CVE-2025-71104 Overview
CVE-2025-71104 is a Denial of Service vulnerability in the Linux kernel's KVM (Kernel-based Virtual Machine) x86 subsystem. The flaw exists in the advance_periodic_target_expiration() function, which handles the guest's APIC timer in periodic mode. When advancing the target expiration for the timer, the code fails to properly handle scenarios where the target expiration is in the past, leading to a cascade of hrtimer IRQs that can cause hard lockups on the host system.
Critical Impact
This vulnerability can cause complete host system lockups when a virtual machine resumes after prolonged inactivity, potentially affecting all workloads running on the affected hypervisor.
Affected Products
- Linux kernel KVM x86 subsystem (Intel CPUs with VMX preemption timer)
- Virtualization hosts running KVM-based virtual machines
- Systems using the hypervisor timer (HV timer) for APIC timer emulation
Discovery Timeline
- 2026-01-14 - CVE-2025-71104 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71104
Vulnerability Analysis
The vulnerability stems from improper handling of timer expiration calculations in the KVM x86 APIC timer implementation. When a virtual machine is paused or suspended for an extended period and then resumed, the periodic HV timer mechanism fails to account for the large time gap between the original target expiration and the current time.
The advance_periodic_target_expiration() function blindly adds the period to the previous target expiration without checking whether the result is still in the past. KVM therefore keeps programming a timer that has already expired, and each expiry produces another hrtimer IRQ, with no bound on how many are generated. Because the hrtimer callback runs with IRQs disabled, the CPU never leaves the handler while the timer catches up, and the NMI watchdog eventually reports a hard lockup.
The issue specifically affects Intel CPUs when using the VMX preemption timer (hypervisor timer). Unlike the software timer (hrtimer), which continues running during exits to userspace, the HV timer only runs while the guest is active. This behavioral difference creates a timing discrepancy that amplifies the bug's impact after VM suspension.
Root Cause
The root cause is a missing boundary check in the advance_periodic_target_expiration() function. When calculating the next timer expiration, the code should set the expiration to "now" if the computed target is in the past, as update_target_expiration() already does. Without this check, the delta calculation can produce a negative value that, when converted to an unsigned u64 for tscdeadline, wraps to a huge value exceeding the VMX Preemption Timer's maximum programmable value (limited to cpu_preemption_timer_multi + 32 bits).
This overflow causes KVM to fall back from the HV timer to the software timer (hrtimers), which then honors requests for past expirations by immediately re-invoking KVM's callback, creating the lockup condition.
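The following userspace model illustrates the root cause described above. It is example code written for this page, not the kernel's own implementation: times are in nanoseconds, TSC cycles are assumed to be 1:1 with nanoseconds, and MODEL_PREEMPTION_TIMER_MULTI is a constructed shift value rather than any real CPU's. The vulnerable advance and the clamped advance are shown side by side, and the loop replays the callback storm with "now" frozen, as it effectively is while the hrtimer callback runs with IRQs disabled.

```c
/*
 * Userspace model of the periodic APIC timer advance described above.
 * Illustrative code written for this page, not the kernel's implementation:
 * times are nanoseconds, TSC cycles are assumed 1:1 with nanoseconds, and
 * MODEL_PREEMPTION_TIMER_MULTI is a constructed value, not a real CPU's.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;
typedef uint64_t u64;

#define MODEL_PREEMPTION_TIMER_MULTI 5 /* assumed shift; the real value is per-CPU */

struct lapic_timer_model {
    s64 target_expiration; /* absolute target of the next interrupt, ns */
    s64 period;            /* periodic-mode interval, ns */
    u64 delta_cycles;      /* cycles from "now" until that target */
};

typedef void (*advance_fn)(struct lapic_timer_model *, s64 now);

/* The range check the advisory describes: the VMX preemption timer counts
 * (multi + 32) bits, so a larger delta cannot be programmed and KVM must
 * fall back to the software hrtimer. */
static bool hv_timer_can_program(u64 delta_cycles)
{
    return (delta_cycles >> (MODEL_PREEMPTION_TIMER_MULTI + 32)) == 0;
}

/* Vulnerable advance: add the period and trust the result. After a long
 * pause the target is still in the past, the signed delta is negative, and
 * the unsigned conversion turns it into a value no timer can hold. */
static void advance_vulnerable(struct lapic_timer_model *t, s64 now)
{
    s64 delta;
    t->target_expiration += t->period;
    delta = t->target_expiration - now;   /* < 0 while the target is stale */
    t->delta_cycles = (u64)delta;         /* wraps to ~2^64 when negative */
}

/* Fixed advance: clamp a stale target to "now" first, the same guard the
 * advisory says update_target_expiration() already applies. */
static void advance_fixed(struct lapic_timer_model *t, s64 now)
{
    s64 delta;
    t->target_expiration += t->period;
    if (t->target_expiration < now)
        t->target_expiration = now;       /* one catch-up interrupt, then resync */
    delta = t->target_expiration - now;   /* >= 0 by construction */
    t->delta_cycles = (u64)delta;
}

/* Delta produced by a single advance from a stale target. */
static u64 stale_advance_delta(advance_fn advance, s64 last_target, s64 period, s64 now)
{
    struct lapic_timer_model t = { last_target, period, 0 };
    advance(&t, now);
    return t.delta_cycles;
}

/*
 * Replay the storm. "now" is frozen because the hrtimer callback runs with
 * IRQs disabled; every iteration is one apic_timer_fn() invocation. While the
 * target stays in the past the hrtimer fires again immediately, so the value
 * returned is how many back-to-back callbacks run before a timer can be
 * armed for now-or-later (capped at 'limit').
 */
static u64 count_callbacks(advance_fn advance, s64 last_target, s64 period,
                           s64 now, u64 limit)
{
    struct lapic_timer_model t = { last_target, period, 0 };
    u64 calls = 0;

    while (calls < limit) {
        calls++;
        advance(&t, now);
        if (t.target_expiration >= now)
            break;                        /* armed for now-or-later: storm over */
    }
    return calls;
}

int main(void)
{
    const s64 last_target = 1000000000LL;  /* 1 s: last target before the pause */
    const s64 period = 1000000LL;          /* 1 ms periodic timer */
    const s64 now = 3601000000000LL;       /* resumed one hour later */

    printf("vulnerable: first delta fits HV timer? %s, callbacks to catch up: %" PRIu64 "\n",
           hv_timer_can_program(stale_advance_delta(advance_vulnerable, last_target, period, now)) ? "yes" : "no",
           count_callbacks(advance_vulnerable, last_target, period, now, 10000000ULL));
    printf("fixed:      first delta fits HV timer? %s, callbacks to catch up: %" PRIu64 "\n",
           hv_timer_can_program(stale_advance_delta(advance_fixed, last_target, period, now)) ? "yes" : "no",
           count_callbacks(advance_fixed, last_target, period, now, 10000000ULL));
    return 0;
}
```

With a 1 ms period and a one-hour pause, the vulnerable path needs 3,600,000 immediate callbacks before the target catches up with "now", and its very first delta is already outside the preemption timer's range, which is the HV-timer-to-hrtimer fallback the advisory describes. The clamped path resynchronises in a single callback.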
Attack Vector
This vulnerability is triggered through operational conditions rather than direct exploitation. The attack scenario involves:
- A guest VM configured to use the APIC timer in periodic mode (common in Windows VMs)
- The host pauses or suspends the VM for an extended duration
- Upon resuming the VM, the large gap between the stored target expiration and current time triggers the bug
- The host system experiences a hard lockup in the advance_periodic_target_expiration() function
The call trace during a lockup shows:
- advance_periodic_target_expiration() in KVM module
- apic_timer_fn() callback
- __hrtimer_run_queues() and hrtimer_interrupt() in the kernel
- smp_apic_timer_interrupt() handling the APIC timer interrupt
Since this is a Denial of Service condition triggered by VM lifecycle events rather than malicious input, the attack vector is considered local and requires control over VM suspension/resumption operations.
Detection Methods for CVE-2025-71104
Indicators of Compromise
- NMI watchdog alerts indicating hard lockups on CPU cores, particularly those running KVM workloads
- System logs showing "Watchdog detected hard LOCKUP on cpu" messages with stack traces pointing to advance_periodic_target_expiration in the KVM module
- Elevated CPU utilization on virtualization hosts with no corresponding guest activity
- Virtual machines becoming unresponsive after resuming from suspend or pause operations
Detection Strategies
- Monitor for NMI watchdog events in kernel logs (dmesg) that reference KVM APIC timer functions
- Implement alerting on system hard lockups using hardware monitoring tools
- Track hrtimer interrupt rates for anomalous spikes that could indicate timer programming loops
- Deploy kernel tracepoints on apic_timer_fn and advance_periodic_target_expiration to detect abnormal call frequencies
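One way to turn the first two detection strategies into a concrete check: correlate a hard-lockup report with the stack trace that follows it, rather than alerting on either string alone. This is example code written for this page, not a kernel or distribution tool. The sample dmesg text is constructed (timestamps, CPU numbers and the simplified trace format are placeholders); the "Watchdog detected hard LOCKUP on cpu" message and the function names are the ones the advisory lists.

```c
/*
 * Detection helper for the indicator described above: a hard-lockup report
 * whose stack trace lands in advance_periodic_target_expiration. Example code
 * written for this page, not a kernel or distribution tool. The sample dmesg
 * text below is constructed; timestamps and trace layout are placeholders.
 */
#include <stdio.h>
#include <string.h>

static const char SAMPLE_DMESG[] =
    "[12345.678901] Watchdog detected hard LOCKUP on cpu 7\n"
    "[12345.678902] Call Trace:\n"
    "[12345.678903]  advance_periodic_target_expiration [kvm]\n"
    "[12345.678904]  apic_timer_fn [kvm]\n"
    "[12345.678905]  __hrtimer_run_queues\n"
    "[12345.678906]  hrtimer_interrupt\n"
    "[12345.678907]  smp_apic_timer_interrupt\n"
    "[12400.000001] Watchdog detected hard LOCKUP on cpu 3\n"
    "[12400.000002] Call Trace:\n"
    "[12400.000003]  unrelated_driver_poll [unrelated]\n"
    "[12400.000004]  worker_thread\n";

/*
 * Count hard-lockup reports whose following 'window' lines contain the KVM
 * periodic-timer function. A lockup with an unrelated trace is not counted,
 * and the function name outside a lockup window is not counted either.
 */
static int count_kvm_timer_lockups(const char *log, int window)
{
    char line[512];
    int hits = 0;
    int remaining = 0;   /* trace lines still to inspect after a LOCKUP line */
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof(line))
            len = sizeof(line) - 1;       /* truncate overlong lines */
        memcpy(line, p, len);
        line[len] = '\0';

        if (strstr(line, "Watchdog detected hard LOCKUP on cpu")) {
            remaining = window;           /* open a window for the stack trace */
        } else if (remaining > 0) {
            if (strstr(line, "advance_periodic_target_expiration")) {
                hits++;
                remaining = 0;            /* count each lockup at most once */
            } else {
                remaining--;
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return hits;
}

int main(void)
{
    /* Trace frames usually follow within a few lines; 16 is a generous window. */
    printf("KVM periodic-timer lockups in sample log: %d\n",
           count_kvm_timer_lockups(SAMPLE_DMESG, 16));
    return 0;
}
```

On a real host the same logic can run over the output of dmesg or the kernel journal; the window keeps a lockup in some other subsystem from being mislabelled as this issue.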
Monitoring Recommendations
- Configure watchdog timers with appropriate thresholds to detect and recover from hard lockups
- Monitor VM lifecycle events (pause, suspend, resume) and correlate with host CPU metrics
- Use performance monitoring counters to track IRQ rates on virtualization hosts
- Implement automated VM health checks after resume operations to detect stuck or unresponsive guests
How to Mitigate CVE-2025-71104
Immediate Actions Required
- Apply the kernel patches from the stable branches as soon as they become available for your distribution
- Consider temporarily avoiding long VM suspension periods on affected systems until patches are applied
- Ensure NMI watchdog is enabled to detect and potentially recover from hard lockups
- Review VM configurations and identify those using APIC timers in periodic mode (common in Windows guests)
Patch Information
Multiple patches have been committed to the Linux kernel stable branches to address this vulnerability. The fix ensures that when advancing the target expiration for the guest's APIC timer in periodic mode, the expiration is set to "now" if the calculated target is in the past. This prevents the unbounded hrtimer IRQ generation that causes host lockups.
Available patches:
- Kernel Patch Commit 18ab3fc
- Kernel Patch Commit 786ed62
- Kernel Patch Commit 7b54cce
- Kernel Patch Commit 807dbe8
- Kernel Patch Commit d2da0df
- Kernel Patch Commit e23f46f
- Kernel Patch Commit e746e51
Workarounds
- Minimize VM suspension duration to reduce the likelihood of triggering the timing gap condition
- For critical systems, consider using live migration instead of VM pause/suspend operations
- On AMD systems, this vulnerability does not apply as it specifically affects Intel's VMX preemption timer implementation
- Monitor for hard lockup conditions and implement automated host recovery procedures (such as kernel panic on hard lockup)
# Enable panic on hard lockup detection for automated recovery
echo 1 > /proc/sys/kernel/hardlockup_panic
# Check current NMI watchdog status
cat /proc/sys/kernel/nmi_watchdog
# Enable NMI watchdog if disabled
echo 1 > /proc/sys/kernel/nmi_watchdog
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.