CVE-2022-26361

7.8 HIGH

📋 TL;DR

This vulnerability affects systems using Intel VT-d or AMD-Vi IOMMU technologies where PCI devices are assigned Reserved Memory Regions (reported via RMRR on Intel VT-d) or Unity Mapping ranges (on AMD-Vi). If these mappings become inaccessible to a device after it is active, subsequent DMA operations or interrupts can cause unpredictable behavior ranging from IOMMU faults to memory corruption. This primarily affects virtualization platforms like Xen and Linux systems with specific hardware configurations.

💻 Affected Systems

Products:
  • Xen Hypervisor
  • Linux kernel with IOMMU support
Versions: Xen versions without the XSA-400 patch; Linux kernel versions predating the 2022 fixes
Operating Systems: Linux distributions using affected kernel versions, Xen-based virtualization systems
Default Config Vulnerable: ✅ No
Notes: Only affects systems with Intel VT-d or AMD-Vi IOMMU enabled and PCI devices using RMRR/Unity Mapping (typically legacy USB emulation devices).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Memory corruption leading to system crashes, data loss, or potential privilege escalation through DMA attacks.

🟠 Likely Case

System instability, IOMMU faults causing device failures, or system crashes requiring reboots.

🟢 If Mitigated

Limited to specific hardware configurations with RMRR/Unity Mapping devices; proper patching prevents exploitation.

🌐 Internet-Facing: LOW - Requires local access to affected hardware and specific device configurations.
🏢 Internal Only: MEDIUM - Affects virtualization hosts and systems with specific PCI devices; requires local access or compromised guest VM.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific hardware configuration and understanding of IOMMU/RMRR mechanisms. No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Xen XSA-400 patch; Linux kernel patches from 2022

Vendor Advisory: http://xenbits.xen.org/xsa/advisory-400.html

Restart Required: Yes

Instructions:

1. Update Xen to a version with the XSA-400 patch.
2. Update the Linux kernel to a version with the IOMMU fixes from 2022.
3. Reboot the system after patching.

🔧 Temporary Workarounds

Disable affected IOMMU features (platform: all)

Disable Intel VT-d or AMD-Vi IOMMU in BIOS/UEFI settings if not required

Remove RMRR/Unity Mapping devices (platform: linux)

Identify and remove PCI devices using RMRR/Unity Mapping features. These regions are reported in the kernel boot log, not in lspci output:

dmesg | grep -i rmrr
dmesg | grep -i unity

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and users
  • Monitor for IOMMU fault messages in system logs and investigate any anomalies

🔍 How to Verify

Check if Vulnerable:

Check Xen version for XSA-400 patch or Linux kernel version for 2022 IOMMU fixes

Check Version:

xl info | grep xen_version (Xen) or uname -r (Linux)

Verify Fix Applied:

Verify Xen version includes XSA-400 or kernel includes IOMMU fixes; check dmesg for IOMMU-related errors

📡 Detection & Monitoring

Log Indicators:

  • IOMMU fault messages in dmesg/kernel logs
  • System crashes related to DMA operations
  • PCI device errors

Network Indicators:

  • None - local hardware vulnerability

SIEM Query:

Search for 'IOMMU fault', 'RMRR error', or 'DMA failure' in system logs
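
The log monitoring described above, as an added example (not part of the original advisory and not Xen or Linux project code): a Python parser that pulls IOMMU fault lines out of dmesg or xl dmesg output and counts them per PCI device. The patterns are assumptions modelled on the fault messages of the Linux DMAR and AMD-Vi drivers and Xen's VT-d code, and the sample lines are constructed.

```python
import re
from collections import Counter

# Fault-line shapes modelled on the Linux intel-iommu (DMAR) and amd_iommu
# (AMD-Vi) drivers and on Xen's VT-d messages. Wording differs between
# versions, so treat these patterns as a baseline (assumption).
PATTERNS = [
    ("vt-d", re.compile(
        r"DMAR:\s*\[(?P<op>DMA (?:Read|Write)[^\]]*)\]\s*Request device "
        r"\[(?P<dev>[0-9a-fA-F:.]+)\].*?fault addr (?:0x)?(?P<addr>[0-9a-fA-F]+)")),
    ("amd-vi", re.compile(
        r"AMD-Vi: Event logged \[(?P<op>IO_PAGE_FAULT)\b"
        r"(?=[^\]]*\bdevice=(?P<dev>[0-9a-fA-F:.]+))"
        r"(?=[^\]]*\baddress=(?:0x)?(?P<addr>[0-9a-fA-F]+))")),
]

def normalize_bdf(dev):
    """Return the device as domain:bus:dev.fn so both log styles compare equal."""
    return dev.lower() if dev.count(":") == 2 else "0000:" + dev.lower()

def find_iommu_faults(lines):
    """Yield one dict per IOMMU fault line (IOMMU type, device, operation, address)."""
    for line in lines:
        for iommu, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                yield {"iommu": iommu, "device": normalize_bdf(m["dev"]),
                       "op": m["op"], "addr": int(m["addr"], 16)}
                break

def faults_by_device(lines):
    """Count faults per PCI device; repeated faults from one device merit a look."""
    return Counter(f["device"] for f in find_iommu_faults(lines))

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "[   12.301] DMAR: DRHD: handling fault status reg 2",
    "[   12.301] DMAR: [DMA Read] Request device [00:1d.0] fault addr 0xbf7e0000 [fault reason 0x06] PTE Read access is not set",
    "[   12.402] DMAR: [DMA Write] Request device [00:1d.0] fault addr 0xbf7e1000 [fault reason 0x05] PTE Write access is not set",
    "(XEN) [VT-D]DMAR:[DMA Write] Request device [0000:00:1d.0] fault addr bf7e2000, iommu reg = ffff82c000201000",
    "[   40.118] AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x000f device=00:14.0 address=0xfffffff0 flags=0x0010]",
    "[   41.000] usb 1-1: new high-speed USB device number 2 using ehci-pci",
]

if __name__ == "__main__":
    for device, count in faults_by_device(SAMPLE_LOG).most_common():
        print(f"{device}: {count} IOMMU fault(s)")
```

On a host, feed it the lines of dmesg (or xl dmesg under Xen) instead of SAMPLE_LOG and compare the reported devices against those listed with RMRR or unity-mapped regions.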
