CVE-2022-49219: Vulnerability in the Linux kernel (vfio-pci)

Severity: High
Published: Wed Feb 26 2025 (02/26/2025, 01:55:52 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved: vfio/pci: fix memory leak during D3hot to D0 transition If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For saving the PCI state locally, pci_store_saved_state() is being used and the pci_load_and_free_saved_state() will free the allocated memory. But for reset related IOCTLs, vfio driver calls PCI reset-related API's which will internally change the PCI power state back to D0. So, when the guest resumes, then it will get the current state as D0 and it will skip the call to vfio_pci_set_power_state() for changing the power state to D0 explicitly. In this case, the memory pointed by 'pm_save' will never be freed. In a malicious sequence, the state changing to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be run in a loop and it can cause an OOM situation. This patch frees the earlier allocated memory first before overwriting 'pm_save' to prevent the mentioned memory leak.

AI-Powered Analysis

Last updated: 06/30/2025, 04:26:06 UTC

Technical Analysis

CVE-2022-49219 is a kernel memory leak in the Linux vfio-pci driver, in the code that tracks PCI power-management state on behalf of a user-space device owner. VFIO (Virtual Function I/O) exposes a PCI device directly to user space, normally so that a hypervisor such as QEMU can assign it to a virtual machine.

The leak sits in the handling of transitions between D0 (fully powered) and D3hot (low power). If the device does not set the No_Soft_Reset bit in its PMCSR (Power Management Control and Status Register), the driver records this in 'vfio_pci_core_device::needs_pm_restore' and must restore the device's configuration after it comes back from D3hot. On a D0->D3hot transition vfio_pci_set_power_state() therefore saves the configuration with pci_store_saved_state(), which allocates a buffer and stores its pointer in 'vfio_pci_core_device::pm_save'. On the matching D3hot->D0 transition the same function calls pci_load_and_free_saved_state(), which restores the configuration and frees that buffer.

The reset ioctls (VFIO_DEVICE_RESET and VFIO_DEVICE_PCI_HOT_RESET) break this pairing. The PCI reset helpers they call bring the device back to D0 themselves, so the device's current state becomes D0 without passing through the vfio D3hot->D0 path. When the guest later resumes, vfio-pci sees the device already in D0, skips the explicit vfio_pci_set_power_state() call to D0, and pci_load_and_free_saved_state() never runs. 'pm_save' still points at the old buffer, and the next D0->D3hot transition overwrites that pointer with a fresh allocation, orphaning the old one. A process that owns the VFIO device (or a guest whose PMCSR writes and reset requests the VMM forwards) can repeat the sequence D3hot, reset, D3hot, reset in a loop and leak one buffer per iteration until the host runs out of memory. The outcome is an out-of-memory condition and denial of service on the host, not code execution or information disclosure.

The fix frees any existing 'pm_save' buffer before overwriting it on the D3hot transition. The CVE record gives no explicit affected version range: kernels that build vfio-pci and predate the fix commit are affected, and only hosts that actually hand PCI devices to user space through VFIO are exposed.
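The leak is easier to see in a small user-space model of the bookkeeping described above. The following is an added example, not kernel code and not taken from the vfio-pci source: the struct, the `model_*` helpers and the counters are simplified stand-ins for 'vfio_pci_core_device::pm_save', pci_store_saved_state() and pci_load_and_free_saved_state(), and the `fixed` flag switches between the buggy pointer overwrite and the patched behaviour that frees the stale buffer first.

```c
/* Added example: user-space model of the vfio-pci pm_save leak (not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum pci_power { PCI_D0 = 0, PCI_D3hot = 3 };

/* Stand-in for the buffer pci_store_saved_state() allocates (constructed). */
struct saved_state {
    unsigned char cfg[256]; /* pretend copy of config space */
};

/* The fields of vfio_pci_core_device / pci_dev that matter here (assumed names). */
struct model_vdev {
    enum pci_power current_state; /* pdev->current_state */
    bool needs_pm_restore;        /* No_Soft_Reset clear in PMCSR */
    struct saved_state *pm_save;  /* vdev->pm_save */
};

/* Number of saved-state buffers currently allocated, so the leak is measurable. */
static long live_buffers;

static struct saved_state *model_store_saved_state(void)
{
    struct saved_state *s = calloc(1, sizeof(*s));
    if (!s)
        abort();
    live_buffers++;
    return s;
}

static void model_free_saved_state(struct saved_state **pp)
{
    if (*pp) {
        free(*pp);
        *pp = NULL;
        live_buffers--;
    }
}

/* Models vfio_pci_set_power_state(); 'fixed' selects the patched behaviour. */
static void model_set_power_state(struct model_vdev *vdev, enum pci_power state, bool fixed)
{
    bool needs_save = false, needs_restore = false;

    if (vdev->needs_pm_restore) {
        if (vdev->current_state < PCI_D3hot && state >= PCI_D3hot)
            needs_save = true;
        if (vdev->current_state >= PCI_D3hot && state <= PCI_D0)
            needs_restore = true;
    }

    vdev->current_state = state; /* pci_set_power_state() succeeded */

    if (needs_save) {
        /* Fix: release whatever pm_save still references before overwriting it.
         * Without this, a stale pm_save is overwritten and its buffer is orphaned. */
        if (fixed)
            model_free_saved_state(&vdev->pm_save);
        vdev->pm_save = model_store_saved_state();
    } else if (needs_restore) {
        /* pci_load_and_free_saved_state(): restore config, then free the buffer. */
        model_free_saved_state(&vdev->pm_save);
    }
}

/* Models VFIO_DEVICE_RESET / VFIO_DEVICE_PCI_HOT_RESET: the PCI reset helpers
 * return the device to D0 on their own, bypassing the vfio restore path. */
static void model_device_reset(struct model_vdev *vdev)
{
    vdev->current_state = PCI_D0;
}

/* Runs the D3hot+reset loop 'iterations' times, releases the device, and
 * returns how many buffers are no longer reachable from anything. */
static long run_malicious_sequence(int iterations, bool fixed)
{
    struct model_vdev vdev = { .current_state = PCI_D0, .needs_pm_restore = true };

    live_buffers = 0;
    for (int i = 0; i < iterations; i++) {
        model_set_power_state(&vdev, PCI_D3hot, fixed); /* guest PMCSR write: D3hot */
        model_device_reset(&vdev);                      /* reset ioctl: device is in D0 */
        /* Guest resumes, sees D0: no set_power_state(PCI_D0) call, nothing frees pm_save. */
    }
    model_free_saved_state(&vdev.pm_save); /* device release frees the last buffer only */
    return live_buffers;
}

/* Control case: plain D3hot -> D0 round trips without a reset never leak. */
static long run_normal_sequence(int iterations, bool fixed)
{
    struct model_vdev vdev = { .current_state = PCI_D0, .needs_pm_restore = true };

    live_buffers = 0;
    for (int i = 0; i < iterations; i++) {
        model_set_power_state(&vdev, PCI_D3hot, fixed);
        model_set_power_state(&vdev, PCI_D0, fixed);
    }
    return live_buffers;
}

int main(void)
{
    printf("vulnerable: %ld buffers leaked after 1000 D3hot+reset iterations\n",
           run_malicious_sequence(1000, false));
    printf("fixed:      %ld buffers leaked after 1000 D3hot+reset iterations\n",
           run_malicious_sequence(1000, true));
    printf("control:    %ld buffers leaked after 1000 normal round trips\n",
           run_normal_sequence(1000, false));
    return 0;
}
```

The control case shows why the bug went unnoticed: a well-behaved guest always leaves D3hot through the vfio D0 path, which frees the buffer, so only the reset shortcut orphans it. In the real kernel each orphaned buffer is a kmalloc'd copy of the device's saved config state, so the per-iteration cost is small and an attacker needs a long loop; the point is that nothing bounds that loop.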

Potential Impact

For European organizations, the impact of CVE-2022-49219 is confined to hosts that use Linux VFIO PCI passthrough: cloud providers, data centres and enterprises that assign GPUs, NICs or other PCI devices to virtual machines. Successful exploitation exhausts host kernel memory, so the blast radius is every VM and service on that host, not only the VM that owns the device. Confidentiality and integrity are affected only indirectly, for example if an outage forces failover to less protected systems or interrupts monitoring. Triggering the leak requires the ability to drive VFIO ioctls against the device, which means either local access to the host as the VMM user or control of a guest whose PMCSR writes and reset requests the VMM forwards; the risk therefore comes from malicious or compromised tenants and insiders rather than from remote, unauthenticated attackers. No exploitation in the wild is reported. Sectors that run dense passthrough workloads on shared hosts, such as finance, telecommunications and critical infrastructure, face the largest availability risk.

Mitigation Recommendations

To mitigate CVE-2022-49219, European organizations should:

1) Run a kernel that contains the fix ("vfio/pci: fix memory leak during D3hot to D0 transition"). The fix was merged upstream in 2022 and has been carried into stable and distribution kernels since; confirm its presence in the running kernel's changelog or source rather than waiting for a new patch. Hosts that do not build vfio-pci or do not assign PCI devices to user space are not exposed.
2) Restrict who can open VFIO devices: limit ownership of the /dev/vfio/* device nodes and of the IOMMU groups to the hypervisor service account, so only trusted VMM processes can issue VFIO ioctls.
3) Treat guests with assigned PCI devices as able to trigger the sequence. The guest does not call the ioctls itself, but its PMCSR writes and reset requests are forwarded by the VMM, so on unpatched hosts limit device passthrough to trusted tenants.
4) Monitor host kernel memory on passthrough hosts: unexplained growth in slab usage (for example the Slab and SUnreclaim lines of /proc/meminfo) correlated with repeated device resets, and OOM-killer events in the kernel log, are the observable symptoms. Note that the leaked memory is kernel memory, so per-process or cgroup memory limits on the VMM will probably not contain it.
5) Use kernel security modules (SELinux, AppArmor) to constrain which device nodes the VMM process may open, in addition to the file-permission controls above.
6) Regularly audit virtualization host configurations and keep hypervisor and kernel components on supported, updated versions.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-02-26T01:49:39.292Z
CISA Enriched: false
CVSS Version: null (no CVSS score in the CVE record)
State: PUBLISHED

Threat ID: 682d982dc4522896dcbe52ec

Added to database: 5/21/2025, 9:09:01 AM

Last enriched: 6/30/2025, 4:26:06 AM

Last updated: 7/26/2025, 1:02:04 PM
