{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-40122", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-04-16T07:20:57.169Z", "datePublished": "2025-11-12T10:23:19.271Z", "dateUpdated": "2025-11-12T10:23:19.271Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-11-12T10:23:19.271Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error\n\nWhen running perf_fuzzer on PTL, sometimes the below \"unchecked MSR\n access error\" is seen when accessing IA32_PMC_x_CFG_B MSRs.\n\n[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)\n[ 55.611280] Call Trace:\n[ 55.611282] <TASK>\n[ 55.611284] ? intel_pmu_config_acr+0x87/0x160\n[ 55.611289] intel_pmu_enable_acr+0x6d/0x80\n[ 55.611291] intel_pmu_enable_event+0xce/0x460\n[ 55.611293] x86_pmu_start+0x78/0xb0\n[ 55.611297] x86_pmu_enable+0x218/0x3a0\n[ 55.611300] ? x86_pmu_enable+0x121/0x3a0\n[ 55.611302] perf_pmu_enable+0x40/0x50\n[ 55.611307] ctx_resched+0x19d/0x220\n[ 55.611309] __perf_install_in_context+0x284/0x2f0\n[ 55.611311] ? __pfx_remote_function+0x10/0x10\n[ 55.611314] remote_function+0x52/0x70\n[ 55.611317] ? __pfx_remote_function+0x10/0x10\n[ 55.611319] generic_exec_single+0x84/0x150\n[ 55.611323] smp_call_function_single+0xc5/0x1a0\n[ 55.611326] ? __pfx_remote_function+0x10/0x10\n[ 55.611329] perf_install_in_context+0xd1/0x1e0\n[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10\n[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040\n[ 55.611336] __x64_sys_perf_event_open+0x26/0x30\n[ 55.611337] x64_sys_call+0x1d8e/0x20c0\n[ 55.611339] do_syscall_64+0x4f/0x120\n[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nOn PTL, GP counter 0 and 1 doesn't support auto counter reload feature,\nthus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR\nwhich requires to enable auto counter reload on GP counter 0.\n\nThe root cause of causing this issue is the check for auto counter\nreload (ACR) counter mask from user space is incorrect in\nintel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter\nmask from user space could be set into hw.config1 and then written into\nCFG_B MSRs and trigger the MSR access warning.\n\ne.g., User may create a perf event with ACR counter mask (config2=0xcb),\nand there is only 1 event created, so \"cpuc->n_events\" is 1.\n\nThe correct check condition should be \"i + idx >= cpuc->n_events\"\ninstead of \"i + idx > cpuc->n_events\" (it looks a typo). Otherwise,\nthe counter mask would traverse twice and an invalid \"cpuc->assign[1]\"\nbit (bit 0) is set into hw.config1 and cause MSR accessing error.\n\nBesides, also check if the ACR counter mask corresponding events are\nACR events. If not, filter out these counter mask. If a event is not a\nACR event, it could be scheduled to an HW counter which doesn't support\nACR. It's invalid to add their counter index in ACR counter mask.\n\nFurthermore, remove the WARN_ON_ONCE() since it's easily triggered as\nuser could set any invalid ACR counter mask and the warning message\ncould mislead users."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/events/intel/core.c"], "versions": [{"version": "ec980e4facef8110f6fce27e5b6344660117f01f", "lessThan": "c6cca4213b618c92e4972919ee568f0fb87313b1", "status": "affected", "versionType": "git"}, {"version": "ec980e4facef8110f6fce27e5b6344660117f01f", "lessThan": "43796f30507802d93ead2dc44fc9637f34671a89", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/events/intel/core.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.17.3", "lessThanOrEqual": "6.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.17.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c6cca4213b618c92e4972919ee568f0fb87313b1"}, {"url": "https://git.kernel.org/stable/c/43796f30507802d93ead2dc44fc9637f34671a89"}], "title": "perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error\n\nWhen running perf_fuzzer on PTL, sometimes the below \"unchecked MSR\n access error\" is seen when accessing IA32_PMC_x_CFG_B MSRs.\n\n[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)\n[ 55.611280] Call Trace:\n[ 55.611282] <TASK>\n[ 55.611284] ? intel_pmu_config_acr+0x87/0x160\n[ 55.611289] intel_pmu_enable_acr+0x6d/0x80\n[ 55.611291] intel_pmu_enable_event+0xce/0x460\n[ 55.611293] x86_pmu_start+0x78/0xb0\n[ 55.611297] x86_pmu_enable+0x218/0x3a0\n[ 55.611300] ? x86_pmu_enable+0x121/0x3a0\n[ 55.611302] perf_pmu_enable+0x40/0x50\n[ 55.611307] ctx_resched+0x19d/0x220\n[ 55.611309] __perf_install_in_context+0x284/0x2f0\n[ 55.611311] ? __pfx_remote_function+0x10/0x10\n[ 55.611314] remote_function+0x52/0x70\n[ 55.611317] ? __pfx_remote_function+0x10/0x10\n[ 55.611319] generic_exec_single+0x84/0x150\n[ 55.611323] smp_call_function_single+0xc5/0x1a0\n[ 55.611326] ? __pfx_remote_function+0x10/0x10\n[ 55.611329] perf_install_in_context+0xd1/0x1e0\n[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10\n[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040\n[ 55.611336] __x64_sys_perf_event_open+0x26/0x30\n[ 55.611337] x64_sys_call+0x1d8e/0x20c0\n[ 55.611339] do_syscall_64+0x4f/0x120\n[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nOn PTL, GP counter 0 and 1 doesn't support auto counter reload feature,\nthus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR\nwhich requires to enable auto counter reload on GP counter 0.