CVE-2022-0171 Overview
A flaw was found in the Linux kernel's KVM SEV API that allows a non-root (host) user-level application to crash the host kernel. The vulnerability exists in AMD CPUs that support Secure Encrypted Virtualization (SEV), where an attacker can trigger a denial of service condition by creating a confidential guest VM instance.
Critical Impact
Local attackers with user-level access can crash the host kernel on systems using AMD SEV, causing complete denial of service to all hosted virtual machines and services.
Affected Products
- Linux Kernel versions prior to 5.18 and release candidates 5.18-rc1 through 5.18-rc3
- Red Hat Enterprise Linux 8.0 and 9.0
- Debian Linux 10.0 and 11.0
Discovery Timeline
- 2022-08-26 - CVE CVE-2022-0171 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0171
Vulnerability Analysis
This vulnerability (CWE-459: Incomplete Cleanup, CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer) resides in the KVM (Kernel-based Virtual Machine) implementation for AMD Secure Encrypted Virtualization (SEV). The flaw allows a user-level application running on the host to exploit the SEV API and crash the entire host kernel.
AMD SEV is a hardware feature designed to encrypt virtual machine memory, protecting guest VMs from a potentially compromised hypervisor. However, improper handling within the KVM SEV API creates a condition where the host kernel can be destabilized through specific operations during confidential guest VM instance creation.
The vulnerability requires local access with user-level privileges, meaning an attacker must already have the ability to execute code on the host system. The impact is limited to availability—there is no data confidentiality or integrity compromise. However, the denial of service affects the entire host system, including all running virtual machines.
Root Cause
The root cause is traced to incomplete cleanup operations (CWE-459) and improper removal of sensitive information (CWE-212) within the KVM SEV API. When a confidential guest VM instance is created on AMD processors with SEV support, certain resources or state information are not properly managed or cleaned up, leading to a condition that can crash the host kernel.
Attack Vector
The attack requires local access to the host system with the ability to interact with the KVM SEV API. An attacker with user-level privileges can craft specific operations involving confidential guest VM creation that trigger the vulnerability. Since no user interaction is required once access is obtained, and the attack complexity is low, exploitation is straightforward for attackers who have local system access.
The attack flow involves:
- Attacker gains user-level access to a host system running on AMD SEV-capable hardware
- Attacker creates a malformed or specially crafted confidential guest VM instance using the KVM SEV API
- The improper handling triggers the vulnerability, crashing the host kernel
- All services and virtual machines on the host become unavailable
Detection Methods for CVE-2022-0171
Indicators of Compromise
- Unexpected host kernel crashes or panics on systems with AMD SEV enabled
- Kernel oops messages referencing KVM SEV-related functions in system logs
- Abnormal patterns of guest VM creation attempts from non-privileged users
- System instability coinciding with SEV API interactions
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for KVM SEV-related crash signatures
- Implement audit rules to track access to KVM device files (/dev/kvm)
- Deploy kernel live patching solutions to detect and prevent exploitation attempts
- Use system integrity monitoring to detect unexpected kernel state changes
Monitoring Recommendations
- Enable and monitor kernel audit subsystem for KVM-related system calls
- Configure alerting for unexpected system reboots or kernel panics on virtualization hosts
- Monitor for unusual VM creation patterns, especially from non-administrative users
- Review SEV-specific kernel module activity on AMD-based hypervisor hosts
How to Mitigate CVE-2022-0171
Immediate Actions Required
- Update the Linux kernel to version 5.18 or later containing the fix (commit 683412ccf61294d727ead4a73d97397396e69a6b)
- Apply vendor-specific security updates from Red Hat or Debian as applicable
- Restrict access to KVM device files to only trusted administrative users
- Consider temporarily disabling SEV functionality if patches cannot be immediately applied
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix is available in the Linux Kernel Commit Update (commit 683412ccf61294d727ead4a73d97397396e69a6b). Downstream distributions have released their own security advisories:
- Red Hat: Red Hat CVE-2022-0171 Advisory and Red Hat Bug Report #2038940
- Debian: Debian Security Advisory DSA-5257 and Debian LTS Announcement
Workarounds
- Restrict KVM device access using file permissions (chmod 600 /dev/kvm)
- Use SELinux or AppArmor policies to limit which processes can access KVM functionality
- Disable AMD SEV support in the kernel via boot parameters if not required (kvm_amd.sev=0)
- Implement strict access controls for virtualization management interfaces
# Restrict KVM device access to root only
chmod 600 /dev/kvm
chown root:root /dev/kvm
# Disable SEV support via kernel boot parameter (add to GRUB config)
# Edit /etc/default/grub and add to GRUB_CMDLINE_LINUX:
# kvm_amd.sev=0
# Apply GRUB changes
update-grub
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
