{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49557", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:08:31.591Z", "datePublished": "2025-02-26T02:14:04.090Z", "dateUpdated": "2025-05-04T08:40:29.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:40:29.927Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)\n\nSet the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',\ni.e. to KVM's historical uABI size. When saving FPU state for usersapce,\nKVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if\nthe host doesn't support XSAVE. Setting the XSAVE header allows the VM\nto be migrated to a host that does support XSAVE without the new host\nhaving to handle FPU state that may or may not be compatible with XSAVE.\n\nSetting the uABI size to the host's default size results in out-of-bounds\nwrites (setting the FP+SSE bits) and data corruption (that is thankfully\ncaught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.\n\nWARN if the default size is larger than KVM's historical uABI size; all\nfeatures that can push the FPU size beyond the historical size must be\nopt-in.\n\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n Read of size 8 at addr ffff888011e33a00 by task qemu-build/681\n CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1\n Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010\n Call Trace:\n <TASK>\n dump_stack_lvl+0x34/0x45\n print_report.cold+0x45/0x575\n kasan_report+0x9b/0xd0\n fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]\n kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]\n __x64_sys_ioctl+0x5de/0xc90\n do_syscall_64+0x31/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>\n Allocated by task 0:\n (stack is not available)\n The buggy address belongs to the object at ffff888011e33800\n which belongs to the cache kmalloc-512 of size 512\n The buggy address is located 0 bytes to the right of\n 512-byte region [ffff888011e33800, ffff888011e33a00)\n The buggy address belongs to the physical page:\n page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30\n head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0\n flags: 0x4000000000010200(slab|head|zone=1)\n raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n Memory state around the buggy address:\n ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ==================================================================\n Disabling lock debugging due to kernel taint"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/fpu/core.c"], "versions": [{"version": "c60427dd50ba9b20063ccaed0e98d62e886d7a3b", "lessThan": "9cf15ebb7dedfe2f27120743b8ea8441c99ac73c", "status": "affected", "versionType": "git"}, {"version": "c60427dd50ba9b20063ccaed0e98d62e886d7a3b", "lessThan": "c181acbd1a427859d5fda543b95fbae28f7f6068", "status": "affected", "versionType": "git"}, {"version": "c60427dd50ba9b20063ccaed0e98d62e886d7a3b", "lessThan": "d187ba5312307d51818beafaad87d28a7d939adf", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/fpu/core.c"], "versions": [{"version": "5.17", "status": "affected"}, {"version": "0", "lessThan": "5.17", "status": "unaffected", "versionType": "semver"}, {"version": "5.17.13", "lessThanOrEqual": "5.17.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.2", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.17.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.18.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9cf15ebb7dedfe2f27120743b8ea8441c99ac73c"}, {"url": "https://git.kernel.org/stable/c/c181acbd1a427859d5fda543b95fbae28f7f6068"}, {"url": "https://git.kernel.org/stable/c/d187ba5312307d51818beafaad87d28a7d939adf"}], "title": "x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B9BB825-A808-4956-BB14-96D78971362C", "versionEndExcluding": "5.17.13", "versionStartIncluding": "5.17", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FF255A1-64F4-4E31-AF44-C92FB8773BA2", "versionEndExcluding": "5.18.2", "versionStartIncluding": "5.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)\n\nSet the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',\ni.e. to KVM's historical uABI size. When saving FPU state for usersapce,\nKVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if\nthe host doesn't support XSAVE. Setting the XSAVE header allows the VM\nto be migrated to a host that does support XSAVE without the new host\nhaving to handle FPU state that may or may not be compatible with XSAVE.\n\nSetting the uABI size to the host's default size results in out-of-bounds\nwrites (setting the FP+SSE bits) and data corruption (that is thankfully\ncaught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.\n\nWARN if the default size is larger than KVM's historical uABI size; all\nfeatures that can push the FPU size beyond the historical size must be\nopt-in.\n\n ==================================================================\n BUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n Read of size 8 at addr ffff888011e33a00 by task qemu-build/681\n CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1\n Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010\n Call Trace:\n <TASK>\n dump_stack_lvl+0x34/0x45\n print_report.cold+0x45/0x575\n kasan_report+0x9b/0xd0\n fpu_copy_uabi_to_guest_fpstate+0x86/0x130\n kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]\n kvm_vcpu_ioctl+0x47f/0x7b0 [kvm]\n __x64_sys_ioctl+0x5de/0xc90\n do_syscall_64+0x31/0x50\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n </TASK>\n Allocated by task 0:\n (stack is not available)\n The buggy address belongs to the object at ffff888011e33800\n which belongs to the cache kmalloc-512 of size 512\n The buggy address is located 0 bytes to the right of\n 512-byte region [ffff888011e33800, ffff888011e33a00)\n The buggy address belongs to the physical page:\n page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30\n head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0\n flags: 0x4000000000010200(slab|head|zone=1)\n raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80\n raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n Memory state around the buggy address:\n ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n >ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ^\n ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n ==================================================================\n Disabling lock debugging due to kernel taint"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: x86/fpu: KVM: Establecer el