A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD CPU that supports Secure Encrypted Virtualization (SEV).
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2038940 | patch third party advisory issue tracking |
| https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=683412ccf61294d727ead4a73d97397396e69a6b | patch vendor advisory mailing list |
| https://access.redhat.com/security/cve/CVE-2022-0171 | third party advisory |
| https://www.debian.org/security/2022/dsa-5257 | third party advisory vendor advisory |
| https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html | third party advisory mailing list |