
CVE-2022-48763: Vulnerability in Linux kernel (KVM)

Severity: High
Published: Thu Jun 20 2024 (06/20/2024, 11:13:40 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: x86: Forcibly leave nested virt when SMM state is toggled

Forcibly leave nested virtualization operation if userspace toggles SMM state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both vmxon=false and smm.vmxon=false, but all other nVMX state allocated.

Don't attempt to gracefully handle the transition as (a) most transitions are nonsensical, e.g. forcing SMM while L2 is running, (b) there isn't sufficient information to handle all transitions, e.g. SVM wants access to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede KVM_SET_NESTED_STATE during state restore as the latter disallows putting the vCPU into L2 if SMM is active, and disallows tagging the vCPU as being post-VMXON in SMM if SMM is not active.

Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU in an architecturally impossible state.
WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Modules linked in:
CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline]
RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00
Call Trace:
 <TASK>
 kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
 kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline]
 kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460
 kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline]
 kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline]
 kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250
 kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273
 __fput+0x286/0x9f0 fs/file_table.c:311
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xb29/0x2a30 kernel/exit.c:806
 do_group_exit+0xd2/0x2f0 kernel/exit.c:935
 get_signal+0x4b0/0x28c0 kernel/signal.c:2862
 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
 handle_signal_work kernel/entry/common.c:148 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
 exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>

AI-Powered Analysis

Last updated: 06/30/2025, 20:43:28 UTC

Technical Analysis

CVE-2022-48763 is a state-handling bug in the Linux kernel's KVM subsystem, specifically in the nested VMX (nVMX) support for x86 guests. The host-side VMM can rewrite a vCPU's System Management Mode (SMM) flag through the KVM_SET_VCPU_EVENTS ioctl (the smi.smm field of struct kvm_vcpu_events, with KVM_VCPUEVENT_VALID_SMM set) or through the equivalent kvm_run synchronisation (KVM_SYNC_X86_EVENTS). That path only flips the SMM flag; it does not run the vendor enter-SMM/leave-SMM handlers that save and restore nested state. If the guest has executed VMXON and then taken an SMI, KVM has stashed the VMXON status in vmx->nested.smm.vmxon and cleared vmx->nested.vmxon. When userspace now forces the vCPU out of SMM and injects another SMI, vmx_enter_smm() runs again and copies the already-cleared vmxon flag over smm.vmxon, so both flags read false while the rest of the nVMX allocations, including vmcs01's shadow VMCS, are still live. Teardown keys off those two flags, so the nested state is never freed: the visible symptom is the WARN in free_loaded_vmcs() on the vCPU destroy path shown in the trace above (reached from kvm_vm_release() as the process exits), plus a host kernel memory leak. The commit message adds that other toggles, such as forcing SMM on while L2 is running, leave the vCPU in an architecturally impossible state; that consequence is not characterised further. The fix does not try to reconcile these transitions but forcibly leaves nested operation whenever the SMM flag is toggled through this interface, for the three reasons given in the description. The precondition matters for triage: the ioctls are issued on a vCPU file descriptor, so they are available only to the host process that owns the VM (the VMM, such as QEMU), or to any local user permitted to open /dev/kvm who creates a VM of their own, as the syz-executor process in the trace did. A guest cannot reach this interface. No CVSS vector is recorded on this entry and no in-the-wild exploitation is known; the demonstrated impact is host kernel resource exhaustion and instability of the virtualization stack.
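As an added illustration of why both flags end up false while the allocations survive, here is a minimal Python model of the nVMX bookkeeping. This is not kernel code: the field names mirror vmx->nested.vmxon, vmx->nested.smm.vmxon and the HF_SMM_MASK hflag, the transitions are reduced to what the commit message describes, and the ordering in abusive_sequence() is this editor's reading of the reproducer rather than the syzkaller program itself. The `patched` flag models the fix (leave nested operation before honouring the toggle).

```python
"""Minimal model of the nVMX state that CVE-2022-48763 corrupts.
Added illustration, not kernel code: it keeps only the flags the commit
message talks about and the transitions it describes."""
from dataclasses import dataclass


@dataclass
class NestedVmxModel:
    in_smm: bool = False      # HF_SMM_MASK in vcpu->arch.hflags
    vmxon: bool = False       # vmx->nested.vmxon: post-VMXON outside SMM
    smm_vmxon: bool = False   # vmx->nested.smm.vmxon: VMXON status stashed on SMM entry
    allocated: bool = False   # the rest of the nVMX state (e.g. vmcs01's shadow VMCS)

    def guest_vmxon(self):
        """L1 executes VMXON: nested state is allocated and vmxon recorded."""
        self.vmxon = True
        self.allocated = True

    def enter_smm(self):
        """Modelled on vmx_enter_smm(): stash vmxon into smm.vmxon and clear vmxon.
        Runs for a real SMI and for an SMI injected by userspace alike."""
        self.smm_vmxon = self.vmxon
        self.vmxon = False
        self.in_smm = True

    def rsm(self):
        """Modelled on vmx_leave_smm(): the guest's RSM restores vmxon from the stash."""
        if self.smm_vmxon:
            self.vmxon = True
            self.smm_vmxon = False
        self.in_smm = False

    def leave_nested(self):
        """What the fix invokes before honouring a userspace SMM toggle:
        drop nested operation entirely, releasing the allocations."""
        self.vmxon = self.smm_vmxon = False
        self.allocated = False

    def free_nested_on_destroy(self) -> bool:
        """vCPU teardown: nested allocations are released only if one of the
        two VMXON flags says nested operation is active. Returns True if freed."""
        if not self.vmxon and not self.smm_vmxon:
            return False
        self.leave_nested()
        return True


def userspace_set_smm(model: NestedVmxModel, want_smm: bool, patched: bool):
    """KVM_SET_VCPU_EVENTS with KVM_VCPUEVENT_VALID_SMM. Unpatched, only the
    hflag changes and neither SMM handler runs; patched, KVM forcibly leaves
    nested operation first (hypothetical simplification of the fix)."""
    if model.in_smm != want_smm:
        if patched:
            model.leave_nested()
        model.in_smm = want_smm


def abusive_sequence(patched: bool):
    """The toggle sequence the commit message describes. Returns (model, leaked)."""
    m = NestedVmxModel()
    m.guest_vmxon()                       # guest is post-VMXON
    m.enter_smm()                         # SMI: vmxon moves into smm.vmxon
    userspace_set_smm(m, False, patched)  # userspace forces the vCPU out of SMM
    m.enter_smm()                         # injected SMI: smm.vmxon = vmxon = False
    freed = m.free_nested_on_destroy()    # process exits, vCPU is destroyed
    return m, (m.allocated and not freed)


def normal_sequence():
    """Control: VMXON, SMI, RSM, teardown. Nothing leaks with or without the fix."""
    m = NestedVmxModel()
    m.guest_vmxon()
    m.enter_smm()
    m.rsm()
    return m, m.free_nested_on_destroy()


if __name__ == "__main__":
    for patched in (False, True):
        m, leaked = abusive_sequence(patched)
        print(f"patched={patched}: vmxon={m.vmxon} smm.vmxon={m.smm_vmxon} "
              f"allocated={m.allocated} leaked={leaked}")
```

Run unpatched, the model ends with vmxon and smm.vmxon both false and `allocated` still true, which is exactly the condition under which the real teardown skips freeing and free_loaded_vmcs() warns; with the toggle forcing a leave_nested() first, nothing is left to leak.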

Potential Impact

For European organizations operating cloud infrastructure, data centres or other KVM-heavy environments, the exposure is to host stability rather than to a guest-to-host escape. Each time the corrupted state is reached and the vCPU is destroyed, the host leaks the nested VMX allocations and logs a WARN; repeated in a loop by a local user with /dev/kvm access, that is host kernel memory exhaustion and a denial of service affecting every VM on the host. The commit message also states that some toggles (SMM forced on while L2 is running) put the vCPU in an architecturally impossible state, whose consequences are not characterised beyond instability. The trigger requires the vCPU file descriptor, which only the VMM process on the host holds, so a guest cannot reach it directly; the realistic paths are a malicious or compromised local account that can open /dev/kvm, or a VMM process that has already been compromised through a separate guest escape. Multi-tenant hosts where untrusted users can create VMs, and nested-virtualization setups used for testing, CI or lab work, are the environments most worth prioritising, given how widely Linux and KVM are deployed in European infrastructure.

Mitigation Recommendations

To mitigate CVE-2022-48763, European organizations should:
1) Apply the kernel update that carries the fix ("KVM: x86: Forcibly leave nested virt when SMM state is toggled") on every host that loads kvm_intel or kvm_amd, taking the exact fixed version from the distribution's advisory, and reboot into it.
2) Restrict who can open /dev/kvm. The vulnerable ioctls act on a vCPU file descriptor, so anyone who can create a VM can trigger the bug; some distributions ship the device as mode 0666, so check its mode and group and confine it to the service accounts that run VMMs.
3) Monitor hosts for the signature in the description: a kernel WARNING in free_loaded_vmcs() with kvm_arch_vcpu_destroy() in the call trace, emitted when a VM process exits. On an unpatched host it means the state was reached (by a syzkaller-style program or a misbehaving VMM) and host memory has leaked.
4) Disable nested virtualization (module parameter nested=0 for kvm_intel or kvm_amd) where it is not needed; without it the guest can never be post-VMXON and the nVMX allocations involved are never created.
5) Treat the VMM process, not the guest, as the trust boundary: a guest cannot issue KVM ioctls, so what matters is hardening QEMU or other VMMs (unprivileged users, seccomp, namespaces) so that a guest escape into the VMM does not hand an attacker the vCPU descriptor.
6) After patching, re-run nested-virtualization workloads, including save/restore paths that issue KVM_SET_VCPU_EVENTS before KVM_SET_NESTED_STATE (the ordering the commit message calls out), to confirm migrations still behave.
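The following host-side script covers steps 2, 3 and 4 above. It is an added example, not part of the advisory or of any KVM tooling: the checks are pure functions so they can be exercised on constructed input, `SAMPLE_LOG` is a constructed kernel log modelled on the trace in the description plus one unrelated WARN that must not match, and `main()` applies the checks to the live host, skipping anything that is absent.

```python
"""Host-side checks for CVE-2022-48763 mitigations (added example, not from
the advisory). Pure functions do the work; main() applies them to the host."""
import os
import re
import stat
from pathlib import Path

# Module parameters that enable nested virtualization (mitigation 4).
NESTED_PARAM_FILES = (
    Path("/sys/module/kvm_intel/parameters/nested"),
    Path("/sys/module/kvm_amd/parameters/nested"),
)


def nested_enabled(param_value: str) -> bool:
    """The 'nested' parameter reads Y/N on recent kernels and 1/0 on older ones."""
    return param_value.strip().upper() in ("Y", "1")


def kvm_dev_world_accessible(mode: int) -> bool:
    """True if 'other' may open /dev/kvm (mitigation 2). Any process that can
    open the device can create a VM and vCPU and issue KVM_SET_VCPU_EVENTS."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


# Signature of the bug's WARN (mitigation 3): free_loaded_vmcs() reached from
# the vCPU destroy path, as in the trace quoted in the description.
WARN_RE = re.compile(r"WARNING: CPU: \d+ PID: (\d+) at free_loaded_vmcs")
COMM_RE = re.compile(r"\bComm: (\S+)")


def find_vmcs_leak_warnings(log_lines):
    """Return (pid, comm) for each free_loaded_vmcs WARN whose call trace
    passes through kvm_arch_vcpu_destroy. Input is dmesg/journal text lines."""
    hits = []
    current = None
    for line in log_lines:
        m = WARN_RE.search(line)
        if m:
            current = {"pid": int(m.group(1)), "comm": None, "destroy": False}
            continue
        if current is None:
            continue
        cm = COMM_RE.search(line)
        if cm:
            current["comm"] = cm.group(1)
        if "kvm_arch_vcpu_destroy" in line:
            current["destroy"] = True
        if "</TASK>" in line:
            if current["destroy"]:
                hits.append((current["pid"], current["comm"]))
            current = None
    return hits


# Constructed sample log: the advisory's trace, abbreviated, plus an unrelated
# WARN (PID 4100) that must not be reported.
SAMPLE_LOG = """\
[  123.456789] WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656
[  123.456790] Modules linked in:
[  123.456791] CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0
[  123.456792] Call Trace:
[  123.456793]  <TASK>
[  123.456794]  kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123
[  123.456795]  kvm_destroy_vcpus+0x11f/0x290 virt/kvm/kvm_main.c:460
[  123.456796]  </TASK>
[  140.000000] WARNING: CPU: 2 PID: 4100 at other_function+0x10/0x20 drivers/example.c:1
[  140.000001] CPU: 2 PID: 4100 Comm: example-daemon Not tainted 5.17.0 #0
[  140.000002]  <TASK>
[  140.000003]  unrelated_caller+0x1/0x2
[  140.000004]  </TASK>
""".splitlines()


def main():
    for p in NESTED_PARAM_FILES:
        if p.exists():
            state = "enabled" if nested_enabled(p.read_text()) else "disabled"
            print(f"{p}: nested virtualization {state}")
    if os.path.exists("/dev/kvm"):
        mode = os.stat("/dev/kvm").st_mode
        verdict = "WORLD-ACCESSIBLE" if kvm_dev_world_accessible(mode) else "restricted"
        print(f"/dev/kvm mode {stat.S_IMODE(mode):04o}: {verdict}")
    # On a real host feed the output of `dmesg` or `journalctl -k` instead.
    for pid, comm in find_vmcs_leak_warnings(SAMPLE_LOG):
        print(f"free_loaded_vmcs WARN on vCPU teardown: pid={pid} comm={comm}")


if __name__ == "__main__":
    main()
```

The log matcher deliberately requires kvm_arch_vcpu_destroy() in the same trace block, so generic WARNs from other KVM paths do not page anyone; widen it only if your kernel's symbol names differ.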


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-06-20T11:09:39.060Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982ec4522896dcbe60d3

Added to database: 5/21/2025, 9:09:02 AM

Last enriched: 6/30/2025, 8:43:28 PM

Last updated: 8/13/2025, 8:12:46 PM

Views: 18

