{
  "threat_severity" : "Moderate",
  "public_date" : "2025-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache",
    "id" : "2363408",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2363408"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nKVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache\nReject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.\nNot checking the active flag during refresh is particularly egregious, as\nKVM can end up with a valid, inactive cache, which can lead to a variety\nof use-after-free bugs, e.g. consuming a NULL kernel pointer or missing\nan mmu_notifier invalidation due to the cache not being on the list of\ngfns to invalidate.\nNote, \"active\" needs to be set if and only if the cache is on the list\nof caches, i.e. is reachable via mmu_notifier events.  If a relevant\nmmu_notifier event occurs while the cache is \"active\" but not on the\nlist, KVM will not acquire the cache's lock and so will not serialize\nthe mmu_notifier event with active users and/or kvm_gpc_refresh().\nA race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND\ncan be exploited to trigger the bug.\n1. Deactivate shinfo cache:\nkvm_xen_hvm_set_attr\ncase KVM_XEN_ATTR_TYPE_SHARED_INFO\nkvm_gpc_deactivate\nkvm_gpc_unmap\ngpc->valid = false\ngpc->khva = NULL\ngpc->active = false\nResult: active = false, valid = false\n2. Cause cache refresh:\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\nkvm_xen_hvm_evtchn_send\nkvm_xen_set_evtchn\nkvm_xen_set_evtchn_fast\nkvm_gpc_check\nreturn -EWOULDBLOCK because !gpc->valid\nkvm_xen_set_evtchn_fast\nreturn -EWOULDBLOCK\nkvm_gpc_refresh\nhva_to_pfn_retry\ngpc->valid = true\ngpc->khva = not NULL\nResult: active = false, valid = true\n3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl\nKVM_XEN_ATTR_TYPE_SHARED_INFO:\nkvm_arch_vm_ioctl\ncase KVM_XEN_HVM_EVTCHN_SEND\nkvm_xen_hvm_evtchn_send\nkvm_xen_set_evtchn\nkvm_xen_set_evtchn_fast\nread_lock gpc->lock\nkvm_xen_hvm_set_attr case\nKVM_XEN_ATTR_TYPE_SHARED_INFO\nmutex_lock kvm->lock\nkvm_xen_shared_info_init\nkvm_gpc_activate\ngpc->khva = NULL\nkvm_gpc_check\n[ Check passes because gpc->valid is\nstill true, even though gpc->khva\nis already NULL. ]\nshinfo = gpc->khva\npending_bits = shinfo->evtchn_pending\nCRASH: test_and_set_bit(..., pending_bits)" ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6583",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-362.8.1.el9_3"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49882\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49882\nhttps://lore.kernel.org/linux-cve-announce/2025050155-CVE-2022-49882-6046@gregkh/T" ],
  "name" : "CVE-2022-49882",
  "csaw" : false
}