CVE-2025-40300
Published Sep 11, 2025
Last updated 21 days ago
AI description
CVE-2025-40300, also known as VMSCAPE, is a Spectre-BTI (branch target injection) vulnerability disclosed by researchers at ETH Zurich that affects AMD Zen CPUs (Zen 1 through Zen 5) and Intel Coffee Lake processors. It exploits incomplete isolation of branch predictor state across the virtualization boundary: a malicious guest trains the branch predictor so that indirect branches in the host's userspace hypervisor process (QEMU in the KVM/QEMU stack) mispredict to attacker-chosen code, and the resulting transient execution leaks hypervisor memory through a cache side channel. It is the first attack shown to leak arbitrary memory from an unmodified hypervisor from inside a guest VM; the researchers demonstrated extraction of cryptographic keys and other infrastructure secrets, leaking memory at about 32 bytes per second and recovering a disk encryption key in roughly 18 minutes on AMD Zen 4. The vulnerable pairing is specifically guest userspace to host userspace: existing Spectre mitigations already protect the kernel and KVM from a malicious guest, but not the userspace hypervisor. Linux kernel developers therefore added a mitigation that conditionally issues an Indirect Branch Prediction Barrier (IBPB) after VMEXIT, before the kernel returns to userspace, so the poisoned predictor state is flushed before the hypervisor process consumes it; workloads that switch frequently between the guest and hypervisor userspace pay the most overhead.
- Description
- In the Linux kernel, the following vulnerability has been resolved:

  x86/vmscape: Add conditional IBPB mitigation

  VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit.

  Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB.

  This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo.

  [ dhansen: elaborate on suboptimal IBPB solution ]
- Source
- 416baaa9-dc9f-4396-8d5f-8c081fb06d67
- NVD status
- Awaiting Analysis
- Hype score
- Not currently trending
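To check whether a host actually carries the mitigation described above, here is an added example in C. It is not code from the kernel tree, from the ETH Zurich researchers or from this page. It classifies the kernel's sysfs vulnerability entry, extracts the `vmscape=` boot option from `/proc/cmdline`, and decodes the indirect-branch speculation-control `prctl()` state of the calling process, which is the per-task context-switch IBPB the commit message says is currently doubled up. The sysfs file name `vmscape`, the option values `off`, `ibpb` and `force`, and the "Mitigation:" / "Vulnerable" / "Not affected" prefixes are assumptions taken from the patch series and the kernel's standard vulnerabilities interface; confirm them against the hw-vuln documentation of the kernel you run. Run it on the host, not inside a guest: the target of VMSCAPE is the host's userspace hypervisor.

```c
/*
 * vmscape_check.c: host-side status check for the VMSCAPE mitigation.
 * Added example; not code from the kernel tree, the researchers or this page.
 *   1. classifies /sys/devices/system/cpu/vulnerabilities/vmscape (assumed name),
 *   2. extracts the vmscape= boot option (off | ibpb | force) from /proc/cmdline,
 *   3. decodes this process's indirect-branch speculation-control prctl() state,
 *      the per-task context-switch IBPB the commit message says gets doubled up.
 * Build: cc -O2 -o vmscape_check vmscape_check.c   (run on the host, not in a guest)
 */
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Fallbacks for old headers; values are those of include/uapi/linux/prctl.h. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED  0
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Assumed sysfs entry; it only exists on kernels that carry the fix. */
#define VMSCAPE_SYSFS "/sys/devices/system/cpu/vulnerabilities/vmscape"

enum vmscape_state { VMSCAPE_UNKNOWN, VMSCAPE_NOT_AFFECTED, VMSCAPE_MITIGATED, VMSCAPE_VULNERABLE };

/* Classify the text of the sysfs file. Entries under cpu/vulnerabilities start
 * with "Not affected", "Mitigation:" or "Vulnerable"; anything else (or NULL)
 * is reported as unknown rather than silently treated as safe. */
enum vmscape_state vmscape_classify(const char *text)
{
    if (text == NULL)                           return VMSCAPE_UNKNOWN;
    if (strncmp(text, "Not affected", 12) == 0) return VMSCAPE_NOT_AFFECTED;
    if (strncmp(text, "Mitigation:", 11) == 0)  return VMSCAPE_MITIGATED;
    if (strncmp(text, "Vulnerable", 10) == 0)   return VMSCAPE_VULNERABLE;
    return VMSCAPE_UNKNOWN;
}

/* Read and classify the sysfs file. A missing file means the kernel predates
 * the mitigation and knows nothing about the bug: that is UNKNOWN, not safe. */
enum vmscape_state vmscape_sysfs_state(const char *path)
{
    char buf[128];
    FILE *f = fopen(path, "r");
    if (f == NULL) return VMSCAPE_UNKNOWN;
    const char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return vmscape_classify(line);
}

/* Copy the value of the vmscape= boot parameter into out. As with other boot
 * parameters the last occurrence wins. Returns 1 if found, 0 otherwise.
 * (mitigations=off also disables the mitigation; check that separately.) */
int vmscape_cmdline_option(const char *cmdline, char *out, size_t outlen)
{
    const char *key = "vmscape=", *p = cmdline, *hit = NULL;
    size_t klen = strlen(key), n;
    while ((p = strstr(p, key)) != NULL) {
        if (p == cmdline || p[-1] == ' ') hit = p + klen;  /* whole-token match only */
        p += klen;
    }
    if (hit == NULL) return 0;
    n = strcspn(hit, " \n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, hit, n);
    out[n] = '\0';
    return 1;
}

/* Decode PR_GET_SPECULATION_CTRL flags for PR_SPEC_INDIRECT_BRANCH. A task that
 * disabled indirect-branch speculation via prctl() already gets an IBPB at
 * context switch; on a kernel with the VMEXIT-path IBPB it pays for both. */
const char *ib_spec_ctrl_describe(long flags)
{
    if (flags < 0)                     return "unavailable (prctl failed)";
    if (flags == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (!(flags & PR_SPEC_PRCTL))
        return (flags & PR_SPEC_ENABLE) ? "enabled, not controllable" : "disabled system-wide";
    if (flags & PR_SPEC_FORCE_DISABLE) return "force disabled (IBPB at context switch)";
    if (flags & PR_SPEC_DISABLE)       return "disabled (IBPB at context switch)";
    return "enabled, controllable by prctl";
}

int main(void)
{
    static const char *names[] = { "unknown (no sysfs entry: kernel predates the fix?)",
                                   "not affected", "mitigated", "vulnerable" };
    char cmdline[1024] = "", opt[16];
    enum vmscape_state st = vmscape_sysfs_state(VMSCAPE_SYSFS);
    printf("vmscape sysfs: %s\n", names[st]);

    FILE *f = fopen("/proc/cmdline", "r");
    if (f != NULL) {
        if (fgets(cmdline, sizeof cmdline, f) != NULL)
            printf("boot option:   %s\n",
                   vmscape_cmdline_option(cmdline, opt, sizeof opt) ? opt : "(default: auto)");
        fclose(f);
    }
#ifdef __linux__
    printf("prctl IB ctrl: %s\n",
           ib_spec_ctrl_describe(prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0)));
#endif
    return (st == VMSCAPE_MITIGATED || st == VMSCAPE_NOT_AFFECTED) ? 0 : 1;
}
```

The exit status is non-zero for both "vulnerable" and "unknown", so a fleet check that loops over hosts fails closed on kernels too old to know about the bug instead of reporting them as clean. The prctl line is per process: run the binary the same way the hypervisor process is launched (same seccomp/launcher) if you want to know what QEMU itself sees.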
Critical Security Patch for #Ubuntu 22.04 LTS on AWS The USN-7861-4 advisory details patches for multiple Linux kernel vulnerabilities, including the high-severity VMSCAPE flaw (CVE-2025-40300). Read more: 👉 https://t.co/AiCVtMz1Gb #Security https://t.co/cz6WFVD9iO
@Cezar_H_Linux
20 Nov 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ CVE-2025-40300 - Ubuntu Xilinx ZynqMP VMSCAPE Info Exposure Ubuntu systems running on Xilinx ZynqMP SoCs are vulnerable to VMSCAPE side-channel attacks (CVE-2025-40300). What's clever: attackers exploit timing variations in the ARM TrustZone Secure Monitor Call interfac
@the_c_protocol
14 Nov 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-40300 In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing
@AnonOzzyDude
14 Nov 2025
175 Impressions
2 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
"vulnerable to BPI and VMScape (CVE-2025-40300) on Coffee Lake+; microcode patches required."
@Kraal11118
22 Oct 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE: CVE-2025-40300
@transilienceai
5 Oct 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
VMScape: the new vulnerability that breaks the isolation between virtual machines and the hypervisor https://t.co/PJzn0oo0nX Researchers at ETH Zurich disclosed, in a blog post, a new attack called VMScape (CVE-2025-40300), capable of bypassing
@laboratoriolinu
27 Sept 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ VMScape (CVE-2025-40300): a Spectre-type vulnerability lets a VM compromise the hypervisor (host) on Intel & AMD CPUs via KVM/QEMU. A Linux patch (IBPB-on-VMEXIT) is already available. #cybersécurité #Linux #Virtualisation 👉 https://t.co/FwNG
@Guardia_School
20 Sept 2025
259 Impressions
2 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
VMScape (CVE-2025-40300): Spectre-BTI Breaks VM Isolation — What Cloud & Virtualization Teams Must Do Now. Read the full report on - https://t.co/89mAWtoL5s https://t.co/usw0dQnfVi
@Iambivash007
15 Sept 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🗣️ VMScape (CVE-2025-40300): A New CPU Flaw Threatens Cloud Security https://t.co/fjIWR1Jch9
@fridaysecurity
15 Sept 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A new speculative execution attack, "VMSCAPE", that breaks out of a virtual machine directly into the host environment has been confirmed. Confidential data such as cryptographic keys could be stolen, with serious consequences for cloud infrastructure. This vulnerability (CVE-2025-40300) affects AMD Z
@yousukezan
11 Sept 2025
5170 Impressions
15 Retweets
31 Likes
17 Bookmarks
0 Replies
0 Quotes
CVE-2025-40300 In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficie… https://t.co/4gW6S2WV2H
@CVEnew
11 Sept 2025
552 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
New VMScape attack breaks guest-host isolation on AMD, Intel CPUs / CVE-2025-40300 / AMD has released a security bulletin about the problem. intel?! https://t.co/FFq8LMWxQH
@JensHilbig
11 Sept 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes