CVE-2025-40300
Published Sep 11, 2025
Last updated 2 days ago
AI description
CVE-2025-40300, also known as VMSCAPE, is a Spectre-based vulnerability that affects AMD Zen CPUs (Zen 1 through Zen 5) and Intel Coffee Lake processors. It exploits incomplete branch predictor isolation in cloud environments, allowing a malicious guest user to leak secrets from the hypervisor in the host domain. It is the first attack of its kind to let a malicious guest VM leak arbitrary memory from an unmodified hypervisor, with no code modifications required on the host. The VMSCAPE attack targets the KVM/QEMU virtualization stack, demonstrating how attackers can extract cryptographic keys and other sensitive infrastructure secrets. Researchers have shown that VMSCAPE can leak memory at a rate of 32 bytes per second, enough to extract disk encryption keys in approximately 18 minutes on AMD Zen 4 processors. The vulnerability stems from the incomplete isolation of branch prediction state across virtualization boundaries, specifically between the guest and host user processes. Linux kernel developers have released patches to mitigate VMSCAPE by adding an Indirect Branch Prediction Barrier (IBPB) on VMEXIT.
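Because the fix ships as a kernel mitigation rather than a package update, the first thing a defender wants is a way to confirm which state a given host is in. The script below is an added example, not part of this CVE record or of the kernel patch; it assumes that the patched kernel exposes the mitigation state through a sysfs file at `/sys/devices/system/cpu/vulnerabilities/vmscape` whose contents start with `Not affected`, `Vulnerable` or `Mitigation:` (the naming follows the kernel's hardware-vulnerability sysfs convention, which this page does not itself describe). The path is a parameter so the classifier can be exercised on a constructed file, and an absent file is reported as `unknown`, which on a real host usually means the kernel predates the VMSCAPE enumeration and must be treated as unpatched.

```shell
#!/bin/sh
# Added example (not from the CVE record or the kernel patch).
# ASSUMPTION: the sysfs path and the status prefixes below follow the
# kernel's hw-vuln sysfs convention; the page itself does not name them.
VMSCAPE_SYSFS_DEFAULT=/sys/devices/system/cpu/vulnerabilities/vmscape

# classify_vmscape_status STATUS_STRING
# Maps the raw sysfs text to one of: not-affected, mitigated, vulnerable, unknown.
# Prefix matching keeps the classifier stable across the exact mitigation
# wording (e.g. IBPB on VMEXIT vs. IBPB before exit to userspace).
classify_vmscape_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# read_vmscape_status [PATH]
# Reads the sysfs file (or a constructed stand-in) and prints its class.
# A missing or unreadable file yields "unknown" and exit status 2, so a
# fleet inventory can distinguish "kernel too old to report" from a
# kernel that reports itself as vulnerable.
read_vmscape_status() {
    path="${1:-$VMSCAPE_SYSFS_DEFAULT}"
    if [ ! -r "$path" ]; then
        echo unknown
        return 2
    fi
    classify_vmscape_status "$(cat "$path")"
}

# When saved as vmscape_check.sh and run directly, report the live host
# state; an optional first argument overrides the sysfs path.
if [ "${0##*/}" = "vmscape_check.sh" ]; then
    read_vmscape_status "${1:-}"
fi
```

In an inventory run, treat anything other than `not-affected` or `mitigated` as a host that still needs the kernel update, and remember that `mitigated` only tells you the IBPB-on-VMEXIT barrier is active, not what it costs: the commit message on this page notes that workloads which switch frequently between the hypervisor and userspace pay the most for it.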
- Description
- In the Linux kernel, the following vulnerability has been resolved:

  x86/vmscape: Add conditional IBPB mitigation

  VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace.

  Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

  This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo.

  [ dhansen: elaborate on suboptimal IBPB solution ]
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Received
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
12
A new speculative-execution attack, "VMSCAPE", has been confirmed that breaks directly from a virtual machine into the host environment. Confidential information such as cryptographic keys could be stolen, with serious consequences for cloud infrastructure. この脆弱性(CVE-2025-40300)はAMD Z
@yousukezan
11 Sept 2025
5170 Impressions
15 Retweets
31 Likes
17 Bookmarks
0 Replies
0 Quotes
CVE-2025-40300 In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficie… https://t.co/4gW6S2WV2H
@CVEnew
11 Sept 2025
552 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New VMScape attack breaks guest-host isolation on AMD, Intel CPUs / CVE-2025-40300 / AMD has released a security bulletin about the problem. intel?! https://t.co/FFq8LMWxQH
@JensHilbig
11 Sept 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes