VMSCAPE

VMSCAPE – BPI (Branch Predictor Isolation) in KVM

Published: 12 September 2025
Updated: 4 days ago

VMSCAPE, also referred to as the Branch Predictor Isolation (BPI) vulnerability and assigned CVE-2025-40300, is a vulnerability that affects virtual machine monitors that rely on the Linux kernel KVM subsystem (such as QEMU) on certain AMD®, Hygon® and Intel® processors. The vulnerability is exploited from within a virtual machine running under KVM, so it is the hypervisor host, not the guest, that needs to be fixed.

Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi of ETH Zurich have discovered that some of the existing mitigations against Spectre v2 in the Linux kernel KVM subsystem are insufficient to protect the userspace Virtual Machine Monitor (VMM) memory from a malicious guest on certain AMD®, Hygon® and Intel® processors. The Ubuntu Security Team is working on providing security updates for all supported releases.

The vulnerability affects the Linux kernel and could allow a threat actor with unprivileged access to a virtual machine to read the memory contents of the userspace VMM. The researchers have demonstrated a proof-of-concept that leaks 32 B/s from the host (hypervisor) QEMU userspace VMM into the guest kernel, and have theorized, but not demonstrated, further attack vectors such as leaking other guests' memory through the hypervisor's VMM. While many deployments do not hold confidentiality-sensitive data in the VMM's memory, certain configurations do, for example encryption keys for guests' disks.

The CPU vendors' response is that software mitigations are sufficient and no microcode updates are necessary.

Ubuntu kernels are being updated to address this vulnerability. The security updates only need to be applied to hypervisor hosts, as the vulnerability assumes a compromised guest. As security updates are made available, this page will be updated to reflect the fixed versions.


Affected CPUs

The following list is based on the CPUs for which the upstream Linux mitigation is applied. The security researchers have only evaluated the Coffee Lake and Raptor Lake Intel CPU families.

Vendor Microarchitecture / Family
AMD Zen 1
AMD Zen 2
AMD Zen 3
AMD Zen 4
AMD Zen 5
Hygon Family 0x18
Intel Sandy Bridge
Intel Ivy Bridge
Intel Haswell
Intel Broadwell
Intel Skylake
Intel Kaby Lake
Intel Coffee Lake
Intel Cannon Lake
Intel Comet Lake
Intel Alder Lake
Intel Raptor Lake
Intel Meteor Lake
Intel Arrow Lake
Intel Lunar Lake
Intel Sapphire Rapids
Intel Granite Rapids
Intel Emerald Rapids
Intel Gracemont
Intel Crestmont

Affected software

Installations are only vulnerable if the virtualization software makes use of the KVM subsystem in Linux. Deployments that use pure system emulation (for example QEMU with the TCG accelerator, where the KVM kernel functionality is not used) are not affected. Other virtualization software that uses KVM is likely to also be affected.
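The two preceding points, that only hypervisor hosts need the fix and that only KVM-backed guests (not pure emulation) are exposed, translate into a host-side check. The script below is an added example and not part of Ubuntu's page or the upstream mitigation; it assumes that the upstream fix exposes its state through /sys/devices/system/cpu/vulnerabilities/vmscape using the usual "Not affected" / "Mitigation: ..." / "Vulnerable..." prefixes, and that QEMU guests opt into KVM via -enable-kvm, -accel kvm or accel=kvm on the command line. The sample QEMU command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: host-side VMSCAPE exposure check. Not from the Ubuntu page.
# Assumption: the sysfs entry below and its status-string prefixes match the
# upstream mitigation; guests select KVM with -enable-kvm / -accel kvm / accel=kvm.

SYSFS_VMSCAPE=/sys/devices/system/cpu/vulnerabilities/vmscape

# classify_vmscape: map one sysfs status line to
# notaffected | mitigated | vulnerable | unknown
classify_vmscape() {
    case "$1" in
        "Not affected") echo notaffected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# host_vmscape_status: what this host should report. A host without /dev/kvm
# runs no KVM guests and is out of scope; a KVM host whose kernel predates the
# mitigation has no sysfs entry and is treated as unknown (i.e. unfixed).
host_vmscape_status() {
    if [ ! -e /dev/kvm ]; then
        echo no-kvm
    elif [ -r "$SYSFS_VMSCAPE" ]; then
        classify_vmscape "$(cat "$SYSFS_VMSCAPE")"
    else
        echo unknown
    fi
}

# qemu_uses_kvm: given a QEMU process command line, succeed (0) if the guest
# is KVM-accelerated, fail (1) if it runs under pure emulation (e.g. TCG).
qemu_uses_kvm() {
    case " $1 " in
        *" -enable-kvm "*|*"-accel kvm"*|*"accel=kvm"*) return 0 ;;
        *) return 1 ;;
    esac
}

# count_kvm_guests: number of KVM-backed guests among newline-separated
# QEMU command lines (one process per line).
count_kvm_guests() {
    n=0
    oldifs=$IFS
    IFS='
'
    set -f                      # no glob expansion while splitting on newlines
    for cmd in $1; do
        if qemu_uses_kvm "$cmd"; then n=$((n + 1)); fi
    done
    set +f
    IFS=$oldifs
    echo "$n"
}

# live_qemu_cmdlines: command lines of running QEMU processes (Linux procps).
live_qemu_cmdlines() {
    ps -eo args= | grep '^qemu-system' || true
}

# Constructed sample: two KVM guests, two pure-emulation guests.
SAMPLE_QEMU_CMDLINES='qemu-system-x86_64 -name guest=web01 -machine pc-q35-8.2,accel=kvm -m 4096
qemu-system-x86_64 -name guest=build01 -enable-kvm -m 2048
qemu-system-x86_64 -name guest=legacy -accel tcg -m 512
qemu-system-aarch64 -M virt -cpu cortex-a72 -accel tcg -m 1024'

echo "host VMSCAPE status: $(host_vmscape_status)"
if [ "$1" = "--live" ]; then
    echo "KVM-backed QEMU guests (live): $(count_kvm_guests "$(live_qemu_cmdlines)")"
else
    echo "KVM-backed QEMU guests (sample): $(count_kvm_guests "$SAMPLE_QEMU_CMDLINES")"
fi
```

Run it with --live on a hypervisor host to inspect the real process list; a result of "vulnerable" or "unknown" together with a non-zero guest count is the case where the kernel update on this page matters. Guests themselves need no change.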

The following table lists the affected Linux kernel image package variants and the version that contains the mitigation. This table will be updated as security patches are made available.

Release Linux image package affected Fixed Version
Trusty (14.04) All variants affected Fix not available
Xenial (16.04) All variants affected Fix not available
Bionic (18.04) All variants affected Fix not available
Focal (20.04) All variants affected Fix not available
Jammy (22.04) All variants affected Fix not available
Noble (24.04) All variants affected Fix not available
Plucky (25.04) All variants affected Fix not available

Timeline

2025 Sep 11: vulnerability publicly disclosed by AMD