VMSCAPE
VMSCAPE – BPI (Branch Predictor Isolation) in KVM
Published
12 September 2025
VMSCAPE, also referred to as the Branch Predictor Isolation (BPI) vulnerability and assigned CVE-2025-40300, is a vulnerability that affects virtual machine hypervisors that use the Linux kernel KVM subsystem (such as QEMU) on certain AMD®, Hygon® and Intel® processors. The vulnerability manifests on hypervisor hosts, as the exploitation mechanism is from within a virtual machine running under KVM.
Jean-Claude Graf, Sandro Rüegge, Ali Hajiabadi, and Kaveh Razavi of ETH Zurich have discovered that some of the existing mitigations against Spectre v2 in the Linux kernel KVM subsystem are insufficient to protect the userspace Virtual Machine Monitor (VMM) memory from a malicious guest on certain AMD®, Hygon® and Intel® processors. The Ubuntu Security Team is working on providing security updates for all supported releases.
The vulnerability affects the Linux kernel and could allow a threat actor with unprivileged access to a virtual machine to read the memory contents of the userspace VMM or, as the researchers theorize, of other virtual machine guests running on the same hypervisor. The researchers have demonstrated a proof-of-concept that leaks 32 B/s from the host (hypervisor) QEMU userspace VMM to the guest kernelspace and have theorized other attack vectors, such as leaking other guests’ memory via the hypervisor’s VMM. While many deployments do not hold confidentiality-sensitive data in the VMM’s memory, certain configurations may, such as encryption keys for guests’ disks.
The response of the CPU vendors was that software mitigations are sufficient and no microcode updates are necessary.
Ubuntu kernels are being updated to address this vulnerability. The security updates only need to be applied to hypervisor hosts, as exploitation assumes a compromised guest. As security updates are made available, this page will be updated to reflect the fixed versions.
Affected CPUs
The following list is based on the CPUs for which the upstream Linux mitigation is applied. The security researchers have only evaluated the Coffee Lake and Raptor Lake Intel CPU families.
| Vendor | Microarchitecture / Family |
|---|---|
| AMD | Zen 1 |
| AMD | Zen 2 |
| AMD | Zen 3 |
| AMD | Zen 4 |
| AMD | Zen 5 |
| Hygon | Family 0x18 |
| Intel | Sandy Bridge |
| Intel | Ivy Bridge |
| Intel | Haswell |
| Intel | Broadwell |
| Intel | Skylake |
| Intel | Kaby Lake |
| Intel | Coffee Lake |
| Intel | Cannon Lake |
| Intel | Comet Lake |
| Intel | Alder Lake |
| Intel | Raptor Lake |
| Intel | Meteor Lake |
| Intel | Arrow Lake |
| Intel | Lunar Lake |
| Intel | Sapphire Rapids |
| Intel | Granite Rapids |
| Intel | Emerald Rapids |
| Intel | Gracemont |
| Intel | Crestmont |
Affected software
Installations are only vulnerable if the virtualization software makes use of the KVM subsystem in Linux. Deployments that use system emulation (where the KVM Linux kernel functionality is not used) are not affected. Other virtualization software that uses KVM is also likely to be affected.
The following table lists the affected Linux kernel image package variants and the version that contains the mitigation. The table below only lists the fixed versions for the generic and HWE kernel image packages. Fixes have been released for multiple affected variants – these are available on the CVE page.
| Release | Linux image package affected | Fixed Version |
|---|---|---|
| 14.04 LTS (Trusty) | All variants affected | 3.13.0-208.259 / 4.4.0-274.308~14.04.1 (HWE) |
| 16.04 LTS (Xenial) | All variants affected | 4.4.0-274.308 / 4.15.0-243.255~16.04.1 (HWE) |
| 18.04 LTS (Bionic) | All variants affected | 4.15.0-243.255 / 5.4.0-223.243~18.04.1 (HWE) |
| 20.04 LTS (Focal) | All variants affected | 5.4.0-223.243 / 5.15.0-161.171~20.04.1 (HWE) |
| 22.04 LTS (Jammy) | All variants affected | 5.15.0-161.171 / 6.8.0-87.88~22.04.1 (HWE) |
| 24.04 LTS (Noble) | All variants affected | 6.8.0-87.88 / 6.14.0-35.35~24.04.1 (HWE) |
| 25.04 (Plucky) | All variants affected | 6.14.0-35.35 |
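A practitioner applying this page wants a quick way to tell whether a given hypervisor host is already running a fixed kernel. The script below is an added example, not Ubuntu's or the researchers' code. It copies the fixed-version table above into a dictionary and compares it against the running kernel (`uname -r`, which carries the ABI number but not the upload number) or against a full package version string. It also reads the sysfs entry that the upstream mitigation adds, `/sys/devices/system/cpu/vulnerabilities/vmscape`; that path and the `Not affected` / `Vulnerable` / `Mitigation: ...` wording follow the convention of the other files in that directory and are assumptions not stated on this page. The release codename is read from `/etc/os-release` or passed as the first argument.

```python
"""Host-side check for the VMSCAPE (CVE-2025-40300) kernel mitigation.

Added example, not Ubuntu's or the researchers' code. Assumptions:
  * the fixed-version table from this advisory (copied into FIXED below);
  * the sysfs file added by the upstream mitigation,
    /sys/devices/system/cpu/vulnerabilities/vmscape, and the usual
    "Not affected" / "Vulnerable" / "Mitigation: ..." wording there.
Run it on the hypervisor host; guests do not need the update.
"""
import platform
import re
import sys
from pathlib import Path

# Fixed versions from the advisory table: (generic kernel, HWE kernel).
# The "~XX.YY.Z" suffix on HWE builds is ignored by the comparison below.
FIXED = {
    "trusty": ("3.13.0-208.259", "4.4.0-274.308"),
    "xenial": ("4.4.0-274.308", "4.15.0-243.255"),
    "bionic": ("4.15.0-243.255", "5.4.0-223.243"),
    "focal": ("5.4.0-223.243", "5.15.0-161.171"),
    "jammy": ("5.15.0-161.171", "6.8.0-87.88"),
    "noble": ("6.8.0-87.88", "6.14.0-35.35"),
    "plucky": ("6.14.0-35.35", None),
}

# Assumed sysfs location (see module docstring).
VMSCAPE_SYSFS = "/sys/devices/system/cpu/vulnerabilities/vmscape"

# major.minor.patch-abi[.upload]; matches both `uname -r` and package versions.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?")


def parse_kernel_version(text):
    """Return (major, minor, patch, abi[, upload]) or None if not Ubuntu-style."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def kernel_is_fixed(installed, release):
    """True/False if `installed` is at or above the fixed version for `release`.

    The kernel series (major.minor) selects the generic or HWE column.
    Returns None when the release is unknown or the series is not listed,
    which should be treated as "check manually", not as "fixed".
    """
    have = parse_kernel_version(installed)
    if have is None or release not in FIXED:
        return None
    for fixed in FIXED[release]:
        if fixed is None:
            continue
        want = parse_kernel_version(fixed)
        if want[:2] == have[:2]:
            # Compare only the components both strings carry (uname -r has
            # no upload number; same ABI implies the same upload in practice).
            n = min(len(have), len(want))
            return have[:n] >= want[:n]
    return None


def classify_sysfs(text):
    """Map the sysfs mitigation line to a coarse status."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not-affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def host_status(sysfs_path=VMSCAPE_SYSFS):
    """Live check. A kernel that predates the fix has no vmscape entry at
    all, so 'absent' means unpatched on a host with an affected CPU."""
    path = Path(sysfs_path)
    if not path.exists():
        return "absent"
    return classify_sysfs(path.read_text())


def detect_release(os_release="/etc/os-release"):
    """Read VERSION_CODENAME from os-release; None if unavailable."""
    path = Path(os_release)
    if not path.exists():
        return None
    for line in path.read_text().splitlines():
        if line.startswith("VERSION_CODENAME="):
            return line.split("=", 1)[1].strip().strip('"')
    return None


if __name__ == "__main__":
    release = sys.argv[1] if len(sys.argv) > 1 else detect_release()
    running = platform.release()
    print(f"release {release}, kernel {running}: "
          f"at/above fixed version? {kernel_is_fixed(running, release)}")
    print(f"sysfs mitigation status: {host_status()}")
```

Usage: `python3 vmscape_check.py` on the host, or `python3 vmscape_check.py jammy` to name the release explicitly. The sysfs status is the authoritative answer when the file exists, since the kernel itself decides whether the CPU is in the affected list; the version comparison is there for hosts whose kernel is too old to have the entry at all.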
References
- CVE-2025-40300 | Ubuntu
- https://comsec-files.ethz.ch/papers/vmscape_sp26.pdf
- https://www.cve.org/CVERecord?id=CVE-2025-40300
- https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7046.html
- https://www.intel.com/content/www/us/en/security-center/announcement/intel-security-announcement-2025-09-11-001.html
- https://lore.kernel.org/all/2025091125-clustered-tractor-13c0@gregkh/
Timeline
- 2025 Sep 11: vulnerability publicly disclosed by AMD
- 2025 Oct 30: Fixes released for kernel versions 3.13 (Ubuntu 14.04 LTS) and 4.15 (Ubuntu 16.04 LTS HWE and Ubuntu 18.04 LTS)
- 2025 Nov 06: Fixes released for kernel versions 4.4 (Ubuntu 14.04 LTS HWE and Ubuntu 16.04 LTS), 5.15 (Ubuntu 20.04 LTS HWE and Ubuntu 22.04 LTS), 6.8 (Ubuntu 22.04 LTS HWE and Ubuntu 24.04 LTS) and 6.14 (Ubuntu 24.04 LTS HWE and Ubuntu 25.04).
- 2025 Nov 11: Fixes released for kernel 5.4 (Ubuntu 18.04 LTS HWE and Ubuntu 20.04 LTS)