CVE-2022-48943: KVM: x86/mmu: make apf token non-zero to fix bug
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: make apf token non-zero to fix bug
In current async pagefault logic, when a page is ready, KVM relies on
kvm_arch_can_dequeue_async_page_present() to determine whether to deliver
a READY event to the Guest. This function test token value of struct
kvm_vcpu_pv_apf_data, which must be reset to zero by Guest kernel when a
READY event is finished by Guest. If value is zero meaning that a READY
event is done, so the KVM can deliver another.
But the kvm_arch_setup_async_pf() may produce a valid token with zero
value, which is confused with previous mention and may lead the loss of
this READY event.
This bug may cause task blocked forever in Guest:
INFO: task stress:7532 blocked for more than 1254 seconds.
Not tainted 5.10.0 #16
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:stress state:D stack: 0 pid: 7532 ppid: 1409
flags:0x00000080
Call Trace:
__schedule+0x1e7/0x650
schedule+0x46/0xb0
kvm_async_pf_task_wait_schedule+0xad/0xe0
? exit_to_user_mode_prepare+0x60/0x70
__kvm_handle_async_pf+0x4f/0xb0
? asm_exc_page_fault+0x8/0x30
exc_page_fault+0x6f/0x110
? asm_exc_page_fault+0x8/0x30
asm_exc_page_fault+0x1e/0x30
RIP: 0033:0x402d00
RSP: 002b:00007ffd31912500 EFLAGS: 00010206
RAX: 0000000000071000 RBX: ffffffffffffffff RCX: 00000000021a32b0
RDX: 000000000007d011 RSI: 000000000007d000 RDI: 00000000021262b0
RBP: 00000000021262b0 R08: 0000000000000003 R09: 0000000000000086
R10: 00000000000000eb R11: 00007fefbdf2baa0 R12: 0000000000000000
R13: 0000000000000002 R14: 000000000007d000 R15: 0000000000001000
Security readout for executives and security teams
Plain-English summary
This Linux kernel KVM flaw can make a virtual machine lose an async page-fault completion signal. The observed result is a guest task stuck indefinitely, creating an availability risk for workloads running on affected KVM hosts. The sources do not show data theft, code execution, privilege escalation, or active exploitation.
Executive priority
Treat this as a planned but real availability fix for KVM infrastructure. Escalate priority where customer-facing or business-critical VMs run on affected kernels, especially if unexplained guest hangs have occurred. There is no provided evidence of active exploitation or confidentiality impact.
Technical view
In KVM x86/mmu async page-fault handling, kvm_arch_setup_async_pf() could generate token value zero. KVM also treats zero in struct kvm_vcpu_pv_apf_data as the guest-finished marker, so a READY event can be skipped. The kernel fix makes APF tokens non-zero.
Likely exposure
Exposure is most likely on Linux systems using KVM x86 virtualization with affected Linux kernel versions or branches. The provided data names Linux 5.8 through pre-fixed stable releases including 5.10.103, 5.15.26, 5.16.12, and 5.17 context, but version range evidence is limited.
Exploitation context
No CISA KEV listing is provided and the source bundle does not cite active exploitation. The described impact is guest-side task hangs under async page-fault conditions, shown by a blocked stress process stack trace. Practical triggerability is not fully documented in the provided sources.
Researcher notes
The key condition is token value collision: zero can mean both a valid APF token and completed READY handling. The fix direction is narrow: ensure APF tokens are non-zero. The provided record lacks CVSS, CWE, detailed attacker model, and distribution-specific package status.
Mitigation direction
Update affected Linux KVM hosts to vendor kernels containing the referenced stable fixes.
Prioritize hosts running critical or latency-sensitive virtualized workloads.
Check distribution advisories for the exact fixed kernel package for each platform.
Use normal change control and staging for hypervisor kernel updates.
Monitor guest hangs while patch rollout is pending.
Validation and detection
Inventory Linux KVM x86 hosts and record running kernel versions.
Confirm whether deployed kernels include one of the referenced stable commits.
Review guest logs for blocked tasks involving kvm_async_pf_task_wait_schedule.
Check virtualization hosts for recurring guest availability incidents.
Validate patched hosts in staging with representative VM workloads.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Credential and access behavior lookup
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.