CVE-2022-49882 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache
Reject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive. Not checking the active flag during refresh is particularly egregious, as KVM can end up with a valid, inactive cache, which can lead to a variety of use-after-free bugs, e.g. consuming a NULL kernel pointer or missing an mmu_notifier invalidation due to the cache not being on the list of gfns to invalidate.
Note, "active" needs to be set if and only if the cache is on the list of caches, i.e. is reachable via mmu_notifier events. If a relevant mmu_notifier event occurs while the cache is "active" but not on the list, KVM will not acquire the cache's lock and so will not serailize the mmu_notifier event with active users and/or kvm_gpc_refresh().
A race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND can be exploited to trigger the bug.
1. Deactivate shinfo cache:
kvm_xen_hvm_set_attr case KVM_XEN_ATTR_TYPE_SHARED_INFO kvm_gpc_deactivate kvm_gpc_unmap gpc->valid = false gpc->khva = NULL gpc->active = false
Result: active = false, valid = false
2. Cause cache refresh:
kvm_arch_vm_ioctl case KVM_XEN_HVM_EVTCHN_SEND kvm_xen_hvm_evtchn_send kvm_xen_set_evtchn kvm_xen_set_evtchn_fast kvm_gpc_check return -EWOULDBLOCK because !gpc->valid kvm_xen_set_evtchn_fast return -EWOULDBLOCK kvm_gpc_refresh hva_to_pfn_retry gpc->valid = true gpc->khva = not NULL
Result: active = false, valid = true
3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl KVM_XEN_ATTR_TYPE_SHARED_INFO:
kvm_arch_vm_ioctl case KVM_XEN_HVM_EVTCHN_SEND kvm_xen_hvm_evtchn_send kvm_xen_set_evtchn kvm_xen_set_evtchn_fast read_lock gpc->lock kvm_xen_hvm_set_attr case KVM_XEN_ATTR_TYPE_SHARED_INFO mutex_lock kvm->lock kvm_xen_shared_info_init kvm_gpc_activate gpc->khva = NULL kvm_gpc_check [ Check passes because gpc->valid is
still true, even though gpc->khva is already NULL. ] shinfo = gpc->khva pending_bits = shinfo->evtchn_pending CRASH: test_and_set_bit(..., pending_bits)
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability CVE-2022-49882 resides within the Linux kernel's KVM subsystem, specifically affecting the handling of guest frame number to physical frame number cache operations. This flaw manifests as a race condition that can lead to use-after-free scenarios, particularly when managing the inactive state of gfn_to_pfn_cache structures. The core issue stems from insufficient validation of cache activity flags during critical operations such as kvm_gpc_check() and kvm_gpc_refresh(), which can result in the kernel operating on stale or invalid cache entries. This vulnerability aligns with CWE-362, which describes race conditions in concurrent systems, and represents a significant security concern due to the potential for arbitrary code execution or system crashes.
The technical implementation of this vulnerability exploits a fundamental flaw in cache state management where the active flag is not properly checked during cache refresh operations. When a cache is deactivated through kvm_gpc_deactivate(), the active flag is set to false while the valid flag is also cleared, but a subsequent kvm_gpc_refresh() operation can reset the valid flag to true without verifying that the cache remains active. This creates a window where the cache appears valid to the system but is actually inactive, leading to scenarios where kernel pointers may be dereferenced after being freed. The race condition occurs between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND ioctls, where the timing of these operations can cause the system to access memory that has already been released, as demonstrated in the detailed sequence of operations.
The operational impact of this vulnerability extends beyond simple system instability, as it can potentially enable privilege escalation or denial of service attacks within virtualized environments. When a cache entry is marked as inactive but still contains valid data, the kernel may proceed with operations that assume the cache is fully functional, leading to memory corruption or invalid pointer dereferences. The vulnerability particularly affects Xen hypervisor integration within KVM, where shared information cache management is critical for proper inter-vm communication. This issue can be exploited through carefully timed ioctl operations that manipulate the cache state in a way that bypasses normal validation checks, making it particularly dangerous in multi-tenant virtualization environments where malicious guests could potentially compromise host systems.
Mitigation strategies for CVE-2022-49882 require immediate kernel updates that implement proper validation of cache activity flags during refresh operations. The fix involves ensuring that kvm_gpc_check() and kvm_gpc_refresh() functions verify the active status of caches before proceeding with operations, preventing the use of inactive caches that may have been freed but still appear valid. Organizations should also implement monitoring for suspicious ioctl patterns that could indicate exploitation attempts, particularly around the KVM_XEN_HVM_EVTCHN_SEND and KVM_XEN_ATTR_TYPE_SHARED_INFO operations. Additionally, system administrators should consider implementing runtime protections such as kernel lockdown modes and strict access controls for virtualization interfaces, as recommended by the ATT&CK framework's techniques for privilege escalation through kernel vulnerabilities. The vulnerability demonstrates the importance of proper state management in concurrent systems and highlights the need for comprehensive validation of cache consistency in virtualization environments.