{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49154","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.275Z","datePublished":"2025-02-26T01:55:19.245Z","dateUpdated":"2025-06-19T12:56:15.928Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-06-19T12:56:15.928Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: fix panic on out-of-bounds guest IRQ\n\nAs guest_irq is coming from KVM_IRQFD API call, it may trigger\ncrash in svm_update_pi_irte() due to out-of-bounds:\n\ncrash> bt\nPID: 22218  TASK: ffff951a6ad74980  CPU: 73  COMMAND: \"vcpu8\"\n #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397\n #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d\n #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d\n #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d\n #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9\n #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51\n #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace\n    [exception RIP: svm_update_pi_irte+227]\n    RIP: ffffffffc0761b53  RSP: ffffb1ba6707fd08  RFLAGS: 00010086\n    RAX: ffffb1ba6707fd78  RBX: ffffb1ba66d91000  RCX: 0000000000000001\n    RDX: 00003c803f63f1c0  RSI: 000000000000019a  RDI: ffffb1ba66db2ab8\n    RBP: 000000000000019a   R8: 0000000000000040   R9: ffff94ca41b82200\n    R10: ffffffffffffffcf  R11: 0000000000000001  R12: 0000000000000001\n    R13: 0000000000000001  R14: ffffffffffffffcf  R15: 000000000000005f\n    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm]\n #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm]\n #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm]\n    RIP: 00007f143c36488b  RSP: 00007f143a4e04b8  RFLAGS: 00000246\n    RAX: ffffffffffffffda  RBX: 00007f05780041d0  RCX: 00007f143c36488b\n    RDX: 00007f05780041d0  RSI: 000000004008ae6a  RDI: 0000000000000020\n    RBP: 00000000000004e8   R8: 0000000000000008   R9: 00007f05780041e0\n    R10: 00007f0578004560  R11: 0000000000000246  R12: 00000000000004e0\n    R13: 000000000000001a  R14: 00007f1424001c60  R15: 00007f0578003bc0\n    ORIG_RAX: 0000000000000010  CS: 0033  SS: 002b\n\nVmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on\nout-of-bounds guest IRQ), so we can just copy source from that to fix\nthis."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/svm/avic.c"],"versions":[{"version":"411b44ba80ab0023383fe3f377e903cb0cb7d8bb","lessThan":"0fb470eb48892e131d10aa3be6915239e65758f3","status":"affected","versionType":"git"},{"version":"411b44ba80ab0023383fe3f377e903cb0cb7d8bb","lessThan":"3fa2d747960521a646fc1aad7aea82e95e139a68","status":"affected","versionType":"git"},{"version":"411b44ba80ab0023383fe3f377e903cb0cb7d8bb","lessThan":"e4d153d53d9648513481eb4ef8c212e7f1f8173d","status":"affected","versionType":"git"},{"version":"411b44ba80ab0023383fe3f377e903cb0cb7d8bb","lessThan":"a6ffdebfb6a9c2ffeed902b544b96fe67498210e","status":"affected","versionType":"git"},{"version":"411b44ba80ab0023383fe3f377e903cb0cb7d8bb","lessThan":"a80ced6ea514000d34bf1239d47553de0d1ee89e","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/kvm/svm/avic.c"],"versions":[{"version":"4.9","status":"affected"},{"version":"0","lessThan":"4.9","status":"unaffected","versionType":"semver"},{"version":"5.10.110","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.10.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.9","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/0fb470eb48892e131d10aa3be6915239e65758f3"},{"url":"https://git.kernel.org/stable/c/3fa2d747960521a646fc1aad7aea82e95e139a68"},{"url":"https://git.kernel.org/stable/c/e4d153d53d9648513481eb4ef8c212e7f1f8173d"},{"url":"https://git.kernel.org/stable/c/a6ffdebfb6a9c2ffeed902b544b96fe67498210e"},{"url":"https://git.kernel.org/stable/c/a80ced6ea514000d34bf1239d47553de0d1ee89e"}],"title":"KVM: SVM: fix panic on out-of-bounds guest IRQ","x_generator":{"engine":"bippy-1.2.0"}}}}