] sch_direct_xmit+0x340/0xea0
[ 63.537997] __dev_queue_xmit+0x2e94/0x59b0
[ 63.538819] neigh_resolve_output+0x936/0xb40
[ 63.539793] ip_finish_output2+0x1ee2/0x2200
[ 63.540784] __ip_finish_output+0x272/0x7a0
[ 63.541765] ip_finish_output+0x4e/0x5e0
[ 63.542791] ip_output+0x166/0x410
[ 63.543771] ip_push_pending_frames+0x1a2/0x470
[ 63.544753] raw_sendmsg+0x1f06/0x2180
[ 63.545033] inet_sendmsg+0xe6/0x190
[ 63.546006] __sys_sendto+0x55e/0x8e0
---truncated---
Analysis
by VulDB Data Team • 02/13/2026
CVE-2025-68751 covers a false-positive report from the kernel memory sanitizer (KMSAN) in the Linux kernel's s390/fpu subsystem, specifically in the function fpu_vstl(). The issue stems from a mismatch between clang's compile-time evaluation of inline assembly constraints and the runtime behavior of the instruction itself. The vstl instruction, part of the vector instruction set architecture for IBM System/390, writes a variable number of bytes depending on the value of the index argument: when index is greater than zero it writes at least two bytes, yet the compiler's static view assumes a one-byte write when it generates the instrumentation.
The root cause is how clang translates inline assembly constraints into KMSAN instrumentation calls. Constraints are evaluated at compile time, but the value of index is only known at runtime, so the compiler emits a call to __msan_instrument_asm_store with a size of one byte even when the actual store covers several bytes. The resulting false positives surface as uninitialized-value reports during network packet processing, notably in virtqueue_add, which is part of the virtio network driver stack.
While the issue introduces no actual security flaw, its operational impact on kernel debugging and security analysis is significant: the false KMSAN reports add noise to security monitoring and can mask genuine memory-corruption bugs that need investigation. The reported stack traces show the error propagating through the network subsystem, during ARP processing and packet transmission, so any network-intensive workload on an s390 system may trigger these false positives. This concerns systems running on IBM System/390 or IBM z/Architecture platforms wherever the kernel's floating-point unit handling is used.
The fix calls the appropriate KMSAN function manually with the correct byte count instead of relying on the compiler-generated instrumentation, so the sanitizer tracks the memory access accurately, the false positives disappear, and the protection memory sanitization provides is retained. It directly addresses the gap between compile-time constraint analysis and runtime behavior by aligning the instrumentation with the bytes the vstl instruction actually writes. This fix aligns with the CWE-457 principle of avoiding uninitialized memory access patterns and supports the ATT&CK technique T1552.001 for credential access through memory dumps, as proper memory tracking prevents false positives that could interfere with legitimate security analysis.
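A user-space model of the size mismatch described above, added here as an illustration and not the kernel's own code or the actual patch: a toy KMSAN shadow map in which the compiler-generated helper unpoisons one byte (the size implied by a single-byte output constraint), while the fixed variant unpoisons min(index+1, 16) bytes, the amount vstl actually stores. All names (shadow, unpoison, vstl_bytes, check_initialized) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define VEC_BYTES 16   /* a vector register is 16 bytes wide */

/* Toy shadow memory for a 64-byte buffer: 1 = byte still uninitialized
 * (poisoned), 0 = initialized. Real KMSAN keeps shadow per byte too. */
static uint8_t shadow[64];

/* Model of a KMSAN unpoison call: mark n bytes at off as initialized. */
static void unpoison(size_t off, size_t n) { memset(shadow + off, 0, n); }

/* Bytes VSTL actually writes: bytes 0..index of the register, capped at
 * the 16-byte register length (index values above 15 behave like 15). */
static size_t vstl_bytes(uint32_t index)
{
    size_t n = (size_t)index + 1;
    return n < VEC_BYTES ? n : VEC_BYTES;
}

/* Buggy instrumentation: the inline asm declares a single-byte output
 * (constraint on *(u8 *)vxr), so the compile-time generated helper call
 * unpoisons exactly 1 byte no matter what index is at runtime. */
static void vstl_compiler_instrumented(size_t off, uint32_t index)
{
    (void)index;
    unpoison(off, 1);          /* __msan_instrument_asm_store(vxr, 1) */
    /* the hardware store of vstl_bytes(index) bytes happens here */
}

/* Fixed variant: unpoison the runtime size explicitly, as the patch does
 * by calling the kmsan helper manually with the correct byte count. */
static void vstl_fixed(size_t off, uint32_t index)
{
    unpoison(off, vstl_bytes(index));
}

/* Model of a later KMSAN use check (e.g. virtqueue_add handing the skb
 * to the device): return the offset of the first poisoned byte within
 * [off, off+len), or -1 if every byte is initialized. */
static int check_initialized(size_t off, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (shadow[off + i]) return (int)i;
    return -1;
}

static void poison_all(void) { memset(shadow, 1, sizeof shadow); }
```

With index = 7 the buggy path leaves bytes 1..7 poisoned and the later check reports byte 1 as uninitialized, mirroring the "Byte N of M is uninitialized" line in the reports above; the fixed path reports nothing.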
This case illustrates the complexity of modern kernel instrumentation and the difficulty of keeping static analysis accurate for code whose memory behavior is only decided at runtime. The resolution underlines the need to verify compiler-generated instrumentation manually in low-level code where precise memory behavior matters for both performance and security. The fix keeps KMSAN a reliable tool for detecting real memory corruption rather than one cluttered with false alarms that impede security research and system debugging. The change is specific to the s390 architecture's FPU handling, making it relevant for mainframe and enterprise computing environments where such systems remain in production use.