CVE-2022-1651

7.1 HIGH

📋 TL;DR

A memory leak vulnerability in the Linux kernel's ACRN hypervisor device model allows local privileged attackers to leak kernel memory information, potentially leading to denial of service. This affects systems running Linux kernels with ACRN virtualization support enabled. Attackers need local access with sufficient privileges to exploit this flaw.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b
Operating Systems: Linux distributions with ACRN virtualization support
Default Config Vulnerable: ✅ No
Notes: Only affects systems with ACRN hypervisor and virtual NIC emulation enabled. Most standard Linux installations are not vulnerable by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Privileged attacker leaks sensitive kernel memory contents, potentially exposing credentials or cryptographic keys, and causes kernel memory exhaustion leading to system crash.

🟠 Likely Case

Local attacker with appropriate privileges causes memory exhaustion and system instability or denial of service through repeated exploitation.

🟢 If Mitigated

With proper access controls limiting local privilege escalation, impact is minimal as only authorized users can trigger the vulnerability.

🌐 Internet-Facing: LOW - Requires local access to the system, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers with sufficient privileges can exploit this, but requires specific ACRN virtualization configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and sufficient privileges to interact with ACRN device model interfaces. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kernel commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b and later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b.
2. Reboot system to load new kernel.
3. Verify ACRN virtualization is not required or disable if not needed.

🔧 Temporary Workarounds

Disable ACRN virtualization

Disable ACRN hypervisor support if not required for system functionality

modprobe -r acrn_hsm
echo 'blacklist acrn_hsm' >> /etc/modprobe.d/blacklist.conf

Restrict device access

Limit access to ACRN device interfaces to prevent exploitation

chmod 600 /dev/acrn_hsm
setfacl -m u:root:rw- /dev/acrn_hsm

🧯 If You Can't Patch

  • Disable ACRN virtualization module if not required for operations
  • Implement strict access controls to limit which users can interact with ACRN device interfaces

🔍 How to Verify

Check if Vulnerable:

Check if ACRN module is loaded: lsmod | grep acrn_hsm. If loaded, check kernel version against patched commit.

Check Version:

uname -r

Verify Fix Applied:

In the kernel source tree the running kernel was built from, verify that the history includes commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b: git log --format=%H | grep ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b
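
The module and device checks above can be combined into one exposure check. This is an added example, not part of the original advisory; the function names, the result strings and the path parameters (defaulting to /proc/modules and /dev/acrn_hsm) are assumptions of the example.

```shell
#!/bin/sh
# Added example: classify a host using the two things this advisory checks,
# whether acrn_hsm is loaded and who may open /dev/acrn_hsm.
# Paths are parameters (an assumption of this example) so the logic can be
# exercised against constructed files as well as the live system.

# acrn_module_loaded MODULES_FILE
# Exit 0 if acrn_hsm is listed. Mirrors "lsmod | grep acrn_hsm" but matches
# the module-name field exactly instead of any substring.
acrn_module_loaded() {
    awk '$1 == "acrn_hsm" { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# acrn_dev_restricted DEV_NODE
# Exit 0 if the node grants nothing to group or other (e.g. mode 600).
# Only the mode bits are read; POSIX ACL entries are not inspected.
acrn_dev_restricted() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # Prefix 0 so the shell reads the mode as octal, then mask group/other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# acrn_exposure [MODULES_FILE] [DEV_NODE]
# Prints one of: not-loaded, loaded-no-device, loaded-restricted, loaded-open
acrn_exposure() {
    modules=${1:-/proc/modules}
    dev=${2:-/dev/acrn_hsm}
    if ! acrn_module_loaded "$modules"; then
        echo "not-loaded"
    elif [ ! -e "$dev" ]; then
        echo "loaded-no-device"
    elif acrn_dev_restricted "$dev"; then
        echo "loaded-restricted"
    else
        # Module present and the node is reachable beyond its owner:
        # check the kernel against the fixed commit and tighten access.
        echo "loaded-open"
    fi
}
```

Source the file and run acrn_exposure with no arguments to check the live host. A result of loaded-open or loaded-restricted still requires confirming the kernel contains the fix commit.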

📡 Detection & Monitoring

Log Indicators:

  • Kernel oom-killer messages
  • ACRN device model error logs
  • Memory allocation failures in kernel logs

Network Indicators:

  • No network indicators - local vulnerability only

SIEM Query:

source="kernel" AND ("acrn" OR "oom-killer" OR "memory allocation failure")
