CVE-2022-2196 — Initialization of a Resource with an Insecure Default in Kernel
Severity
8.8HIGHNVD
OSV5.5
EPSS
0.0%
top 87.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 9
Latest updateFeb 14
Description
A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 2.0 | Impact: 6.0
Affected Packages13 packages
Also affects: Debian Linux 10.0
Patches
🔴Vulnerability Details
14OSV▶
linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4, linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities↗2023-03-29