CVE-2022-0516

Q: What is the severity of CVE-2022-0516?

CVE-2022-0516 has a CVSS score of 7.8 (HIGH). A local privilege escalation vulnerability in the KVM subsystem for s390 architecture in Linux kernel allows a local attacker with normal user privileges to gain unauthorized memory write access. This affects Linux kernel versions prior to 5.17-rc4. The flaw is in the kvm_s390_guest_sida_op function in arch/s390/kvm/kvm-s390.c.

7.8 HIGH

📋 TL;DR

A local privilege escalation vulnerability in the KVM subsystem for s390 architecture in Linux kernel allows a local attacker with normal user privileges to gain unauthorized memory write access. This affects Linux kernel versions prior to 5.17-rc4. The flaw is in the kvm_s390_guest_sida_op function in arch/s390/kvm/kvm-s390.c.

💻 Affected Systems

Products:

Linux kernel with KVM support for s390 architecture

Versions: Linux kernel versions prior to 5.17-rc4

Operating Systems: Linux distributions running affected kernel versions on s390/s390x architecture

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using KVM virtualization on IBM s390/s390x architecture. x86/ARM systems are not affected.

📦 What is this software?

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions →

Enterprise Linux Server Tus by Redhat

View all CVEs affecting Enterprise Linux Server Tus →

Enterprise Linux Server Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

H300e Firmware by Netapp

View all CVEs affecting H300e Firmware →

H300s Firmware by Netapp

View all CVEs affecting H300s Firmware →

H410c Firmware by Netapp

View all CVEs affecting H410c Firmware →

H410s Firmware by Netapp

View all CVEs affecting H410s Firmware →

H500e Firmware by Netapp

View all CVEs affecting H500e Firmware →

H500s Firmware by Netapp

View all CVEs affecting H500s Firmware →

H700e Firmware by Netapp

View all CVEs affecting H700e Firmware →

H700s Firmware by Netapp

View all CVEs affecting H700s Firmware →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Virtualization Host by Redhat

View all CVEs affecting Virtualization Host →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains kernel-level privileges, leading to full system compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Local user escalates privileges to root, enabling unauthorized access to sensitive data and system resources.

🟢

If Mitigated

Impact limited to isolated environments with strict user privilege separation and no local untrusted users.

🌐 Internet-Facing: LOW (requires local access, not remotely exploitable)

🏢 Internal Only: HIGH (local users can exploit this to gain root privileges)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local user access and knowledge of s390 architecture. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.17-rc4 and later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09a93c1df3eafa43bcdfd7bf837c574911f12f55

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.17-rc4 or later. 2. For distributions: Apply vendor patches (Red Hat, Debian, etc.). 3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable KVM on s390

linux

Disable KVM virtualization support if not required on s390 systems

modprobe -r kvm
echo 'blacklist kvm' >> /etc/modprobe.d/blacklist.conf

Restrict user access

all

Limit local user accounts and implement strict privilege separation

🧯 If You Can't Patch

Implement strict access controls to limit local user accounts
Monitor for privilege escalation attempts and unusual kernel activity

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r. If version is earlier than 5.17-rc4 and system uses s390 architecture with KVM enabled, it's vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.17-rc4 or later: uname -r. Check that KVM module is loaded only if necessary.

📡 Detection & Monitoring

Log Indicators:

Failed privilege escalation attempts
Unusual kernel module activity
Suspicious access to /dev/kvm

Network Indicators:

None (local exploit only)

SIEM Query:

source="kernel" AND (event="privilege_escalation" OR module="kvm")

📊 Metadata

CVE ID: CVE-2022-0516

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-200

Published: March 10, 2022

Last Updated: November 21, 2024

🔗 References

https://bugzilla.redhat.com/show_bug.cgi?id=2050237 Issue Tracking,Patch,Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09a93c1df3eafa43bcdfd7bf837c574911f12f55 Mailing List,Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0009/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5092 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2050237 Issue Tracking,Patch,Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09a93c1df3eafa43bcdfd7bf837c574911f12f55 Mailing List,Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220331-0009/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5092 Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Codeready Linux Builder by Redhat

Debian Linux by Debian

Enterprise Linux by Redhat

Enterprise Linux Eus by Redhat

Enterprise Linux For Ibm Z Systems by Redhat

Enterprise Linux For Ibm Z Systems Eus by Redhat

Enterprise Linux For Power Little Endian by Redhat

Enterprise Linux For Power Little Endian Eus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

Enterprise Linux Server Tus by Redhat

Enterprise Linux Server Update Services For Sap Solutions by Redhat

Fedora by Fedoraproject

Fedora by Fedoraproject

H300e Firmware by Netapp

H300s Firmware by Netapp

H410c Firmware by Netapp

H410s Firmware by Netapp

H500e Firmware by Netapp

H500s Firmware by Netapp

H700e Firmware by Netapp

H700s Firmware by Netapp

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Virtualization Host by Redhat

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable KVM on s390

Restrict user access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities