CVE-2022-48862: vhost: fix hung thread due to erroneous iotlb entries
In the Linux kernel, the following vulnerability has been resolved:
vhost: fix hung thread due to erroneous iotlb entries
In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when
start is 0 and last is ULONG_MAX. One instance where it can happen
is when userspace sends an IOTLB message with iova=size=uaddr=0
(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0,
last = ULONG_MAX ends up in the iotlb. Next time a packet is sent,
iotlb_access_ok() loops indefinitely due to that erroneous entry.
Call Trace:
<TASK>
iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340
vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366
vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104
vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Reported by syzbot at:
https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87
To fix this, do two things:
1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map
a range with size 0.
2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX]
by splitting it into two entries.
Security readout for executives and security teams
Plain-English summary
CVE-2022-48862 is a Linux kernel vhost bug that can make a vhost worker thread hang. In affected virtualization-related configurations, a malformed userspace IOTLB mapping can create an invalid zero-size entry, causing an endless loop during later packet handling.
Executive priority
Treat this as a reliability risk for Linux virtualization infrastructure. It is not listed as actively exploited in the supplied data, but a kernel thread hang can still disrupt hosted workloads, so patch during the next controlled maintenance window for exposed systems.
Technical view
The flaw is in Linux vhost IOTLB handling. vhost_iotlb_add_range_ctx() can overflow a full address range into size 0 after vhost_process_iotlb_msg accepts an all-zero mapping request. iotlb_access_ok() can then loop indefinitely on that erroneous entry. The kernel fix rejects zero-size mappings and splits the full ULONG range.
Likely exposure
Exposure is most relevant to Linux systems using vhost components, including virtualization or vsock paths. The source lists Linux 5.7, 5.15.29, 5.16.15, and 5.17-era affected versions, but distro backport status must be checked with the vendor.
Exploitation context
The bundle provides a syzbot report and kernel fix references, but no KEV listing and no cited evidence of active exploitation. The impact described is denial of service through a hung kernel vhost thread, not data theft or privilege escalation.
Researcher notes
Evidence comes from the Linux kernel CVE text and stable commit references. The root cause is integer overflow to a zero-size IOTLB entry, followed by indefinite looping in access validation. CVSS, CWE, and exploit-in-the-wild evidence are not provided.
Mitigation direction
Update to a kernel containing the referenced stable vhost fixes.
Prioritize virtualization hosts and systems using vhost or vsock functionality.
Check distribution advisories for backported fixes before relying on version numbers alone.
If patching is delayed, reduce exposure of affected virtualization workloads where practical.
Validation and detection
Inventory Linux kernel builds on hosts running virtualization or vhost workloads.
Confirm vendor packages include the referenced stable commits or equivalent backports.
Review kernel changelogs for zero-size IOTLB rejection in vhost_chr_write_iter().
Check whether vhost/vsock functionality is enabled on candidate systems.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-48862 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.