Cyber Resilience

CVE-2022-0171

Medium

Published: 26 August 2022

Published
26 August 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0016 36.4th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-0171 is a medium-severity Incomplete Cleanup (CWE-459) vulnerability in Linux Linux Kernel. Its CVSS base score is 5.5 (Medium).

Operationally, ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports…

more

Secure Encrypted Virtualization (SEV).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

linux
linux kernel
5.18 · ≤ 5.18
redhat
enterprise linux
8.0, 9.0
debian
debian linux
10.0, 11.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-212 CWE-459

Retention policies enforce removal or sanitization of sensitive data before storage or transfer per regulatory requirements.

addresses: CWE-212 CWE-459

The generate-on-demand-and-delete requirement enforces removal of sensitive information before storage or transfer, preventing improper retention.

addresses: CWE-212 CWE-459

Requires explicit removal of sensitive information prior to component transfer or disposal, reducing exposure from retained data.

addresses: CWE-212

Eradication of spilled information from contaminated systems mitigates the effects of improper removal of sensitive data before storage or transfer.

addresses: CWE-212

The control requires verified removal of sensitive data before media is made available at a reduced classification level, directly addressing improper removal prior to storage or transfer.

addresses: CWE-212

Explicit procedures to delete inaccurate or outdated PII directly mitigate improper removal of sensitive information before storage or transfer.

addresses: CWE-459

Mandates complete sanitization during cleanup so that shared resources (memory, caches, buffers) do not retain data across subjects.

addresses: CWE-459

Termination of the non-persistent artifact guarantees cleanup of temporary state, directly countering incomplete cleanup weaknesses.

References