CVE-2025-21690 - Linux Kernel SCSI Storvsc Log Flood Leads to VM Denial of Service

CVE-2025-21690 uncovers a vulnerability in the Linux kernel's SCSI storvsc driver used in Hyper-V virtual machines. When the underlying hypervisor produces persistent errors, the storvsc driver floods the kernel log with warnings for each failed I/O. This non-stop error logging can force the virtual machine (VM) into high CPU usage, making it unresponsive and hard to troubleshoot from inside the VM. A ratelimit fix was issued to stop these logs from spamming and choking the VM.

Why This Vulnerability Matters

If you're running Linux on Microsoft Hyper-V (Azure or on-premise), you likely rely on the storvsc (Storage Virtual SCSI) driver. In cases where the hypervisor or storage backend has persistent issues, a rapid fire of error messages can fill kernel logs and consume CPU cycles, effectively denying service to the VM owner. This not only risks VM stability but also hampers investigation because the system gets too busy writing logs to be usable.

The Hyper-V host or its storage backend encounters a problem.

2. Every I/O operation that fails sends a warning to the kernel log via the storvsc driver.

Example Code Snippet

Here's a simplified version reflecting the old problematic section and the new ratelimited warning.

_Old, Vulnerable Code (before CVE-2025-21690 patch):_

if (error) {
    dev_warn(&host->shost_gendev, "SCSI I/O error: %d\n", error);
}

This line would execute *every* time an error happened, even thousands of times per second.

_Patched Code (with ratelimiting added):_

if (error) {
    dev_warn_ratelimited(&host->shost_gendev, "SCSI I/O error: %d\n", error);
}

The dev_warn_ratelimited macro ensures warning messages only appear at a safe frequency, e.g., once every few seconds even if errors persist.

Exploit Scenario

Attackers or misconfigured storage on a Hyper-V host can force repeated, persistent I/O errors on the VM’s SCSI devices. Since every error is logged without limit, these actions saturate the VM’s CPU, slowing it down or freezing it.

Real world impact:
- Attackers on the same physical host could (if given some control) intentionally trigger storage errors for tenants.

Fix and Patch Details

What was fixed?
The warning messages in the storvsc driver are now *rate limited*. Instead of endlessly spamming the log, only a set number of warnings are output per period.

Commit:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f990098755c8

Excerpt From the Commit

> scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
>
> If there's a persistent error in the hypervisor, the SCSI warning for failed I/O can flood the kernel log and max out CPU utilization, preventing troubleshooting from the VM side. Ratelimit the warning so it doesn't DoS the VM.

References

- Kernel.org commit with the fix
- CVE-2025-21690 entry at cve.org (when available)
- storvsc driver documentation (Linux kernel)

Conclusion

CVE-2025-21690 highlights how something as simple as a flood of log messages can cripple a Linux virtual machine. With a one-line ratelimit patch, this risk is now squashed in recent Linux kernels. If you run Linux VMs on Hyper-V, make sure your kernel (or your distribution’s backports) includes this patch.

Timeline

Published on: 02/10/2025 16:15:38 UTC
Last modified on: 03/24/2025 15:38:57 UTC