CVE-2022-49219
📋 TL;DR
A memory leak vulnerability in the Linux kernel's VFIO PCI driver allows attackers to cause denial of service through resource exhaustion. When PCI devices transition between power states (D3hot to D0) while using VFIO device reset operations, allocated memory isn't properly freed. This affects systems using VFIO for PCI device passthrough in virtualized environments.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Malicious users with VFIO device access can trigger repeated power state transitions and resets to exhaust kernel memory, causing system crashes or denial of service through OOM (Out of Memory) conditions.
Likely Case
Accidental triggering during normal operations could cause gradual memory exhaustion, leading to system instability or performance degradation over time.
If Mitigated
With proper access controls limiting VFIO device access to trusted users only, the impact is minimal as exploitation requires privileged access to VFIO device operations.
🎯 Exploit Status
Exploitation requires access to VFIO device IOCTLs (VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET) and ability to trigger power state transitions. Requires local access with appropriate device permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing commits: 26ddd196e9eb264da8e1bdc4df8a94d62581c8b5, 4319f17fb8264ba39352b611dfa913a4d8c1d1a0, c8a1f8bd586ee31020614b8d48b702ece3e2ae44, da426ad86027b849b877d4628b277ffbbd2f5325, eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991
Vendor Advisory: https://git.kernel.org/stable/c/26ddd196e9eb264da8e1bdc4df8a94d62581c8b5
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution vendor.
2. For custom kernels, apply the relevant commits from kernel.org.
3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Disable VFIO PCI device passthrough
If VFIO PCI device passthrough is not required, disable the feature to eliminate the vulnerability surface.
modprobe -r vfio_pci
modprobe -r vfio_pci_core
echo 'blacklist vfio_pci' >> /etc/modprobe.d/blacklist.conf
echo 'blacklist vfio_pci_core' >> /etc/modprobe.d/blacklist.conf
Restrict VFIO device access
Limit VFIO device access to only trusted users and applications through proper permission controls.
chmod 600 /dev/vfio/*
setfacl -m u:trusteduser:rw /dev/vfio/*
🧯 If You Can't Patch
- Restrict VFIO device access to minimal necessary users only using file permissions and access controls.
- Monitor system memory usage and kernel logs for signs of memory exhaustion or OOM events related to VFIO operations.
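The access-restriction workaround and the module check can be audited together. The script below is an added example, not part of the original advisory: it lists loaded vfio modules and any /dev/vfio node whose mode is looser than 600. The function names and the optional file and directory arguments are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: audits the two workarounds (module loaded? node modes?).
# File and directory arguments are assumptions of this sketch so it can be
# pointed at fixtures; the defaults are the real kernel interfaces.

# Print loaded modules whose name starts with "vfio".
# Input is in /proc/modules format: the module name is the first field.
vfio_modules() {
    modules_file=${1:-/proc/modules}
    [ -r "$modules_file" ] || return 0
    awk '$1 ~ /^vfio/ { print $1 }' "$modules_file"
}

# Print "<mode> <owner>:<group> <path>" for each node whose mode grants any
# group/other access, i.e. anything looser than the 600 set by the workaround.
# Once setfacl adds an ACL entry, the group bits show the ACL mask, so that
# node is listed here too and should be reviewed with getfacl.
loose_vfio_nodes() {
    vfio_dir=${1:-/dev/vfio}
    [ -d "$vfio_dir" ] || return 0
    for node in "$vfio_dir"/*; do
        [ -e "$node" ] || continue
        mode=$(stat -c '%a' "$node") || continue
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$(stat -c '%U:%G' "$node")" "$node"
        fi
    done
}

# Report both findings; return 1 when any node needs attention.
vfio_audit() {
    mods=$(vfio_modules "${1:-/proc/modules}")
    loose=$(loose_vfio_nodes "${2:-/dev/vfio}")
    echo "vfio modules loaded: ${mods:-none}"
    if [ -n "$loose" ]; then
        echo "nodes accessible beyond owner:"
        echo "$loose"
        return 1
    fi
    echo "no VFIO node is accessible beyond its owner"
}

vfio_audit || true
```

Run it as root after applying the workaround; a non-empty node list means a node is still reachable by accounts other than its owner, or carries an ACL that needs review.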
🔍 How to Verify
Check if Vulnerable:
Check kernel version and if VFIO modules are loaded: uname -r && lsmod | grep vfio
Check Version:
uname -r
Verify Fix Applied:
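Verify that the kernel version is patched and search the package manager logs for the CVE identifier (these logs record package installs and upgrades, so the absence of a match does not by itself mean the fix is missing): uname -r && zgrep -i 'CVE-2022-49219' /var/log/dpkg.log* /var/log/yum.log* /var/log/apt/history.log*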
📡 Detection & Monitoring
Log Indicators:
- Kernel OOM (Out of Memory) messages in /var/log/kern.log or dmesg
- Rapid memory consumption by kernel processes
- Repeated VFIO device reset operations in system logs
Network Indicators:
- No network indicators - this is a local memory leak vulnerability
SIEM Query:
source="kernel" AND ("out of memory" OR "OOM" OR "vfio" OR "memory leak")
🔗 References
- https://git.kernel.org/stable/c/26ddd196e9eb264da8e1bdc4df8a94d62581c8b5
- https://git.kernel.org/stable/c/4319f17fb8264ba39352b611dfa913a4d8c1d1a0
- https://git.kernel.org/stable/c/c8a1f8bd586ee31020614b8d48b702ece3e2ae44
- https://git.kernel.org/stable/c/da426ad86027b849b877d4628b277ffbbd2f5325
- https://git.kernel.org/stable/c/eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html