CVE-2022-49154 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

KVM: SVM: fix panic on out-of-bounds guest IRQ

As guest_irq comes from the KVM_IRQFD API call, it may trigger a crash in svm_update_pi_irte() due to an out-of-bounds guest_irq:

crash> bt
PID: 22218  TASK: ffff951a6ad74980  CPU: 73  COMMAND: "vcpu8"
 #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397
 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d
 #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d
 #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d
 #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9
 #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51
 #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace
    [exception RIP: svm_update_pi_irte+227]
    RIP: ffffffffc0761b53  RSP: ffffb1ba6707fd08  RFLAGS: 00010086
    RAX: ffffb1ba6707fd78  RBX: ffffb1ba66d91000  RCX: 0000000000000001
    RDX: 00003c803f63f1c0  RSI: 000000000000019a  RDI: ffffb1ba66db2ab8
    RBP: 000000000000019a   R8: 0000000000000040   R9: ffff94ca41b82200
    R10: ffffffffffffffcf  R11: 0000000000000001  R12: 0000000000000001
    R13: 0000000000000001  R14: ffffffffffffffcf  R15: 000000000000005f
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]
 #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]
 #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]
    RIP: 00007f143c36488b  RSP: 00007f143a4e04b8  RFLAGS: 00000246
    RAX: ffffffffffffffda  RBX: 00007f05780041d0  RCX: 00007f143c36488b
    RDX: 00007f05780041d0  RSI: 000000004008ae6a  RDI: 0000000000000020
    RBP: 00000000000004e8   R8: 0000000000000008   R9: 00007f05780041e0
    R10: 00007f0578004560  R11: 0000000000000246  R12: 00000000000004e0
    R13: 000000000000001a  R14: 00007f1424001c60  R15: 00007f0578003bc0
    ORIG_RAX: 0000000000000010  CS: 0033  SS: 002b

VMX has already fixed this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on out-of-bounds guest IRQ), so we can just copy the source from that to fix this.


Analysis

by VulDB Data Team • 09/24/2025

The vulnerability described in CVE-2022-49154 represents a critical kernel panic condition within the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically affecting systems utilizing AMD's SVM (Secure Virtual Machine) virtualization technology. This flaw manifests when guest IRQ (Interrupt Request) values are processed through the KVM_IRQFD API call, which allows userspace applications to inject interrupts into virtual machines. The vulnerability occurs in the svm_update_pi_irte() function where out-of-bounds guest IRQ values can trigger a kernel crash, leading to system instability and potential denial of service conditions.

The vulnerability stems from insufficient input validation in the SVM virtualization layer. When the KVM_IRQFD API receives a guest_irq value that exceeds the expected bounds, svm_update_pi_irte() does not reject the invalid input, and the resulting page fault exception causes the kernel to panic. The stack trace shows the execution path leading to the crash: the fault occurs at svm_update_pi_irte+227, with the instruction pointer inside the affected function, and the call arrives there from kvm_vm_ioctl via kvm_set_irq_routing and kvm_irq_routing_update. This is a classic buffer overflow or out-of-bounds access scenario in which the kernel does not validate an input parameter before using it, a condition that can be exploited to cause system-wide crashes.

The operational impact of this vulnerability extends beyond simple system instability, as it affects the reliability and security of virtualized environments running on AMD hardware. The vulnerability can be triggered through malicious or malformed KVM_IRQFD API calls, potentially allowing attackers to cause denial of service against virtual machines or even compromise the host system if proper isolation is not maintained. The fact that VMX (Intel's VT-x) had already been patched with similar fixes in commit 3a8b0677fc61 demonstrates that this is a well-understood class of vulnerability that requires consistent application across different virtualization technologies. This vulnerability directly maps to CWE-129, which describes "Improper Validation of Array Index" and aligns with ATT&CK technique T1499.001, which covers "Network Denial of Service" through system resource exhaustion or corruption.

The mitigation for CVE-2022-49154 is proper bounds checking in svm_update_pi_irte(): guest_irq values are validated before they are used, following the approach already implemented for VMX. With the fix, an out-of-bounds IRQ value is handled gracefully rather than causing a kernel panic. System administrators should prioritize applying the kernel patches that contain this fix, in particular the bounds-checking change that prevents invalid IRQ values from crashing the system. Because the fix mirrors the established VMX pattern, it keeps the two virtualization implementations consistent and reduces the attack surface for similar vulnerabilities. Organizations running virtualized environments should also monitor for anomalous KVM_IRQFD API usage patterns that might indicate attempted exploitation of this vulnerability.
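The bounds check described in the commit message and in the mitigation paragraph above, shown as an added example that is not kernel code and not part of the VulDB page. It models KVM's per-VM interrupt routing table in user space: a table of nr_rt_entries buckets, one per guest GSI, indexed by the guest_irq that arrives through KVM_IRQFD. The struct names, the route types, the sample table and the out-of-range probe value 410 are all constructed for the example; the check itself (reject guest_irq at or beyond nr_rt_entries, or with an empty bucket, and warn once instead of dereferencing) follows the pattern the VMX fix established and the SVM fix copied.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of KVM's per-VM interrupt routing table
 * (struct kvm_irq_routing_table in the kernel): nr_rt_entries buckets,
 * each holding the routing entries registered for that guest GSI.
 * Names and layout are simplified assumptions, not kernel code. */
struct route_entry {
    unsigned int gsi;
    unsigned int type;          /* ROUTE_MSI or ROUTE_IRQCHIP (assumed names) */
    struct route_entry *next;   /* next entry in the same bucket */
};

struct irq_routing_table {
    unsigned int nr_rt_entries;
    struct route_entry **map;   /* map[gsi] -> bucket list, nr_rt_entries long */
};

enum { ROUTE_IRQCHIP = 1, ROUTE_MSI = 2 };
enum pi_result { PI_UPDATED = 0, PI_NO_ROUTE = 1, PI_SKIPPED = 2 };

/* The check the fix adds before map[] is indexed: guest_irq comes from the
 * KVM_IRQFD ioctl, so it is untrusted and must be validated against the table
 * size; a missing route is a warning, not a dereference. The message wording
 * is modelled on the VMX fix and is an assumption here. */
static bool guest_irq_has_route(const struct irq_routing_table *rt, unsigned int guest_irq)
{
    if (guest_irq >= rt->nr_rt_entries || rt->map[guest_irq] == NULL) {
        static bool warned;     /* stands in for the kernel's pr_warn_once() */
        if (!warned) {
            fprintf(stderr, "no route for guest_irq %u/%u (broken user space?)\n",
                    guest_irq, rt->nr_rt_entries);
            warned = true;
        }
        return false;
    }
    return true;
}

/* Hardened lookup, the shape of the patched *_update_pi_irte() path: the
 * bucket is only touched after the index is known to be in range. Only MSI
 * routes get a posted-interrupt entry, so other route types are skipped. */
enum pi_result update_pi_irte(const struct irq_routing_table *rt, unsigned int guest_irq)
{
    if (!guest_irq_has_route(rt, guest_irq))
        return PI_NO_ROUTE;

    for (const struct route_entry *e = rt->map[guest_irq]; e; e = e->next) {
        if (e->type == ROUTE_MSI)
            return PI_UPDATED;  /* the kernel would program the IOMMU IRTE here */
    }
    return PI_SKIPPED;
}

/* Builds a constructed 4-entry table: GSI 1 is an MSI route, GSI 2 an
 * IRQCHIP route, GSIs 0 and 3 have no route. Free it with free_table(). */
struct irq_routing_table *build_sample_table(void)
{
    struct irq_routing_table *rt = calloc(1, sizeof(*rt));
    rt->nr_rt_entries = 4;
    rt->map = calloc(rt->nr_rt_entries, sizeof(*rt->map));

    struct route_entry *msi = calloc(1, sizeof(*msi));
    msi->gsi = 1;
    msi->type = ROUTE_MSI;
    rt->map[1] = msi;

    struct route_entry *chip = calloc(1, sizeof(*chip));
    chip->gsi = 2;
    chip->type = ROUTE_IRQCHIP;
    rt->map[2] = chip;
    return rt;
}

void free_table(struct irq_routing_table *rt)
{
    for (unsigned int i = 0; i < rt->nr_rt_entries; i++) {
        struct route_entry *e = rt->map[i];
        while (e) {
            struct route_entry *n = e->next;
            free(e);
            e = n;
        }
    }
    free(rt->map);
    free(rt);
}

int main(void)
{
    struct irq_routing_table *rt = build_sample_table();
    /* 410 is a constructed out-of-range GSI; without the check it would index
     * past the end of map[], which is the failure class the CVE describes. */
    unsigned int probes[] = { 1, 2, 3, 410 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("guest_irq %u -> %d\n", probes[i], update_pi_irte(rt, probes[i]));
    free_table(rt);
    return 0;
}
```

The unchecked pre-fix path is deliberately not reproduced: indexing map[] past nr_rt_entries is undefined behaviour in user space just as it is a page fault in the kernel. The point of the example is the ordering, which is the whole fix: range-check the user-supplied index, then look at the bucket.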

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00246

KEV

no

Activities

very low

Sources
