
CVE-2022-48890: Vulnerability in the Linux kernel (vendor: Linux, product: Linux)

High
Published: Wed Aug 21 2024 (08/21/2024, 06:10:22 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: storvsc: Fix swiotlb bounce buffer leak in confidential VM

storvsc_queuecommand() maps the scatter/gather list using scsi_dma_map(), which in a confidential VM allocates swiotlb bounce buffers. If the I/O submission fails in storvsc_do_io(), the I/O is typically retried by higher level code, but the bounce buffer memory is never freed. The most likely cause of I/O submission failure is a full VMBus channel ring buffer, which is not uncommon under high I/O loads. Eventually enough bounce buffer memory leaks that the confidential VM can't do any I/O. The same problem can arise in a non-confidential VM with kernel boot parameter swiotlb=force. Fix this by doing scsi_dma_unmap() in the case of an I/O submission error, which frees the bounce buffer memory.

AI-Powered Analysis

AI last updated: 06/30/2025, 23:25:19 UTC

Technical Analysis

CVE-2022-48890 is a vulnerability in the Linux kernel's SCSI subsystem, specifically in the storvsc driver, the VMBus storage driver used by Linux guests running on Microsoft Hyper-V. The flaw lies in how scatter/gather lists are handled during I/O in confidential virtual machines (VMs), or in non-confidential VMs booted with the kernel parameter swiotlb=force. storvsc_queuecommand() maps the scatter/gather list with scsi_dma_map(), which under swiotlb allocates bounce buffers for the DMA transfer. When the I/O submission fails in storvsc_do_io(), typically because the VMBus channel ring buffer is full under high I/O load, the higher-level SCSI code retries the I/O, but the bounce buffers allocated for the failed attempt are never freed. Each failed submission therefore leaks bounce buffer memory. Over time the leak exhausts the bounce buffer pool, the VM can no longer perform any I/O, and the result is a denial of service (DoS). The fix calls scsi_dma_unmap() on the I/O submission error path so that the bounce buffer memory is released before the retry. The issue is relevant to Linux guests on Hyper-V with confidential VM features enabled, or with swiotlb=force set, which forces software bounce buffers for all DMA. No exploits are reported in the wild as of the publication date, and no CVSS score has been assigned yet.
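The leak described above, modelled as an added toy example (this is not the kernel's or the storvsc driver's code): bounce buffers are only counted, the VMBus ring is an integer of free slots, and `toy_dma_map`, `toy_dma_unmap`, `toy_do_io`, `toy_queuecommand` and `leaked_after` are constructed stand-ins for the kernel functions named in the description. Running the same submission sequence with the error-path unmap disabled and enabled shows how many bounce buffers remain outstanding after every accepted I/O has completed.

```c
#include <stdbool.h>

/* Toy model (not kernel code) of the storvsc path that CVE-2022-48890
 * fixes. Bounce buffers are only counted; the VMBus ring is an int. */
static int bounce_in_use;   /* outstanding swiotlb bounce buffers */

/* Stand-ins for scsi_dma_map()/scsi_dma_unmap() under swiotlb. */
static void toy_dma_map(void)   { bounce_in_use++; }
static void toy_dma_unmap(void) { bounce_in_use--; }

/* Stand-in for storvsc_do_io(): rejects the I/O when the ring is full. */
static int toy_do_io(int *ring_free)
{
    if (*ring_free <= 0)
        return -1;
    (*ring_free)--;
    return 0;
}

/* One storvsc_queuecommand()-style attempt. With fixed == false the
 * bounce buffer stays mapped after a submission error (the leak). */
static int toy_queuecommand(int *ring_free, bool fixed)
{
    toy_dma_map();
    if (toy_do_io(ring_free) != 0) {
        if (fixed)
            toy_dma_unmap();   /* the fix: scsi_dma_unmap() on error */
        return -1;             /* upper layers will retry later */
    }
    return 0;                  /* unmapped later, on completion */
}

/* Push `requests` I/Os at a ring with `ring_slots` entries that is not
 * drained until the end, then complete everything that was accepted.
 * Returns how many bounce buffers are still outstanding: the leak. */
int leaked_after(int ring_slots, int requests, bool fixed)
{
    int ring_free = ring_slots, inflight = 0;
    bounce_in_use = 0;
    for (int i = 0; i < requests; i++)
        if (toy_queuecommand(&ring_free, fixed) == 0)
            inflight++;
    for (; inflight > 0; inflight--) {   /* normal completion path */
        toy_dma_unmap();
        ring_free++;
    }
    return bounce_in_use;
}
```

With a 4-slot ring and 10 requests, the unfixed path leaves 6 bounce buffers outstanding (one per rejected submission) while the fixed path leaves none, which is the whole difference the patch makes.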

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those using Linux virtual machines on Microsoft Hyper-V infrastructure, especially when confidential VM features are enabled or swiotlb=force is used. The impact manifests as a denial of service due to exhaustion of bounce buffer memory, which can halt I/O operations within affected VMs. This can disrupt critical services hosted on these VMs, leading to downtime and potential operational losses. Confidential VMs are often used in environments requiring enhanced security and data protection, such as financial institutions, healthcare providers, and government agencies. A DoS in such environments could interrupt sensitive workloads and impact compliance with data protection regulations like GDPR. Although no direct data breach or integrity compromise is indicated, the availability impact can be significant, especially under high I/O load conditions. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits targeting this vulnerability to cause service disruption.

Mitigation Recommendations

Organizations should promptly apply the Linux kernel patches that address CVE-2022-48890 so that bounce buffer memory is freed on I/O submission failures. For confidential VMs on Hyper-V, verify that the running kernel version includes this fix. Monitor I/O latency and VMBus channel ring buffer utilization to detect the sustained high-load conditions under which submissions fail and the leak accumulates. Avoid the swiotlb=force kernel parameter unless it is actually required, because it makes non-confidential VMs subject to the same leak. Track swiotlb bounce buffer usage and alert on steady growth, which is the early sign of this leak. Where patching is delayed, reduce I/O load or redistribute workloads to lower the chance of ring buffer saturation. Regularly review virtualization host and guest configurations against security best practices, and follow Linux distribution vendors' advisories for backported fixes.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-08-21T06:06:23.290Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d982fc4522896dcbe64ed

Added to database: 5/21/2025, 9:09:03 AM

Last enriched: 6/30/2025, 11:25:19 PM

Last updated: 7/26/2025, 9:03:50 PM
