CVE-2022-49932

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.0.0-rc7+

Description A NULL pointer dereference bug has been identified in the Linux kernel, specifically in the KVM (Kernel-based Virtual Machine) module. The issue arises when the kvm init() function is called before all setup is complete, allowing userspace to create VMs and potentially leading to a NULL pointer dereference. This can occur when userspace is able to create a VM before vmx init() configures the per-CPU loaded vmcss on cpu list. The bug can cause a kernel crash, with symptoms including a supervisor write access in kernel mode and a not-present page error.

Recommendations For Linux kernel versions prior to 6.0.0-rc7+, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the kvm init() function until a patch is available. Restrict access to the /dev/kvm device file to minimize the risk of exploitation.