\n\nThe root cause of causing this issue is the check for auto counter\nreload (ACR) counter mask from user space is incorrect in\nintel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter\nmask from user space could be set into hw.config1 and then written into\nCFG_B MSRs and trigger the MSR access warning.\n\ne.g., User may create a perf event with ACR counter mask (config2=0xcb),\nand there is only 1 event created, so \"cpuc->n_events\" is 1.\n\nThe correct check condition should be \"i + idx >= cpuc->n_events\"\ninstead of \"i + idx > cpuc->n_events\" (it looks a typo). Otherwise,\nthe counter mask would traverse twice and an invalid \"cpuc->assign[1]\"\nbit (bit 0) is set into hw.config1 and cause MSR accessing error.\n\nBesides, also check if the ACR counter mask corresponding events are\nACR events. If not, filter out these counter mask. If a event is not a\nACR event, it could be scheduled to an HW counter which doesn't support\nACR. It's invalid to add their counter index in ACR counter mask.\n\nFurthermore, remove the WARN_ON_ONCE() since it's easily triggered as\nuser could set any invalid ACR counter mask and the warning message\ncould mislead users."}], "id": "CVE-2025-40122", "lastModified": "2025-11-12T16:19:12.850", "metrics": {}, "published": "2025-11-12T11:15:41.677", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/43796f30507802d93ead2dc44fc9637f34671a89"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c6cca4213b618c92e4972919ee568f0fb87313b1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", "id": "2414508", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414508"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nperf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error\nWhen running perf_fuzzer on PTL, sometimes the below \"unchecked MSR\naccess error\" is seen when accessing IA32_PMC_x_CFG_B MSRs.\n[ 55.611268] unchecked MSR access error: WRMSR to 0x1986 (tried to write 0x0000000200000001) at rIP: 0xffffffffac564b28 (native_write_msr+0x8/0x30)\n[ 55.611280] Call Trace:\n[ 55.611282] <TASK>\n[ 55.611284] ? intel_pmu_config_acr+0x87/0x160\n[ 55.611289] intel_pmu_enable_acr+0x6d/0x80\n[ 55.611291] intel_pmu_enable_event+0xce/0x460\n[ 55.611293] x86_pmu_start+0x78/0xb0\n[ 55.611297] x86_pmu_enable+0x218/0x3a0\n[ 55.611300] ? x86_pmu_enable+0x121/0x3a0\n[ 55.611302] perf_pmu_enable+0x40/0x50\n[ 55.611307] ctx_resched+0x19d/0x220\n[ 55.611309] __perf_install_in_context+0x284/0x2f0\n[ 55.611311] ? __pfx_remote_function+0x10/0x10\n[ 55.611314] remote_function+0x52/0x70\n[ 55.611317] ? __pfx_remote_function+0x10/0x10\n[ 55.611319] generic_exec_single+0x84/0x150\n[ 55.611323] smp_call_function_single+0xc5/0x1a0\n[ 55.611326] ? __pfx_remote_function+0x10/0x10\n[ 55.611329] perf_install_in_context+0xd1/0x1e0\n[ 55.611331] ? __pfx___perf_install_in_context+0x10/0x10\n[ 55.611333] __do_sys_perf_event_open+0xa76/0x1040\n[ 55.611336] __x64_sys_perf_event_open+0x26/0x30\n[ 55.611337] x64_sys_call+0x1d8e/0x20c0\n[ 55.611339] do_syscall_64+0x4f/0x120\n[ 55.611343] entry_SYSCALL_64_after_hwframe+0x76/0x7e\nOn PTL, GP counter 0 and 1 doesn't support auto counter reload feature,\nthus it would trigger a #GP when trying to write 1 on bit 0 of CFG_B MSR\nwhich requires to enable auto counter reload on GP counter 0.\nThe root cause of causing this issue is the check for auto counter\nreload (ACR) counter mask from user space is incorrect in\nintel_pmu_acr_late_setup() helper. It leads to an invalid ACR counter\nmask from user space could be set into hw.config1 and then written into\nCFG_B MSRs and trigger the MSR access warning.\ne.g., User may create a perf event with ACR counter mask (config2=0xcb),\nand there is only 1 event created, so \"cpuc->n_events\" is 1.\nThe correct check condition should be \"i + idx >= cpuc->n_events\"\ninstead of \"i + idx > cpuc->n_events\" (it looks a typo). Otherwise,\nthe counter mask would traverse twice and an invalid \"cpuc->assign[1]\"\nbit (bit 0) is set into hw.config1 and cause MSR accessing error.\nBesides, also check if the ACR counter mask corresponding events are\nACR events. If not, filter out these counter mask. If a event is not a\nACR event, it could be scheduled to an HW counter which doesn't support\nACR. It's invalid to add their counter index in ACR counter mask.\nFurthermore, remove the WARN_ON_ONCE() since it's easily triggered as\nuser could set any invalid ACR counter mask and the warning message\ncould mislead users."], "name": "CVE-2025-40122", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-40122\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40122\nhttps://lore.kernel.org/linux-cve-announce/2025111252-CVE-2025-40122-6893@gregkh/T"], "threat_severity": "Moderate"}