CVE-2022-48765: Vulnerability in the Linux kernel (KVM)
In the Linux kernel, the following vulnerability has been resolved:

KVM: LAPIC: Also cancel preemption timer during SET_LAPIC

The below warning is splatting during guest reboot.

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
 CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5
 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
 Call Trace:
  <TASK>
  kvm_vcpu_ioctl+0x279/0x710 [kvm]
  __x64_sys_ioctl+0x83/0xb0
  do_syscall_64+0x3b/0xc0
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fd39797350b

This can be triggered by not exposing tsc-deadline mode and doing a reboot in the guest. The lapic_shutdown() function which is called in the sys_reboot path will not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears APIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger a timer-mode switch between tsc-deadline and oneshot/periodic, which can result in the preemption timer being cancelled in apic_update_lvtt(). However, we can't depend on this when not exposing tsc-deadline mode and oneshot/periodic modes are emulated by the preemption timer. Qemu will synchronise states around reset, let's cancel the preemption timer under KVM_SET_LAPIC.
AI Analysis
Technical Summary
CVE-2022-48765 is a fix in the x86 KVM subsystem of the Linux kernel, in the emulation of the guest's Local APIC (LAPIC) timer. On Intel hosts KVM can back the guest timer with the hardware VMX preemption timer instead of a software hrtimer; the commit message calls this the preemption timer, and notes that the guest's oneshot and periodic timer modes are emulated with it. The KVM_SET_LAPIC ioctl, which the VMM uses to load a complete LAPIC register state into a vCPU, did not cancel a preemption timer that was still armed for the previous state.

That matters at guest reboot. The guest kernel's lapic_shutdown(), called on the sys_reboot path, only masks the timer entry in the Local Vector Table (LVTT); it does not disarm a pending timer. If TSC-deadline mode is exposed to the guest, clearing LVTT changes the timer-mode bits, KVM's apic_update_lvtt() sees a mode switch and, as a side effect, cancels the preemption timer. If TSC-deadline mode is not exposed (so oneshot/periodic are the only modes, both emulated by the preemption timer), no mode switch happens, the timer stays armed across the reset, and when QEMU synchronises LAPIC state around reset through KVM_SET_LAPIC the stale timer survives. The next KVM_RUN then trips a WARNING in kvm_arch_vcpu_ioctl_run() on the host (arch/x86/kvm/x86.c:10322 on 5.17.0-rc1). The fix cancels the preemption timer in the KVM_SET_LAPIC path, so loaded LAPIC state can never coexist with a timer armed for the state it replaced.

Two points worth keeping straight: the splat is raised in the host kernel, in the qemu-system-x86 task's ioctl path, not inside the guest; and the reproduction in the commit needs nothing more than a guest reboot under a CPU model that lacks tsc-deadline. The warning was captured on 5.17.0-rc1+. The record gives no affected or fixed version ranges, and the CVE was reserved by the kernel CNA on 2024-06-20, well after the 2022 fix, so consult your distribution's advisory for the backport status of the kernel you run. No exploitation in the wild is reported.
Potential Impact
For European organizations running KVM-based virtualization, the exposure is availability, and on the host rather than in the guest. The splat is a kernel WARNING raised in the host's kvm module while it services the VMM's KVM_RUN ioctl. On a host with default settings that is log noise plus whatever inconsistency the stale timer causes for the affected vCPU. On a host that runs with kernel.panic_on_warn=1, which some hardened configurations set, any WARNING panics the kernel, so an ordinary guest reboot becomes a guest-triggerable host crash that takes every co-located VM down with it. That is the multi-tenant denial-of-service concern for cloud providers, hosting companies and enterprise private clouds, and the reason a timer-handling bug carries a CVE at all.

Nothing in the commit message or the fix points to memory corruption, privilege escalation or information disclosure, and no exploitation in the wild is reported. Organizations whose uptime obligations (finance, healthcare, telecommunications) depend on KVM hosts should treat this as a stability and denial-of-service fix to take with the next host kernel update, with priority raised on hosts where panic_on_warn is enabled.
Mitigation Recommendations
To mitigate CVE-2022-48765, European organizations should: 1) Update the host kernel to a build that carries the fix commit "KVM: LAPIC: Also cancel preemption timer during SET_LAPIC". The host kernel is the only component that needs to change: QEMU already synchronises LAPIC state around reset, as the commit notes, and the fix makes KVM handle that synchronisation correctly, so no QEMU update is implied. 2) Until the host is patched, expose TSC-deadline mode to guests. The commit identifies the trigger as a guest that does not have tsc-deadline exposed; with it exposed (QEMU feature name tsc-deadline, included by -cpu host on hardware that has it, visible inside the guest as the tsc_deadline_timer flag in /proc/cpuinfo) the reset path already cancels the timer. This narrows the trigger described in the commit; it is not a fix. 3) Check kernel.panic_on_warn on every KVM host. If it is set, a guest reboot that hits this WARNING panics the host; decide whether that setting is worth keeping on unpatched hosts. 4) Monitor host dmesg or the journal for "WARNING: CPU: ... at arch/x86/kvm/x86.c:... kvm_arch_vcpu_ioctl_run" with a Comm of qemu-system-*; that is this bug's signature. The line number (10322 on 5.17.0-rc1) changes between kernel versions, so match on the file and function, not the number. 5) After patching, reboot-cycle guests that lack tsc-deadline in staging and confirm the warning no longer appears. 6) Keep the usual controls on who can create and reboot guests on shared hosts; the trigger is available to anyone who can reboot a VM. These actions are specific to the bug: the fix is in the host kernel, the trigger is a guest CPU model without tsc-deadline, and the consequence depends on the host's panic_on_warn setting.
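A triage script for the monitoring recommendation above and for the trigger condition stated in the commit message. It is an example written for this page, not code from the kernel tree, QEMU or this site. It scans a host dmesg/journal dump for the splat signature (file and function, not the version-specific line number), checks a guest's /proc/cpuinfo for the tsc_deadline_timer flag, and reads the host's panic_on_warn value. The log lines and cpuinfo excerpts are constructed samples modelled on the splat quoted in the commit; the drivers/net/foo.c warning is a made-up unrelated splat included only to show the filter rejecting it.

```python
"""Triage helpers for CVE-2022-48765 (KVM_SET_LAPIC did not cancel an armed preemption
timer).  Example code written for this page, not taken from the kernel tree or QEMU.
Runs offline on collected artefacts: host dmesg/journal text, a guest's /proc/cpuinfo
and the host's /proc/sys/kernel/panic_on_warn."""
import re
from dataclasses import dataclass
from typing import List, Optional

# First line of an x86 WARN splat; the [module] suffix is absent for built-in code.
WARN_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<file>\S+):(?P<line>\d+) "
    r"(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<module>\w+)\])?")
# Task line that follows it, e.g. "CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5"
TASK_RE = re.compile(
    r"CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:Not tainted|Tainted: .+?) (?P<kernel>\S+) #\d+")


@dataclass
class KernelWarning:
    cpu: int
    pid: int
    file: str
    line: int
    func: str
    module: Optional[str]
    comm: Optional[str] = None
    kernel: Optional[str] = None

    @property
    def matches_cve_signature(self) -> bool:
        # The splat quoted in the fix commit: WARNING in kvm_arch_vcpu_ioctl_run(),
        # arch/x86/kvm/x86.c, kvm module.  The line number (10322 on 5.17.0-rc1)
        # moves between kernel versions, so it is deliberately not matched.
        return (self.file == "arch/x86/kvm/x86.c"
                and self.func == "kvm_arch_vcpu_ioctl_run" and self.module == "kvm")


def find_kernel_warnings(log_text: str) -> List[KernelWarning]:
    """Parse every WARN splat in a dmesg/journal dump and pair it with its task line."""
    found: List[KernelWarning] = []
    current: Optional[KernelWarning] = None
    for raw in log_text.splitlines():
        m = WARN_RE.search(raw)  # search(), so timestamp/journal prefixes do not matter
        if m:
            current = KernelWarning(int(m["cpu"]), int(m["pid"]), m["file"],
                                    int(m["line"]), m["func"], m["module"])
            found.append(current)
            continue
        if current is not None and current.comm is None:
            t = TASK_RE.search(raw)
            if t and int(t["pid"]) == current.pid:
                current.comm, current.kernel = t["comm"], t["kernel"]
    return found


def guest_exposes_tsc_deadline(cpuinfo_text: str) -> bool:
    """/proc/cpuinfo as read INSIDE the guest.  Linux names the CPUID TSC-deadline
    bit 'tsc_deadline_timer'; the commit's trigger is a guest WITHOUT it."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return "tsc_deadline_timer" in line.partition(":")[2].split()
    raise ValueError("no 'flags' line in cpuinfo")


def panic_on_warn_enabled(sysctl_value: str) -> bool:
    """Content of /proc/sys/kernel/panic_on_warn on the HOST.  Non-zero turns the
    WARNING into a host panic, i.e. a guest reboot could take the host down."""
    return int(sysctl_value.strip()) != 0


def triage(host_log: str, guest_cpuinfo: str, host_panic_on_warn: str) -> dict:
    hits = [w for w in find_kernel_warnings(host_log) if w.matches_cve_signature]
    exposes = guest_exposes_tsc_deadline(guest_cpuinfo)
    panics = panic_on_warn_enabled(host_panic_on_warn)
    if hits and panics:
        verdict = "host panic risk: signature seen and panic_on_warn=1, patch the host kernel"
    elif hits:
        verdict = "signature seen; log noise while panic_on_warn=0, still patch"
    elif not exposes:
        verdict = "no splat yet, but guest lacks tsc_deadline_timer so the reboot trigger is open"
    else:
        verdict = "no splat; guest exposes tsc-deadline, the commit's reboot trigger is closed"
    return {"signature_hits": len(hits), "guest_tsc_deadline": exposes,
            "host_panic_on_warn": panics, "verdict": verdict}


# Constructed sample input (not a real capture): the commit's splat with dmesg
# timestamps, plus an unrelated WARNING from a made-up driver to exercise the filter.
SAMPLE_HOST_DMESG = """\
[  812.334191] ------------[ cut here ]------------
[  812.334201] WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]
[  812.334230] CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5
[  812.334244]  kvm_vcpu_ioctl+0x279/0x710 [kvm]
[  900.000001] WARNING: CPU: 2 PID: 77 at drivers/net/foo.c:12 foo_xmit+0x10/0x20 [foo]
[  900.000002] CPU: 2 PID: 77 Comm: kworker/2:1 Not tainted 5.17.0-rc1+ #5
"""
# Constructed guest cpuinfo excerpts: one without and one with the tsc-deadline flag.
SAMPLE_GUEST_CPUINFO_NO_TSCDL = "processor\t: 0\nflags\t\t: fpu apic x2apic hypervisor lahf_lm\n"
SAMPLE_GUEST_CPUINFO_TSCDL = "processor\t: 0\nflags\t\t: fpu apic x2apic tsc_deadline_timer hypervisor\n"

if __name__ == "__main__":
    for w in find_kernel_warnings(SAMPLE_HOST_DMESG):
        print(f"{w.func} ({w.file}:{w.line}) comm={w.comm} cve_signature={w.matches_cve_signature}")
    print(triage(SAMPLE_HOST_DMESG, SAMPLE_GUEST_CPUINFO_NO_TSCDL, "1\n"))
```

On a live host, feed `find_kernel_warnings()` the output of `dmesg` or `journalctl -k`, collect the cpuinfo from inside each guest, and read panic_on_warn from the host. Matching on file and function rather than the line number is the point of the signature: the 10322 in the commit is specific to 5.17.0-rc1 and will not appear on a distribution kernel.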
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux (the Linux kernel CNA)
- Date Reserved: 2024-06-20T11:09:39.060Z
- CISA Enriched: true
- CVSS Version: null (no CVSS score in the record)
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe60e6
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 8:55:53 PM
Last updated: 7/26/2025, 9:47:19 PM
Views: 10
Related Threats
- CVE-2025-49568: Use After Free (CWE-416) in Adobe Illustrator (Medium)
- CVE-2025-49567: NULL Pointer Dereference (CWE-476) in Adobe Illustrator (Medium)
- CVE-2025-49564: Stack-based Buffer Overflow (CWE-121) in Adobe Illustrator (High)
- CVE-2025-49563: Out-of-bounds Write (CWE-787) in Adobe Illustrator (High)
- CVE-2025-32086: Escalation of Privilege in Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX (Medium)