CVE-2022-49883 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format
On 64 bit host, if the guest doesn't have X86_FEATURE_LM, KVM will access 16 gprs to 32-bit smram image, causing out-ouf-bound ram access.
On 32 bit host, the rsm_load_state_64/enter_smm_save_state_64 is compiled out, thus access overflow can't happen.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/11/2025
The vulnerability described in CVE-2022-49883 represents a critical memory access issue within the Linux kernel's KVM (Kernel-based Virtual Machine) implementation, specifically affecting the x86 architecture's System Management Mode (SMM) handling. This flaw exists in the interaction between the virtualization layer and the hardware's system management features, creating a potential pathway for unauthorized memory access that could compromise system integrity. The vulnerability manifests when KVM processes SMM state management for virtual machines, particularly in scenarios involving different host architecture configurations and guest operating system capabilities.
The technical root cause of this vulnerability lies in the improper handling of General Purpose Registers (GPRs) within the SMRAM (System Management RAM) image during SMM transitions. When a 64-bit host system runs a guest virtual machine that lacks the X86_FEATURE_LM (Long Mode) capability, KVM incorrectly attempts to access 16 general purpose registers within a 32-bit SMRAM image. This mismatch creates an out-of-bounds memory access pattern where the virtualization layer tries to read or write beyond the allocated memory boundaries of the 32-bit SMM image structure. The flaw specifically targets the architectural differences between 32-bit and 64-bit execution modes, where the expected memory layout and register usage differ significantly.
The operational impact of this vulnerability extends beyond simple memory corruption, potentially enabling attackers to exploit the out-of-bounds access for privilege escalation or information disclosure within virtualized environments. Systems running KVM with 64-bit hosts and 32-bit guest operating systems are particularly vulnerable, as the memory access violation could allow malicious code to overwrite critical system data or potentially execute arbitrary instructions within the hypervisor context. This represents a significant concern for cloud environments and server virtualization deployments where multiple tenants share the same physical hardware, as the vulnerability could be leveraged to compromise the isolation between virtual machines or gain elevated privileges within the host system.
The vulnerability demonstrates characteristics consistent with CWE-121, which addresses stack-based buffer overflow conditions, and aligns with ATT&CK techniques related to privilege escalation and hypervisor exploitation. The issue specifically affects the SMM handling code path within KVM's x86 implementation, where the conditional compilation of functions like rsm_load_state_64 and enter_smm_save_state_64 on 32-bit hosts prevents the overflow from occurring in those configurations. This selective compilation behavior creates an asymmetric vulnerability where the same code path behaves differently based on host architecture, making the issue more complex to detect and remediate. The resolution addresses this inconsistency by ensuring proper bounds checking and register access validation regardless of the host architecture or guest feature set, maintaining consistent memory access patterns across all supported configurations.