CVE-2022-1789

medium

Description

With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.

References

https://francozappa.github.io/about-bias/

https://kb.cert.org/vuls/id/647177/

https://bugzilla.redhat.com/show_bug.cgi?id=1832397

https://lists.fedoraproject.org/archives/list/[email protected]/message/H6JP355XFVAB33X4BNO3ERVTURFYEDB7/

https://lists.fedoraproject.org/archives/list/[email protected]/message/IBUOQTNTQ4ZCXHOCNKYIL2ZUIAZ675RD/

https://lists.fedoraproject.org/archives/list/[email protected]/message/KCEAPIVPRTJHKPF2A2HVF5XHD5XJT3MN/

https://www.debian.org/security/2022/dsa-5161

Details

Source: MITRE

Published: 2022-06-02

Updated: 2022-06-15

Type: CWE-476

Risk Information

CVSS v2

Base Score: 6.9

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.4

Severity: MEDIUM

CVSS v3

Base Score: 6.8

Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 0.9

Severity: MEDIUM