{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-2196", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2022-06-24T13:29:09.969Z", "datePublished": "2023-01-09T10:59:53.099Z", "dateUpdated": "2025-02-13T16:28:57.097Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "KVM", "product": "Linux Kernel", "repo": "https://git.kernel.org/", "vendor": "Linux", "versions": [{"lessThan": "2e7eab81425a", "status": "affected", "version": "0", "versionType": "git"}, {"lessThan": "6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2022-10-18T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit&nbsp;2e7eab81425a</span></span><br>"}], "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a"}], "impacts": [{"capecId": "CAPEC-30", "descriptions": [{"lang": "en", "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-05-03T00:06:59.149Z"}, "references": [{"url": "https://kernel.dance/#2e7eab81425a"}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}], "source": {"discovery": "INTERNAL"}, "title": "Speculative execution attacks in KVM VMX", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230223-0002/"}, {"url": "https://kernel.dance/#2e7eab81425a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:08.645Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T15:07:47.721131Z", "id": "CVE-2022-2196", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:08:01.626Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20230223-0002/"}, {"url": "https://kernel.dance/#2e7eab81425a", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:32:08.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-2196", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-01T15:07:47.721131Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T15:07:57.125Z"}}], "cna": {"title": "Speculative execution attacks in KVM VMX", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-30", "descriptions": [{"lang": "en", "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.kernel.org/", "vendor": "Linux", "product": "Linux Kernel", "versions": [{"status": "affected", "version": "0", "lessThan": "2e7eab81425a", "versionType": "git"}, {"status": "affected", "version": "0", "lessThan": "6.2", "versionType": "custom"}], "packageName": "KVM", "defaultStatus": "unaffected"}], "datePublic": "2022-10-18T22:00:00.000Z", "references": [{"url": "https://kernel.dance/#2e7eab81425a"}, {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a", "supportingMedia": [{"type": "text/html", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit&nbsp;2e7eab81425a</span></span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2023-05-03T00:06:59.149Z"}}}, "cveMetadata": {"cveId": "CVE-2022-2196", "state": "PUBLISHED", "dateUpdated": "2025-02-13T16:28:57.097Z", "dateReserved": "2022-06-24T13:29:09.969Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2023-01-09T10:59:53.099Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D73442D9-8AEA-46EF-BDFE-A7DA3F4256CB", "versionEndExcluding": "5.4.233", "versionStartIncluding": "5.4.47", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D059EB4-CC70-4B73-A918-FCD19DD26EEF", "versionEndExcluding": "5.7", "versionStartIncluding": "5.6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90F1F96-608E-46B6-848B-CAAA543D8E77", "versionEndExcluding": "5.10.170", "versionStartIncluding": "5.7.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0845BF9E-3498-4C4E-AE1E-2F4FD31B440E", "versionEndExcluding": "5.15.96", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5FED97E-E13D-4287-892D-F8A8C081B5EA", "versionEndExcluding": "6.1.14", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a"}, {"lang": "es", "value": "Existe una regresi\u00f3n en el kernel de Linux dentro de KVM: nVMX que permiti\u00f3 ataques de ejecuci\u00f3n especulativa. L2 puede llevar a cabo ataques Spectre v2 en L1 debido a que L1 piensa que no necesita retpolines o IBPB despu\u00e9s de ejecutar L2 debido a que KVM (L0) anuncia soporte eIBRS en L1. Un atacante en L2 con ejecuci\u00f3n de c\u00f3digo puede ejecutar c\u00f3digo en una rama indirecta en la m\u00e1quina host. Recomendamos actualizar al Kernel 6.2 o al commit anterior 2e7eab81425a"}], "id": "CVE-2022-2196", "lastModified": "2025-02-13T17:15:40.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-09T11:15:10.583", "references": [{"source": "cve-coordination@google.com", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://kernel.dance/#2e7eab81425a"}, {"source": "cve-coordination@google.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://kernel.dance/#2e7eab81425a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230223-0002/"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1188"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:2736", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-477.10.1.rt7.274.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:2951", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-477.10.1.el8_8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:0930", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "kernel-0:4.18.0-372.93.1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-02-21T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2148", "cpe": "cpe:/a:redhat:enterprise_linux:9::nfv", "package": "kernel-rt-0:5.14.0-284.11.1.rt14.296.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2458", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-284.11.1.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2024:0930", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "kernel-0:4.18.0-372.93.1.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-02-21T00:00:00Z"}], "bugzilla": {"description": "kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks", "id": "2160023", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160023"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-1188", "details": ["A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.\u00a0L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB\u00a0after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit\u00a02e7eab81425a", "A flaw was found in the KVM's Intel nested virtualization feature (nVMX). Since L1 and L2 shared branch prediction modes (guest-user and guest-kernel), KVM did not protect indirect branches in L1 from steering by a malicious agent in L2. This could allow a malicious nested guest to carry out Spectre v2 attacks against L1 due to a missing IBPB at VM-exit time."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated by disabling the nested virtualization feature:\n```\n# modprobe -r kvm_intel\n# modprobe kvm_intel nested=0\n```"}, "name": "CVE-2022-2196", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2022-09-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2196\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2196"], "statement": "Red Hat currently provides the nested virtualization feature as a Technology Preview. Nested virtualization is therefore unsupported for production use. For more information please refer to https://access.redhat.com/solutions/21101 and https://access.redhat.com/support/offerings/techpreview.", "threat_severity": "Moderate"}