{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2022-49610", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T02:21:30.417Z", "datePublished": "2025-02-26T02:23:33.299Z", "dateUpdated": "2026-05-23T15:22:32.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-23T15:22:32.065Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Prevent RSB underflow before vmenter\n\nOn VMX, there are some balanced returns between the time the guest's\nSPEC_CTRL value is written, and the vmenter.\n\nBalanced returns (matched by a preceding call) are usually ok, but it's\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\n\nFor maximum paranoia, don't allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n\n [ bp: Fix 32-bit build. ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/asm-offsets.c", "arch/x86/kernel/cpu/bugs.c", "arch/x86/kvm/vmx/capabilities.h", "arch/x86/kvm/vmx/vmenter.S", "arch/x86/kvm/vmx/vmx.c", "arch/x86/kvm/vmx/vmx.h", "arch/x86/kvm/vmx/vmx_ops.h"], "versions": [{"version": "d28b387fb74da95d69d2615732f50cceb38e9a4d", "lessThan": "afd743f6dde87296c6f3414706964c491bb85862", "status": "affected", "versionType": "git"}, {"version": "d28b387fb74da95d69d2615732f50cceb38e9a4d", "lessThan": "07853adc29a058c5fd143c14e5ac528448a72ed9", "status": "affected", "versionType": "git"}, {"version": "44491a23b73789c0a914af4ea55ccf8968adf90b", "status": "affected", "versionType": "git"}, {"version": "fc6aae9f407810cb153a9133c28735871f9f0a16", "status": "affected", "versionType": "git"}, {"version": "3.16.57", "lessThan": "3.17", "status": "affected", "versionType": "semver"}, {"version": "4.4.168", "lessThan": "4.5", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/kernel/asm-offsets.c", "arch/x86/kernel/cpu/bugs.c", "arch/x86/kvm/vmx/capabilities.h", "arch/x86/kvm/vmx/vmenter.S", "arch/x86/kvm/vmx/vmx.c", "arch/x86/kvm/vmx/vmx.h", "arch/x86/kvm/vmx/vmx_ops.h"], "versions": [{"version": "4.16", "status": "affected"}, {"version": "0", "lessThan": "4.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.18.14", "lessThanOrEqual": "5.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "5.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.16", "versionEndExcluding": "5.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.16.57"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.168"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/afd743f6dde87296c6f3414706964c491bb85862"}, {"url": "https://git.kernel.org/stable/c/07853adc29a058c5fd143c14e5ac528448a72ed9"}], "title": "KVM: VMX: Prevent RSB underflow before vmenter", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6958CFC-F1AB-4F94-BDC7-685D623EE2B4", "versionEndExcluding": "5.18.14", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "1A0DE3B7-0FFB-45AA-9BD6-19870CA7C6FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "00AE778B-BAEE-49EB-9F84-003B73D7862A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Prevent RSB underflow before vmenter\n\nOn VMX, there are some balanced returns between the time the guest's\nSPEC_CTRL value is written, and the vmenter.\n\nBalanced returns (matched by a preceding call) are usually ok, but it's\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\n\nFor maximum paranoia, don't allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n\n [ bp: Fix 32-bit build. ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: KVM: VMX: Evitar el desbordamiento de RSB antes de vmenter En VMX, hay algunos retornos equilibrados entre el momento en que se escribe el valor SPEC_CTRL del invitado y el vmenter. Los retornos equilibrados (que coinciden con una llamada anterior) suelen ser correctos, pero al menos es te\u00f3ricamente posible que un NMI con una pila de llamadas profunda pueda vaciar el RSB antes de uno de los retornos. Para m\u00e1xima paranoia, no permita *ning\u00fan* retorno (equilibrado o de otro tipo) entre la escritura de SPEC_CTRL y el vmenter. [ bp: Arreglar compilaci\u00f3n de 32 bits. ]"}], "id": "CVE-2022-49610", "lastModified": "2025-10-23T12:08:23.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:01:36.463", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/07853adc29a058c5fd143c14e5ac528448a72ed9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/afd743f6dde87296c6f3414706964c491bb85862"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: KVM: VMX: Prevent RSB underflow before vmenter", "id": "2347926", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347926"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nKVM: VMX: Prevent RSB underflow before vmenter\nOn VMX, there are some balanced returns between the time the guest's\nSPEC_CTRL value is written, and the vmenter.\nBalanced returns (matched by a preceding call) are usually ok, but it's\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\nFor maximum paranoia, don't allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n[ bp: Fix 32-bit build. ]"], "name": "CVE-2022-49610", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49610\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49610\nhttps://lore.kernel.org/linux-cve-announce/2025022613-CVE-2022-49610-5628@gregkh/T"], "threat_severity": "Moderate"}

{"created": "2025-07-12T22:45:17.005024+00:00", "updated": "2025-07-12T22:45:17.005126+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}