CVE-2022-49556
Published: 26 February 2025
Summary
CVE-2022-49556 is a high-severity vulnerability in the Linux kernel (no CWE is assigned on this page, so the weakness type is unspecified). Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique OS Credential Dumping (T1003). It is ranked at the 24.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-49556 is a vulnerability in the Linux kernel's KVM SVM component, specifically in several SEV ioctl interfaces. The issue occurs when the caller-supplied length is less than or equal to SEV_FW_BLOB_MAX_SIZE but larger than the data the PSP firmware actually returns. The kernel allocates the buffer with kmalloc, sized to the input length rather than to the response, and the firmware writes only its own (shorter) response into it; the remainder of the buffer still holds whatever the previous occupant of that slab object left behind, and that stale kernel memory is returned to userspace along with the real data.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), requiring only local access (AV:L) in an unchanged security scope (S:U). Exploitation yields high confidentiality impact through disclosure of kernel memory (C:H), no integrity impact (I:N) and high availability impact (A:H); the resulting vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H gives the base score of 7.1.
The fix replaces kmalloc with kzalloc in the affected SEV ioctl interfaces, so the allocated buffer is zero-filled and any bytes the firmware does not overwrite are returned as zeros rather than as stale slab contents. The fix was backported to stable kernel releases via commits 401bef1f95de92c3a8c6eece46e02fa88d7285ee, 57a01725339f9d82b099102ba2751621b1caab93, bbdcc644b59e01e98c68894a9fab42b9687f42b0, d22d2474e3953996f03528b84b7f52cc26a39403 and d8fdb4b24097472ff6b3c0559448200d420b1418.
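The allocation pattern described above, and the kzalloc fix, as an added userspace model (this is illustrative code written for this page, not the kernel's SEV code). It assumes a toy "slab" arena that recycles memory without clearing it, a fake PSP that always writes a hypothetical 64-byte report and ignores the extra space, and a memcpy standing in for copy_to_user; all fake_/model_ names are assumptions. A third mode shows the effect of the system-wide init_on_alloc hardening on the unpatched code path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the SEV ioctl allocation pattern.  Everything here is a userspace
 * stand-in: a recycled "slab" arena, a fake PSP, and a fake copy_to_user.
 * Names prefixed fake_/model_ are assumptions, not kernel APIs. */
#define SEV_FW_BLOB_MAX_SIZE 16384   /* bound named in the commit message */
#define ARENA_SIZE 65536
#define PSP_REPORT_LEN 64            /* hypothetical size of what the firmware writes */
#define STALE_BYTE 0x5a              /* constructed "previous object" residue */

static uint8_t arena[ARENA_SIZE];
static size_t arena_top;
static int init_on_alloc;            /* models the kernel's init_on_alloc=1 hardening */

/* Reset the arena so every allocation hands back recognisable stale data. */
static void arena_reset(void)
{
    memset(arena, STALE_BYTE, sizeof arena);
    arena_top = 0;
}

/* kmalloc-like: returns memory still holding the previous occupant's bytes,
 * unless the system-wide init_on_alloc hardening is on. */
static void *fake_kmalloc(size_t len)
{
    if (len > ARENA_SIZE - arena_top)
        return NULL;
    void *p = arena + arena_top;
    arena_top += len;
    if (init_on_alloc)
        memset(p, 0, len);
    return p;
}

/* kzalloc-like: the patched code path, always zero-filled. */
static void *fake_kzalloc(size_t len)
{
    void *p = fake_kmalloc(len);
    if (p)
        memset(p, 0, len);
    return p;
}

/* Fake PSP command: fills PSP_REPORT_LEN bytes and leaves the rest untouched,
 * which is the behaviour the advisory attributes to the real firmware. */
static void fake_psp_issue_cmd(uint8_t *blob, size_t blob_len)
{
    size_t n = blob_len < PSP_REPORT_LEN ? blob_len : PSP_REPORT_LEN;
    for (size_t i = 0; i < n; i++)
        blob[i] = (uint8_t)i;
}

/* Ioctl shape from the commit message: allocate len bytes, issue the command,
 * copy len bytes back.  Returns bytes copied to user_out, or -1 on error. */
static int model_sev_ioctl(size_t len, uint8_t *user_out, int use_kzalloc)
{
    if (len == 0 || len > SEV_FW_BLOB_MAX_SIZE)
        return -1;                                   /* -EINVAL in the kernel */
    uint8_t *blob = use_kzalloc ? fake_kzalloc(len) : fake_kmalloc(len);
    if (!blob)
        return -1;                                   /* -ENOMEM */
    fake_psp_issue_cmd(blob, len);
    memcpy(user_out, blob, len);                     /* stands in for copy_to_user */
    return (int)len;
}

/* Count bytes past the firmware data that still carry the stale marker.
 * mode: 0 = unpatched kmalloc, 1 = patched kzalloc, 2 = unpatched + init_on_alloc=1. */
static size_t leaked_bytes(size_t len, int mode)
{
    static uint8_t user_buf[SEV_FW_BLOB_MAX_SIZE];
    size_t leaked = 0;
    arena_reset();
    init_on_alloc = (mode == 2);
    int n = model_sev_ioctl(len, user_buf, mode == 1);
    for (int i = PSP_REPORT_LEN; i < n; i++)
        if (user_buf[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unpatched kmalloc, len=4096:  %zu stale bytes to userspace\n", leaked_bytes(4096, 0));
    printf("patched kzalloc,   len=4096:  %zu stale bytes to userspace\n", leaked_bytes(4096, 1));
    printf("unpatched + init_on_alloc=1:  %zu stale bytes to userspace\n", leaked_bytes(4096, 2));
    return 0;
}
```

Only the gap between the firmware's response and the requested length leaks, so a request whose length exactly matches the response leaks nothing; the kzalloc path and the init_on_alloc=1 path both return zeros for that gap, which is why the latter is worth checking on hosts that cannot take the patch immediately.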
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-54676
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak. For some sev ioctl interfaces, the length parameter that is passed may be less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the allocated buffer, these sev ioctl interfaces may return uninitialized kernel slab memory.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stale slab bytes returned by these ioctls are whatever earlier kernel objects left in those allocations, which can include credential material (keys, tokens, password hashes) that happened to occupy the same slab; that residual-data path is why the mapping is to OS Credential Dumping (T1003) and Unsecured Credentials. The attacker does not choose what lands in the buffer, so the leak is opportunistic rather than targeted.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) requires that flaws such as this one be identified, reported and corrected promptly; for CVE-2022-49556 that means deploying a kernel that carries the kzalloc patch for the affected SEV ioctl interfaces.
SI-16 (Memory Protection) covers mechanisms that limit what memory an unauthorized party can read. It does not remove the missing zero-initialization itself, but a kernel booted with init_on_alloc=1 (or built with CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y) zero-fills every slab and page allocation, so these ioctls return zeros instead of stale slab data even before the patch is applied; that hardening is the control-level counterpart of the kzalloc fix and is worth verifying on SEV hosts that cannot be rebooted into a fixed kernel immediately.
RA-5 (Vulnerability Monitoring and Scanning) covers the scanning that finds hosts still running a kernel without the fix for CVE-2022-49556 so that they can be updated.