CVE-2022-45869 in Linux
Summary
by MITRE • 11/30/2022
A race condition in the x86 KVM subsystem in the Linux kernel through 6.1-rc6 allows guest OS users to cause a denial of service (host OS crash or host OS memory corruption) when nested virtualisation and the TDP MMU are enabled.
Analysis
by VulDB Data Team • 10/17/2025
The vulnerability identified as CVE-2022-45869 represents a critical race condition within the x86 KVM (Kernel-based Virtual Machine) subsystem of the Linux kernel, affecting versions through 6.1-rc6. This flaw specifically manifests when nested virtualization is enabled alongside the Translation Directory Pointer (TDP) MMU feature, creating a dangerous scenario where guest operating systems can exploit timing inconsistencies to compromise host system stability. The race condition occurs at the intersection of virtual memory management and hardware virtualization controls, making it particularly insidious as it operates at the kernel level where system integrity is paramount.
The technical implementation of this vulnerability stems from improper synchronization mechanisms within the KVM subsystem's handling of nested virtualization contexts. When TDP MMU is active, the kernel maintains translation tables that map guest virtual addresses to host physical addresses through a hierarchical directory structure. The race condition emerges during the process of updating these translation tables while simultaneously managing nested page table walks, creating a window where concurrent operations can corrupt the memory structures used for address translation. This flaw falls under CWE-362, which specifically addresses race conditions in concurrent execution environments. It aligns with ATT&CK techniques T1499.001 for network denial of service and T1059.003 for command and scripting interpreter, as attackers can leverage this vulnerability to cause system instability and potentially gain further control through subsequent exploitation attempts.
The operational impact of CVE-2022-45869 extends beyond simple denial of service scenarios, as it can lead to complete host OS crashes or memory corruption that may persist across system reboots. Host systems running virtualized environments with nested virtualization enabled become particularly vulnerable, affecting cloud providers, server farms, and enterprise deployments that rely on nested virtualization for resource isolation and testing environments. The vulnerability is especially concerning in multi-tenant cloud environments where guest VMs from different users can potentially exploit this race condition to affect other virtual machines sharing the same physical host. Memory corruption resulting from this vulnerability can manifest as kernel oops, page faults, or more severe system crashes that require complete host reboot for recovery, creating significant availability issues for virtualized workloads.
Mitigation strategies for CVE-2022-45869 should focus on both immediate patching and operational controls to reduce exposure risk. The most effective immediate solution involves upgrading to Linux kernel versions 6.1 or later where the race condition has been addressed through improved synchronization mechanisms and proper locking of translation table updates during nested virtualization operations. Organizations should also consider disabling nested virtualization and TDP MMU features on systems where these capabilities are not strictly required for operational purposes. Additionally, implementing monitoring solutions to detect unusual memory access patterns or system instability in virtualized environments can provide early warning signs of potential exploitation attempts. The vulnerability demonstrates the critical importance of proper concurrency control in kernel-level virtualization subsystems and highlights the need for comprehensive testing of virtualization features under stress conditions to identify similar race conditions before they can be exploited in production environments.
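The two preconditions named in the summary, nested virtualisation and the TDP MMU, are exposed as KVM module parameters under /sys/module, so a host can be checked for them directly. The shell script below is an added example, not VulDB or kernel-project code; the function names and the optional ROOT argument are assumptions made for illustration, and the version test is a heuristic because distribution kernels may carry a backported fix.

```sh
#!/bin/sh
# Added example, not VulDB or kernel code. Reads the KVM module parameters
# that control the two preconditions in the CVE-2022-45869 description.

# Map a parameter file to on/off/absent (bool reads Y/N, integer reads 1/0).
param_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    case "$(cat "$1")" in
        Y|y|1) echo on ;;
        *)     echo off ;;
    esac
}

# True when the release string is inside "through 6.1-rc6". Heuristic only:
# a distribution kernel may carry a backported fix under an older version.
release_in_range() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    [ "$major" -lt 6 ] && return 0
    [ "$major" -eq 6 ] && [ "$minor" -eq 0 ] && return 0
    if [ "$major" -eq 6 ] && [ "$minor" -eq 1 ]; then
        case "$1" in *-rc[1-6]|*-rc[1-6][!0-9]*) return 0 ;; esac
    fi
    return 1
}

# kvm_exposure [ROOT] [RELEASE]
# ROOT is a hypothetical prefix for checking a constructed tree; RELEASE
# defaults to the running kernel. Prints one verdict word on stdout.
kvm_exposure() {
    mod="${1:-}/sys/module"
    rel="${2:-$(uname -r)}"
    tdp=$(param_state "$mod/kvm/parameters/tdp_mmu")
    nested=off
    for m in kvm_intel kvm_amd; do
        if [ "$(param_state "$mod/$m/parameters/nested")" = on ]; then nested=on; fi
    done
    echo "tdp_mmu=$tdp nested=$nested kernel=$rel" >&2
    if [ "$tdp" != on ] || [ "$nested" != on ]; then
        echo not-exposed
    elif release_in_range "$rel"; then
        echo exposed
    else
        echo preconditions-met-kernel-outside-range
    fi
}

kvm_exposure
```

A verdict of `preconditions-met-kernel-outside-range` means both features are on and only the kernel version separates the host from the affected configuration, so the version should be confirmed against the vendor's advisory rather than the release string alone.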