
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-21977 affects the Linux kernel's hyperv_fb driver, specifically impacting Gen 2 Hyper-V VMs that boot via EFI. The vulnerability was discovered on April 1, 2025, and involves a system hang when running the kdump kernel in Hyper-V Gen 2 VMs. The problem is caused by incorrect framebuffer address handling when the hyperv_fb driver moves the framebuffer to a different MMIO address (NVD CVE, CVE MITRE).
The vulnerability manifests when the hyperv_fb driver in the original kernel moves the framebuffer to a different MMIO address due to conflicts with an already-running efifb or simplefb driver. While the hyperv_fb driver informs Hyper-V of this change through the Hyper-V FB VMBus device protocol, the kexec_file_load() system call remains unaware of the framebuffer movement. This results in the kdump screen_info being set up with the original framebuffer address. Since the transition to the kdump kernel bypasses the Hyper-V host, the framebuffer address isn't reset as it would be during a reboot (NVD CVE).
When the vulnerability is triggered, the efifb driver attempts to access a non-existent framebuffer address, causing traps to the Hyper-V host. After multiple such access attempts, the Hyper-V host interprets this as potentially malicious behavior and throttles the guest VM to the point where it appears to hang or runs extremely slowly (NVD CVE).
The fix involves reordering the steps in hyperv_fb so that conflicting framebuffers are removed before allocating an MMIO address. This approach ensures the default framebuffer MMIO address is always available, eliminating confusion about which framebuffer address the kdump kernel should use. This solution is consistent with the approach already implemented in the hyperv_drm driver and aligns with the usage guidelines for the aperture_remove_conflicting_devices() function (NVD CVE).
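The ordering problem can be seen in a small model. This is an added example, not code from the kernel or from the hyperv_fb driver; the struct, function names, addresses and first-fit allocator are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the ordering issue. All names and addresses are constructed. */
#define DEFAULT_FB_BASE 0xF8000000u /* constructed: framebuffer address set up at boot */
#define FB_SIZE         0x00800000u /* constructed: 8 MiB framebuffer */
#define MMIO_LIMIT      0xFA000000u /* constructed: end of the usable MMIO window */

struct vm_model {
    bool     boot_fb_claimed;  /* efifb/simplefb still owns DEFAULT_FB_BASE */
    uint32_t host_fb_base;     /* where the Hyper-V host currently maps the framebuffer */
    uint32_t screen_info_base; /* boot-time address that kexec_file_load() hands to kdump */
};

/* First-fit: use the default range if it is free, else the next slot. 0 = no space. */
static uint32_t alloc_fb_mmio(const struct vm_model *vm)
{
    uint32_t base = DEFAULT_FB_BASE;
    if (vm->boot_fb_claimed)
        base += FB_SIZE;
    return (base + FB_SIZE <= MMIO_LIMIT) ? base : 0;
}

/* Stand-in for removing the conflicting boot framebuffer driver. */
static void remove_conflicting(struct vm_model *vm) { vm->boot_fb_claimed = false; }

/* True if the address kdump's efifb will use is the one the host actually maps. */
static bool kdump_fb_address_valid(bool remove_before_alloc)
{
    struct vm_model vm = { true, DEFAULT_FB_BASE, DEFAULT_FB_BASE };

    if (remove_before_alloc)
        remove_conflicting(&vm);          /* fixed order: free the default range first */
    vm.host_fb_base = alloc_fb_mmio(&vm); /* driver reports this address to the host */
    if (!remove_before_alloc)
        remove_conflicting(&vm);          /* old order: too late, framebuffer already moved */

    /* The jump into the kdump kernel does not involve the host, so
     * host_fb_base keeps whatever value the first kernel set. */
    return vm.screen_info_base == vm.host_fb_base;
}

int main(void)
{
    printf("allocate, then remove conflicts: valid=%d\n", kdump_fb_address_valid(false));
    printf("remove conflicts, then allocate: valid=%d\n", kdump_fb_address_valid(true));
    return 0;
}
```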
Source: This report was generated using AI