tama\u00f1o uABI de la FPU invitada base en sizeof(struct kvm_xsave) Establezca el tama\u00f1o uABI inicial de la FPU invitada de KVM en 'struct kvm_xsave', es decir, en el tama\u00f1o uABI hist\u00f3rico de KVM. Al guardar el estado de la FPU para el espacio de usuario, KVM (bueno, ahora la FPU) establece los bits FP+SSE en el encabezado XSAVE incluso si el host no admite XSAVE. Establecer el encabezado XSAVE permite migrar la VM a un host que admita XSAVE sin que el nuevo host tenga que gestionar el estado de la FPU que puede o no ser compatible con XSAVE. Establecer el tama\u00f1o uABI en el tama\u00f1o predeterminado del host da como resultado escrituras fuera de los l\u00edmites (establecer los bits FP+SSE) y corrupci\u00f3n de datos (que afortunadamente es detectada por KASAN) cuando se ejecuta en hosts sin XSAVE, por ejemplo, en CPU Core2. ADVERTENCIA si el tama\u00f1o predeterminado es mayor que el tama\u00f1o uABI hist\u00f3rico de KVM; todas las funciones que puedan aumentar el tama\u00f1o de FPU m\u00e1s all\u00e1 del tama\u00f1o hist\u00f3rico deben ser habilitadas. ===================================================================== ERROR: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130 Read of size 8 at addr ffff888011e33a00 by task qemu-build/681 CPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1 Hardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010 Call Trace: dump_stack_lvl+0x34/0x45 print_report.cold+0x45/0x575 kasan_report+0x9b/0xd0 fpu_copy_uabi_to_guest_fpstate+0x86/0x130 kvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm] kvm_vcpu_ioctl+0x47f/0x7b0 [kvm] __x64_sys_ioctl+0x5de/0xc90 do_syscall_64+0x31/0x50 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 0: (stack is not available) The buggy address belongs to the object at ffff888011e33800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes to the right of 512-byte region [ffff888011e33800, ffff888011e33a00) The buggy address belongs to the physical page: page:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30 head:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &gt;ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ======================================================================= Desactivar bloqueo depuraci\u00f3n debido a la corrupci\u00f3n del kernel"}], "id": "CVE-2022-49557", "lastModified": "2025-10-22T17:30:30.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:31.503", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9cf15ebb7dedfe2f27120743b8ea8441c99ac73c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c181acbd1a427859d5fda543b95fbae28f7f6068"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d187ba5312307d51818beafaad87d28a7d939adf"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6460", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-372.26.1.el8_6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-13T00:00:00Z"}, {"advisory": "RHSA-2022:8267", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}, {"advisory": "RHSA-2022:8267", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-162.6.1.el9_1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-11-15T00:00:00Z"}, {"advisory": "RHSA-2022:6460", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "kernel-0:4.18.0-372.26.1.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2022-09-13T00:00:00Z"}], "bugzilla": {"description": "kernel: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)", "id": "2348183", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2348183"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nx86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)\nSet the starting uABI size of KVM's guest FPU to 'struct kvm_xsave',\ni.e. to KVM's historical uABI size. When saving FPU state for usersapce,\nKVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if\nthe host doesn't support XSAVE. Setting the XSAVE header allows the VM\nto be migrated to a host that does support XSAVE without the new host\nhaving to handle FPU state that may or may not be compatible with XSAVE.\nSetting the uABI size to the host's default size results in out-of-bounds\nwrites (setting the FP+SSE bits) and data corruption (that is thankfully\ncaught by KASAN) when running on hosts without XSAVE, e.g. on Core2 CPUs.\nWARN if the default size is larger than KVM's historical uABI size; all\nfeatures that can push the FPU size beyond the historical size must be\nopt-in.\n==================================================================\nBUG: KASAN: slab-out-of-bounds in fpu_copy_uabi_to_guest_fpstate+0x86/0x130\nRead of size 8 at addr ffff888011e33a00 by task qemu-build/681\nCPU: 1 PID: 681 Comm: qemu-build Not tainted 5.18.0-rc5-KASAN-amd64 #1\nHardware name: /DG35EC, BIOS ECG3510M.86A.0118.2010.0113.1426 01/13/2010\nCall Trace:\n<TASK>\ndump_stack_lvl+0x34/0x45\nprint_report.cold+0x45/0x575\nkasan_report+0x9b/0xd0\nfpu_copy_uabi_to_guest_fpstate+0x86/0x130\nkvm_arch_vcpu_ioctl+0x72a/0x1c50 [kvm]\nkvm_vcpu_ioctl+0x47f/0x7b0 [kvm]\n__x64_sys_ioctl+0x5de/0xc90\ndo_syscall_64+0x31/0x50\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n</TASK>\nAllocated by task 0:\n(stack is not available)\nThe buggy address belongs to the object at ffff888011e33800\nwhich belongs to the cache kmalloc-512 of size 512\nThe buggy address is located 0 bytes to the right of\n512-byte region [ffff888011e33800, ffff888011e33a00)\nThe buggy address belongs to the physical page:\npage:0000000089cd4adb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e30\nhead:0000000089cd4adb order:2 compound_mapcount:0 compound_pincount:0\nflags: 0x4000000000010200(slab|head|zone=1)\nraw: 4000000000010200 dead000000000100 dead000000000122 ffff888001041c80\nraw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff888011e33900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff888011e33980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff888011e33a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n^\nffff888011e33a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\nffff888011e33b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc\n==================================================================\nDisabling lock debugging due to kernel taint"], "name": "CVE-2022-49557", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49557\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49557\nhttps://lore.kernel.org/linux-cve-announce/2025022617-CVE-2022-49557-f9a3@gregkh/T"], "threat_severity": "Low"}