
Mitigating CVE-2025-10263 (Arm TLBI Race) on Rocky Linux 8, 9, and 10 (arm64)


Arsalan Zaidi
Customer Support Engineering Lead

Jun 11, 2026

Introduction

CVE-2025-10263 is a race condition in the Linux kernel on Arm processors, in Translation Lookaside Buffer Invalidation (TLBI) handling during memory permission changes. On affected Arm cores, a broadcast TLBI on one processor may complete before the associated memory accesses on another processor are globally observed. A local attacker can use this window to write to memory after the kernel has changed the translation to forbid writes to that location, allowing an unprivileged local user to gain kernel privileges, or a guest VM to write into memory it no longer owns and escalate toward the hypervisor.

This is fundamentally an Arm hardware erratum, addressed in software by a kernel workaround. It affects only arm64 (aarch64) systems. x86_64 systems are not affected.

This article covers Rocky Linux 8, 9, and 10 on arm64, including the CIQ RLC Pro, RLC Pro LTS, FIPS, and CIQ Linux Kernel (CLK) variants. It explains what is affected, the current patch status, and why there is no software workaround short of the patched kernel.

Problem

The flaw stems from a documented Arm erratum: completion of a TLBI is not guaranteed to imply completion of affected memory accesses on other processing elements. In the kernel, this means that after a page's translation is changed to remove write permission and the change is broadcast with a TLBI, a store in flight on another core can still land in the now-protected page. An attacker who can arrange the timing can write to memory belonging to a higher privilege level.

The condition requires a multi-core Arm system. The affected Arm cores include the Cortex-X, Cortex-A (recent generations), and Neoverse families, among others. Single-core configurations and non-Arm architectures are not affected.

Treat the following as affected unless they are running a patched kernel (none is available yet; see Status):

  • Rocky Linux 8, 9, and 10 on arm64 (aarch64)
  • RLC Pro LTS 8.6, 9.2, 9.4, and 9.6 on arm64
  • RLC Pro 8 (el8_10), RLC Pro 9 (el9_8), and RLC Pro 10 (el10_2) on arm64
  • RLC Pro FIPS variants on 8.6 on arm64
  • CIQ Linux Kernel (CLK) 6.12 and 6.18 on arm64

Systems that are not affected:

  • All x86_64 systems
  • Arm systems based on cores not listed in the Arm erratum advisory

Status

  • No patched kernel is available yet, as of 2026-06-11. CIQ is tracking the kernel workaround for the affected Rocky Linux 8, 9, and 10 arm64 variants and the CLK kernels. This article will be updated with exact patched kernel versions and a Patched Kernels table once builds are released.
  • There is no software mitigation for this flaw. It is a hardware erratum that must be worked around in the kernel. There is no module to block and no sysctl or boot parameter that closes the timing window without the kernel fix. The patched kernel is the resolution.
  • x86_64 is not affected. If you run no arm64 systems, this CVE does not apply to your fleet.
  • Open a support case if you need help confirming whether a given arm64 host uses an affected Arm core, or to be notified when the patched kernel for your variant is released.

Patched Kernels

No patched kernels are available yet. CIQ will populate the table below once builds are released for the affected Rocky Linux 8, 9, and 10 arm64 variants.

Variant                          Patched Kernel Version   Released
-------------------------------  -----------------------  --------
RLC Pro LTS 8.6 (arm64)          pending                  pending
RLC Pro FIPS 8.6 (arm64)         pending                  pending
RLC Pro LTS 9.2 (arm64)          pending                  pending
RLC Pro LTS 9.4 (arm64)          pending                  pending
RLC Pro LTS 9.6 (arm64)          pending                  pending
RLC Pro 8 (el8_10, arm64)        pending                  pending
RLC Pro 9 (el9_8, arm64)         pending                  pending
RLC Pro 10 (el10_2, arm64)       pending                  pending
CIQ Linux Kernel 6.12 (arm64)    pending                  pending
CIQ Linux Kernel 6.18 (arm64)    pending                  pending

Confirm what is running on a given system with:

uname -r
uname -m

uname -m should report aarch64 for an affected system. On x86_64 this CVE does not apply.

Mitigation

There is no software mitigation for CVE-2025-10263. The vulnerability is an Arm hardware erratum, and the only fix is the kernel workaround delivered in a patched kernel. There is no module to unload, no sysctl to set, and no boot parameter that removes the exposure on an affected core.

What you can do in the interim:

  • Confirm which of your systems are arm64 and therefore in scope:

    uname -m       # aarch64 = potentially affected

  • On affected arm64 hosts, apply your normal controls for limiting local code execution and untrusted workloads, since the exploit requires a local attacker (or, in virtualized environments, a guest) able to run code on the machine. This reduces opportunity but does not close the underlying flaw.

  • Prioritize the affected arm64 hosts for the kernel update as soon as the patched kernel is published.

Verification

Once a patched kernel is published and installed, confirm the running kernel matches (or is newer than) the patched version listed in the Patched Kernels table:

uname -r

There is no separate mitigation state to verify, since no software workaround applies.
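The scoping step in Mitigation and the version check in Verification can be scripted. The following is an added example, not part of the original article or a CIQ tool: it classifies the architecture, lists the CPU implementer/part pairs from /proc/cpuinfo for comparison against the Arm erratum advisory (or to attach to a support case), and compares a running kernel string against a patched version. The patched version is a placeholder argument, since the table above is still pending, and the part numbers in the comments are constructed sample values, not a statement about which cores are affected.

```shell
#!/bin/sh
# Added example for CVE-2025-10263 triage on Rocky Linux arm64 hosts.
# Usage: sh cve-2025-10263-check.sh --report [PATCHED_KERNEL_VERSION]

# Return 0 when the architecture string denotes an arm64 host (in scope for this CVE).
in_scope_arch() {
    case "$1" in
        aarch64|arm64) return 0 ;;
        *) return 1 ;;
    esac
}

# Print distinct "implementer:part" pairs from /proc/cpuinfo-style text on stdin.
# 0x41 is Arm Ltd.'s implementer code; the part number identifies the core model,
# which is what the Arm erratum advisory lists. (Sample input in the test is constructed.)
cpu_parts() {
    awk -F': ' '
        /^CPU implementer/ { impl = $2 }
        /^CPU part/        { pairs[impl ":" $2] = 1 }
        END { for (p in pairs) print p }
    ' | sort
}

# Return 0 when the running kernel ($1) is the patched version ($2) or newer.
# The .aarch64 suffix is stripped and the version-release strings are ordered with
# sort -V, which compares the dotted numeric fields of el-style versions numerically.
kernel_is_patched() {
    running=${1%.aarch64}
    patched=${2%.aarch64}
    lowest=$(printf '%s\n%s\n' "$patched" "$running" | sort -V | head -n 1)
    [ "$lowest" = "$patched" ]
}

# Report mode: only runs when invoked with --report, so sourcing the file is side-effect free.
if [ "${1:-}" = "--report" ]; then
    arch=$(uname -m)
    running=$(uname -r)
    if in_scope_arch "$arch"; then
        echo "arch=$arch: arm64 host, in scope for CVE-2025-10263; cores present:"
        cpu_parts < /proc/cpuinfo
        if [ -n "${2:-}" ]; then
            if kernel_is_patched "$running" "$2"; then
                echo "kernel $running is at or above patched version $2"
            else
                echo "kernel $running is older than patched version $2"
            fi
        fi
    else
        echo "arch=$arch: not arm64, CVE-2025-10263 does not apply"
    fi
fi
```

Once CIQ publishes the patched version for your variant, pass it as the second argument to get a pass/fail line per host.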

Resolution

When CIQ publishes the patched kernel for your variant, install it and reboot:

sudo dnf update 'kernel*'    # quoted so the shell does not expand the glob against files in the current directory
sudo reboot

For RLC Pro LTS and FIPS variants the patched kernel comes from the long-term support repository with no additional configuration. After reboot, confirm with uname -r that the running kernel matches the published patched version.

Notes

  • This is an Arm-only issue. x86_64 systems are not affected by CVE-2025-10263.
  • Because it is a hardware erratum worked around in the kernel, vulnerability scanners may flag it on arm64 systems with no available remediation until the patched kernel ships. The accurate status during that window is "affected, fix in progress, no software mitigation," not "ignorable."
  • It is unrelated to the Dirty Frag, Fragnesia, and ITScape vulnerabilities. Their mitigations do not apply here.
