Enabling VMScape mitigation [SOLVED]

Message

ExecutorElassus · Post by **ExecutorElassus** » Fri Oct 24, 2025 2:37 pm

I have a Ryzen 7 CPU, which apparently has a vulnerability to the VMScape exploit (see here). In the kernel options, it should be an available switch under "CPU Vulnerabilities", but I don't see it. `lscpu` reports that the CPU is vulnerable to the exploit. The Kernel setting depends on CPU_MITIGATIONS=y and KVM=n, which is the case.

Is there some setting I need to make to make this mitigation available? Is there some other setting I need? Current kernel is gentoo-linux-6.17.2.

Cheers,

EE

grknight · Post by **grknight** » Fri Oct 24, 2025 2:46 pm

Since KVM=n, you cannot be attacked as this is about a guest hypervisor attacking a host.

If you want the mitigation, set KVM=y and then MITIGATION_VMSCAPE=y

ExecutorElassus · Post by **ExecutorElassus** » Fri Oct 24, 2025 3:45 pm

Oh, my mistake then. I thought the dependency was on KVM being set to =n (which is how it's set on my system). I guess lscpu doesn't take into account whether the kernel configuration makes it possible to exploit the vulnerability in the first place.

Thanks for clarifying!

EE

Post by Hu » Fri Oct 24, 2025 5:44 pm

This is a common misreading of the presented data. The dependency was probably shown as KVM [=n]. This tells you that it requires KVM enabled, and that you presently have it set to =n. If it was telling you that the symbol required you to disable KVM, I think that it would be written as !KVM [=n]. This is from memory, so I might not have the text exactly right.