{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48765", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-06-20T11:09:39.060Z", "datePublished": "2024-06-20T11:13:41.830Z", "dateUpdated": "2025-05-04T08:22:37.399Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:22:37.399Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n <TASK>\n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/lapic.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "54b3439c8e70e0bcfea59aeef9dd98908cbbf655", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ce55f63f6cea4cab8ae9212f73285648a5baa30d", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "35fe7cfbab2e81f1afb23fc4212210b1de6d9633", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kvm/lapic.c"], "versions": [{"version": "5.15.19", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.5", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.16.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655"}, {"url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d"}, {"url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633"}], "title": "KVM: LAPIC: Also cancel preemption timer during SET_LAPIC", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:00.534Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:10:12.992201Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:47.369Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:00.534Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48765", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T17:10:12.992201Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:25.917Z"}}], "cna": {"title": "KVM: LAPIC: Also cancel preemption timer during SET_LAPIC", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "54b3439c8e70e0bcfea59aeef9dd98908cbbf655", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "ce55f63f6cea4cab8ae9212f73285648a5baa30d", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "35fe7cfbab2e81f1afb23fc4212210b1de6d9633", "versionType": "git"}], "programFiles": ["arch/x86/kvm/lapic.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.15.19", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.5", "versionType": "semver", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["arch/x86/kvm/lapic.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655"}, {"url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d"}, {"url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n <TASK>\n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.19"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:22:37.399Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48765", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:22:37.399Z", "dateReserved": "2024-06-20T11:09:39.060Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-06-20T11:13:41.830Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "352EAFB1-3E7D-4674-A4A1-B9D1E5BE738E", "versionEndExcluding": "5.15.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AD9E77E-B27E-450C-8FD8-B64EC5FB002D", "versionEndExcluding": "5.16.5", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\n\nThe below warning is splatting during guest reboot.\n\n ------------[ cut here ]------------\n WARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n CPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\n RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\n Call Trace:\n <TASK>\n kvm_vcpu_ioctl+0x279/0x710 [kvm]\n __x64_sys_ioctl+0x83/0xb0\n do_syscall_64+0x3b/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7fd39797350b\n\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: KVM: LAPIC: cancele tambi\u00e9n el temporizador de preferencia durante SET_LAPIC La siguiente advertencia aparece durante el reinicio del invitado. ------------[ cortar aqu\u00ed ]------------ ADVERTENCIA: CPU: 0 PID: 1931 en arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+ 0x874/0x880 [kvm] CPU: 0 PID: 1931 Comm: qemu-system-x86 Contaminado: GI 5.17.0-rc1+ #5 RIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm] Seguimiento de llamadas: 79 /0x710 [kvm] __x64_sys_ioctl+0x83/0xb0 do_syscall_64+0x3b/0xc0 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fd39797350b Esto se puede activar al no exponer el modo tsc-deadline y reiniciar el invitado. La funci\u00f3n lapic_shutdown() que se llama en la ruta sys_reboot no desarmar\u00e1 el temporizador de vuelo, simplemente enmascara el LVTT. lapic_shutdown() borra el estado de APIC con LVT_MASKED y el bit del modo de temporizador es 0, esto puede activar el cambio del modo de temporizador entre tsc-deadline y oneshot/peri\u00f3dico, lo que puede provocar que el temporizador de preferencia se cancele en apic_update_lvtt(). Sin embargo, no podemos depender de esto cuando no exponemos el modo tsc-deadline y los modos oneshot/peri\u00f3dico emulados por el temporizador de preferencia. Qemu sincronizar\u00e1 los estados alrededor del reinicio, cancelemos el temporizador de preferencia en KVM_SET_LAPIC."}], "id": "CVE-2022-48765", "lastModified": "2025-09-29T18:36:45.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-20T12:15:14.530", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/35fe7cfbab2e81f1afb23fc4212210b1de6d9633"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/54b3439c8e70e0bcfea59aeef9dd98908cbbf655"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ce55f63f6cea4cab8ae9212f73285648a5baa30d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:7683", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-425.3.1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-11-08T00:00:00Z"}, {"advisory": "RHSA-2022:8267", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}, {"advisory": "RHSA-2022:8267", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}], "bugzilla": {"description": "kernel: KVM: LAPIC: Also cancel preemption timer during SET_LAPIC", "id": "2293344", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293344"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-99", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: LAPIC: Also cancel preemption timer during SET_LAPIC\nThe below warning is splatting during guest reboot.\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 1931 at arch/x86/kvm/x86.c:10322 kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\nCPU: 0 PID: 1931 Comm: qemu-system-x86 Tainted: G I 5.17.0-rc1+ #5\nRIP: 0010:kvm_arch_vcpu_ioctl_run+0x874/0x880 [kvm]\nCall Trace:\n<TASK>\nkvm_vcpu_ioctl+0x279/0x710 [kvm]\n__x64_sys_ioctl+0x83/0xb0\ndo_syscall_64+0x3b/0xc0\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fd39797350b\nThis can be triggered by not exposing tsc-deadline mode and doing a reboot in\nthe guest. The lapic_shutdown() function which is called in sys_reboot path\nwill not disarm the flying timer, it just masks LVTT. lapic_shutdown() clears\nAPIC state w/ LVT_MASKED and timer-mode bit is 0, this can trigger timer-mode\nswitch between tsc-deadline and oneshot/periodic, which can result in preemption\ntimer be cancelled in apic_update_lvtt(). However, We can't depend on this when\nnot exposing tsc-deadline mode and oneshot/periodic modes emulated by preemption\ntimer. Qemu will synchronise states around reset, let's cancel preemption timer\nunder KVM_SET_LAPIC."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48765", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48765\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48765\nhttps://lore.kernel.org/linux-cve-announce/2024062009-CVE-2022-48765-ddb8@gregkh/T"], "threat_severity": "Moderate"}