LiveActive security incident?Get immediate response
CVE Record

CVE-2022-48943: KVM: x86/mmu: make apf token non-zero to fix bug

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: make apf token non-zero to fix bug In current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This function test token value of struct kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a READY event is finished by Guest. If value is zero meaning that a READY event is done, so the KVM can deliver another. But the kvm_arch_setup_async_pf() may produce a valid token with zero value, which is confused with previous mention and may lead the loss of this READY event. This bug may cause task blocked forever in Guest: INFO: task stress:7532 blocked for more than 1254 seconds. Not tainted 5.10.0 #16 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:stress state:D stack: 0 pid: 7532 ppid: 1409 flags:0x00000080 Call Trace: __schedule+0x1e7/0x650 schedule+0x46/0xb0 kvm_async_pf_task_wait_schedule+0xad/0xe0 ? exit_to_user_mode_prepare+0x60/0x70 __kvm_handle_async_pf+0x4f/0xb0 ? asm_exc_page_fault+0x8/0x30 exc_page_fault+0x6f/0x110 ? asm_exc_page_fault+0x8/0x30 asm_exc_page_fault+0x1e/0x30 RIP: 0033:0x402d00 RSP: 002b:00007ffd31912500 EFLAGS: 00010206 RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0 RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0 RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086 R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000 R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This Linux kernel KVM flaw can make a virtual machine lose an async page-fault completion signal. The observed result is a guest task stuck indefinitely, creating an availability risk for workloads running on affected KVM hosts. The sources do not show data theft, code execution, privilege escalation, or active exploitation.

Executive priority

Treat this as a planned but real availability fix for KVM infrastructure. Escalate priority where customer-facing or business-critical VMs run on affected kernels, especially if unexplained guest hangs have occurred. There is no provided evidence of active exploitation or confidentiality impact.

Technical view

In KVM x86/mmu async page-fault handling, kvm_arch_setup_async_pf() could generate token value zero. KVM also treats zero in struct kvm_vcpu_pv_apf_data as the guest-finished marker, so a READY event can be skipped. The kernel fix makes APF tokens non-zero.

Likely exposure

Exposure is most likely on Linux systems using KVM x86 virtualization with affected Linux kernel versions or branches. The provided data names Linux 5.8 through pre-fixed stable releases including 5.10.103, 5.15.26, 5.16.12, and 5.17 context, but version range evidence is limited.

Exploitation context

No CISA KEV listing is provided and the source bundle does not cite active exploitation. The described impact is guest-side task hangs under async page-fault conditions, shown by a blocked stress process stack trace. Practical triggerability is not fully documented in the provided sources.

Researcher notes

The key condition is token value collision: zero can mean both a valid APF token and completed READY handling. The fix direction is narrow: ensure APF tokens are non-zero. The provided record lacks CVSS, CWE, detailed attacker model, and distribution-specific package status.

Mitigation direction

  • Update affected Linux KVM hosts to vendor kernels containing the referenced stable fixes.
  • Prioritize hosts running critical or latency-sensitive virtualized workloads.
  • Check distribution advisories for the exact fixed kernel package for each platform.
  • Use normal change control and staging for hypervisor kernel updates.
  • Monitor guest hangs while patch rollout is pending.

Validation and detection

  • Inventory Linux KVM x86 hosts and record running kernel versions.
  • Confirm whether deployed kernels include one of the referenced stable commits.
  • Review guest logs for blocked tasks involving kvm_async_pf_task_wait_schedule.
  • Check virtualization hosts for recurring guest availability incidents.
  • Validate patched hosts in staging with representative VM workloads.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-48943 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux2635b5c4a0e407b84f68e188c719f28ba0e9ae1b, 2635b5c4a0e407b84f68e188c719f28ba0e9ae1b, 2635b5c4a0e407b84f68e188c719f28ba0e9ae1b, 2635b5c4a0e407b84f68e188c719f28ba0e9ae1bunaffected
LinuxLinux5.8, 0, 5.10.103, 5.15.26, 5.16.12, 5.17affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.