Cyber Resilience

CVE-2022-49556

High

Published: 26 February 2025

Modified: 22 January 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0008 (24.3rd percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-49556 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Credential Dumping (T1003). The CVE ranks at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-49556 is a vulnerability in the Linux kernel's KVM SVM component, specifically affecting certain SEV ioctl interfaces. The issue occurs when the length parameter passed to these interfaces is less than or equal to SEV_FW_BLOB_MAX_SIZE but larger than the data returned by the PSP firmware. In such cases, kmalloc allocates memory sized to the input length, but the firmware does not fully overwrite the buffer, resulting in the leakage of uninitialized kernel slab memory to userspace.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) in an unchanged security scope (S:U). Exploitation enables high confidentiality impact through disclosure of sensitive kernel memory (C:H), with no integrity impact (I:N) but high availability impact (A:H), yielding a CVSS v3.1 base score of 7.1.

Mitigation involves patches that replace kmalloc with kzalloc for the affected SEV ioctl interfaces, ensuring zero-initialization of allocated memory to prevent uninitialized data leaks. These fixes are backported to stable kernel releases via commits such as 401bef1f95de92c3a8c6eece46e02fa88d7285ee, 57a01725339f9d82b099102ba2751621b1caab93, bbdcc644b59e01e98c68894a9fab42b9687f42b0, d22d2474e3953996f03528b84b7f52cc26a39403, and d8fdb4b24097472ff6b3c0559448200d420b1418.
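The allocation pattern described above, as an added userspace model (not kernel code and not taken from the referenced commits). The `sim_*` helpers, the byte patterns, the model value of `SEV_FW_BLOB_MAX_SIZE` and the assumption that the copy-out uses the caller-supplied length are all constructed for illustration.

```c
/* Added illustration: userspace model of the allocation pattern, not kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEV_FW_BLOB_MAX_SIZE 0x4000   /* name from the advisory; value assumed for the model */
#define STALE 0x5A                    /* constructed "previous owner" data */
#define FW    0xAA                    /* constructed firmware output byte */

static unsigned char slab[SEV_FW_BLOB_MAX_SIZE];  /* stands in for a recycled slab object */

/* Hypothetical stand-ins for kmalloc()/kzalloc(): both return the same recycled object. */
static void *sim_kmalloc(size_t len) { return len <= sizeof slab ? slab : NULL; }
static void *sim_kzalloc(size_t len)
{
    void *p = sim_kmalloc(len);
    if (p)
        memset(p, 0, len);
    return p;
}

/* Models one ioctl: allocate user_len, firmware writes fw_len, user_len bytes are
 * copied out. Returns how many stale bytes reached the caller, or (size_t)-1 if rejected. */
size_t sev_ioctl_model(int use_kzalloc, size_t user_len, size_t fw_len, unsigned char *out)
{
    size_t i, stale = 0;
    unsigned char *blob;

    if (user_len > SEV_FW_BLOB_MAX_SIZE || fw_len > user_len)
        return (size_t)-1;
    memset(slab, STALE, sizeof slab);           /* object was used and freed earlier */
    blob = use_kzalloc ? sim_kzalloc(user_len) : sim_kmalloc(user_len);
    memset(blob, FW, fw_len);                   /* firmware fills only what it returns */
    memcpy(out, blob, user_len);                /* model assumption: copy-out uses input length */
    for (i = fw_len; i < user_len; i++)
        stale += (out[i] == STALE);
    return stale;
}

int main(void)
{
    unsigned char out[64];
    printf("kmalloc-style: %zu stale bytes\n", sev_ioctl_model(0, sizeof out, 16, out));
    printf("kzalloc-style: %zu stale bytes\n", sev_ioctl_model(1, sizeof out, 16, out));
    return 0;
}
```

In the model, the input length passes the maximum-size check in both cases; only the zeroing allocation stops the unwritten tail of the buffer from carrying earlier contents out to the caller.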

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak

For some sev ioctl interfaces, the length parameter that is passed may be less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the allocated buffer, these sev ioctl interfaces may return uninitialized kernel slab memory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1003 · OS Credential Dumping · Credential Access
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

T1552 · Unsecured Credentials · Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Kernel memory disclosure directly enables OS credential dumping and access to unsecured credentials stored in slab allocations.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57905 · Same product: Linux Linux Kernel
CVE-2022-49411 · Same product: Linux Linux Kernel
CVE-2025-71152 · Same product: Linux Linux Kernel
CVE-2026-31558 · Same product: Linux Linux Kernel
CVE-2026-23457 · Same product: Linux Linux Kernel
CVE-2022-49551 · Same product: Linux Linux Kernel
CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2024-57910 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2022-49170 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.7 — 5.10.124 · 5.11 — 5.15.45 · 5.16 — 5.17.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of kernel flaws like improper kmalloc usage in SEV ioctl interfaces, directly preventing uninitialized slab memory leaks through patches employing kzalloc.

prevent

SI-16 requires memory protection mechanisms that prevent unauthorized disclosure of kernel memory, comprehensively addressing leaks of uninitialized slab data to userspace via affected ioctls.

detect

RA-5 enables vulnerability scanning to identify kernel CVEs like CVE-2022-49556, facilitating remediation to mitigate exploitation of SEV ioctl memory leaks.
