CVE-2025-68751 Overview
CVE-2025-68751 is a vulnerability in the Linux kernel affecting the s390 architecture's floating-point unit (FPU) code. The issue involves a false-positive Kernel Memory Sanitizer (KMSAN) report triggered in the fpu_vstl() function when running network operations such as the ping command. This vulnerability stems from a mismatch between compile-time inline assembly constraints and runtime behavior of the vstl instruction, which writes a variable number of bytes depending on the index argument.
The clang compiler generates KMSAN write helper calls based on inline assembly constraints evaluated at compile time. However, since the actual number of bytes written by vstl is determined at runtime, clang incorrectly generates a call to __msan_instrument_asm_store with only 1 byte as the size, leading to false-positive uninitialized memory reports.
Critical Impact
False-positive KMSAN reports can mask real memory safety issues and cause system instability or crashes during network operations on s390 systems running with KMSAN enabled.
Affected Products
- Linux kernel with s390 architecture support
- Systems running KMSAN-enabled kernels on IBM z/Architecture hardware
- Linux kernel versions prior to the fix commits
Discovery Timeline
- 2026-01-05 - CVE CVE-2025-68751 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68751
Vulnerability Analysis
The vulnerability resides in the s390 FPU subsystem, specifically in the fpu_vstl() function which utilizes the vstl (Vector Store with Length) inline assembly instruction. This instruction is designed to write a variable number of bytes to memory based on a runtime-determined index argument. When index is greater than 0, the instruction writes at least 2 bytes to the destination.
The root of the problem lies in how the clang compiler handles KMSAN instrumentation for inline assembly. The compiler generates memory sanitizer helper calls based on constraints that are evaluated at compile time, but the actual byte count written by vstl depends on the runtime value of the index parameter. This disconnect causes clang to generate a call to __msan_instrument_asm_store specifying only 1 byte as the write size, regardless of the actual bytes written.
This mismatch triggers false-positive KMSAN "uninit-value" reports during legitimate network operations. The kernel logs show the issue manifesting in the virtqueue_add() function within the virtio subsystem during packet transmission, causing spurious warnings that can obscure genuine memory safety issues.
Root Cause
The root cause is the compile-time evaluation of inline assembly constraints by clang when generating KMSAN instrumentation code. The vstl instruction's variable-length write behavior cannot be accurately represented through static constraints, leading to incorrect memory sanitizer annotations. The fix manually invokes the KMSAN function with the correct byte count calculated at runtime, ensuring accurate memory tracking.
Attack Vector
This vulnerability does not represent a direct security exploit vector. Instead, it causes false-positive memory sanitizer reports that can:
- Generate excessive kernel log noise during normal network operations
- Potentially mask legitimate uninitialized memory access bugs
- Cause confusion during security audits and debugging sessions
- Impact system stability on KMSAN-enabled development or testing kernels
The issue is triggered during standard network operations such as ICMP ping requests, where the affected code path is exercised through the virtio network stack on s390 virtualized environments.
Detection Methods for CVE-2025-68751
Indicators of Compromise
- KMSAN "BUG: KMSAN: uninit-value" reports in kernel logs referencing virtqueue_add() during network operations
- Stack traces showing the path through start_xmit, dev_hard_start_xmit, and network transmission functions on s390 systems
- False-positive reports triggered specifically when running ping or other ICMP operations on affected kernels
Detection Strategies
- Monitor kernel logs for KMSAN reports containing the virtqueue_add+0x35c6/0x7c70 signature or similar addresses in the virtio subsystem
- Check for stack traces including fpu_vstl() or s390 FPU-related functions in KMSAN reports
- Audit systems running Linux kernels on IBM z/Architecture with KMSAN enabled for spurious uninitialized memory warnings
Monitoring Recommendations
- Enable kernel log monitoring for KMSAN warnings on s390 development and testing systems
- Review kernel version and compare against patched releases referenced in the fix commits
- Track network-related KMSAN reports to distinguish between this false-positive and genuine memory safety issues
How to Mitigate CVE-2025-68751
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commits for s390 FPU KMSAN instrumentation
- Review recent KMSAN reports on affected systems to identify any that may have been incorrectly flagged
- Prioritize patching on development and testing environments where KMSAN is actively used
Patch Information
The vulnerability has been resolved through multiple kernel commits that manually invoke the KMSAN function with the correct byte count for the vstl instruction. The following commits address this issue:
System administrators should apply the appropriate patch based on their kernel version branch.
Workarounds
- Temporarily disable KMSAN on affected s390 systems if immediate patching is not feasible
- Filter or suppress KMSAN reports matching the known false-positive signature in virtqueue_add() until the patch can be applied
- Consider using production kernels without KMSAN instrumentation, as KMSAN is typically intended for development and testing environments
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
