CVE-2025-38560

EUVD-2025-27903

19.08.2025, 17:15

In the Linux kernel, the following vulnerability has been resolved:

x86/sev: Evict cache lines during SNP memory validation

An SNP cache coherency vulnerability requires a cache line eviction
mitigation when validating memory after a page state change to private.
The specific mitigation is to touch the first and last byte of each 4K
page that is being validated. There is no need to perform the mitigation
when performing a page state change to shared and rescinding validation.

CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit
that, when set, indicates that the software mitigation for this
vulnerability is not needed.

Implement the mitigation and invoke it when validating memory (making it
private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP
guest is vulnerable.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.19 ≤ 𝑥 < 6.1.148
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.102
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.42
linux	linux_kernel	6.13 ≤ 𝑥 < 6.15.10
linux	linux_kernel	6.16 ≤ 𝑥 < 6.16.1
linux	linux_kernel	6.17:rc1
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

linux-6.1

bullseye (security)

6.1.172-1~deb11u1

fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.121.2

fixed

dlm-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.121.2

fixed

gfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.121.2

fixed

kernel-64kb

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-default

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-default-base

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1.150600.12.30.2 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1.150700.17.11.2 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1.150600.12.30.2 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1.150700.17.11.2 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1.150400.24.90.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2.150500.6.57.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1.150600.12.30.2 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1.150700.17.11.2 fixed

kernel-docs

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-macros

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-source

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-source-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.2 fixed

kernel-syms

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.20.15.1 fixed
suse enterprise server 15 SP6	6.4.0-150600.8.52.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.15.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise desktop 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise sap 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.16.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed
suse enterprise server 15 SP6	6.4.0-150600.23.70.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.16.1 fixed

ocfs2-kmp-default

suse enterprise server 15 SP5

5.14.21-150500.55.121.2

fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.176.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.121.2 fixed

References

https://git.kernel.org/stable/c/1fb873971e23c35c53823c62809a474a92bc3022

https://git.kernel.org/stable/c/1fec416c03d0a64cc21aa04ce4aa14254b017e6a

https://git.kernel.org/stable/c/7b306dfa326f70114312b320d083b21fa9481e1e

https://git.kernel.org/stable/c/a762a4c8d9e768b538b3cc60615361a8cf377de8

https://git.kernel.org/stable/c/aed15fc08f15dbb15822b2a0b653f67e76aa0fdf

https://git.kernel.org/stable/c/f92af52e6dbd8d066d77beba451e0230482dc45b

https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html