CVE-2025-23135: 
Chainguard vulnerability analysis and mitigation

CVE-2025-23135 is a vulnerability discovered in the Linux kernel affecting RISC-V KVM implementation, specifically related to the teardown of RISC-V specific bits after kvm_exit. The vulnerability was disclosed on April 16, 2025, and affects the Linux kernel's KVM module (NVD).

The vulnerability occurs during module removal when kvm_exit invokes arch-specific disable call which disables AIA. The issue arises because aia_exit is invoked before kvm_exit, resulting in an inconsistent state of IRQ. This leads to a warning where percpu IRQ 31 remains enabled on CPU0. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Red Hat).

The primary impact of this vulnerability is that the KVM kernel module cannot be inserted afterwards due to an inconsistent state of IRQ. This affects system stability and virtualization capabilities on RISC-V architectures (NVD).

The fix involves modifying the execution order to invoke aia_exit and other arch-specific cleanup functions after kvm_exit, ensuring that the disable call is executed first before the exit process (Debian Tracker).