CVE-2022-50224: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
In the Linux kernel, the following vulnerability has been resolved:
KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
Treat the NX bit as valid when using NPT, as KVM will set the NX bit when
the NX huge page mitigation is enabled (mindblowing) and trigger the WARN
that fires on reserved SPTE bits being set.
KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM:
Refuse to load kvm_amd if NX support is not available") for exactly this
reason, but apparently it never occurred to anyone to actually test NPT
with the mitigation enabled.
------------[ cut here ]------------
spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000
WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm]
Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022
RIP: 0010:make_spte+0x327/0x340 [kvm]
Call Trace:
<TASK>
tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm]
kvm_tdp_mmu_map+0x343/0x3b0 [kvm]
direct_page_fault+0x1ae/0x2a0 [kvm]
kvm_tdp_page_fault+0x7d/0x90 [kvm]
kvm_mmu_page_fault+0xfb/0x2e0 [kvm]
npf_interception+0x55/0x90 [kvm_amd]
svm_invoke_exit_handler+0x31/0xf0 [kvm_amd]
svm_handle_exit+0xf6/0x1d0 [kvm_amd]
vcpu_enter_guest+0xb6d/0xee0 [kvm]
? kvm_pmu_trigger_event+0x6d/0x230 [kvm]
vcpu_run+0x65/0x2c0 [kvm]
kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm]
kvm_vcpu_ioctl+0x551/0x610 [kvm]
__se_sys_ioctl+0x77/0xc0
__x64_sys_ioctl+0x1d/0x20
do_syscall_64+0x44/0xa0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
---[ end trace 0000000000000000 ]---
Security readout for executives and security teams
Plain-English summary
This is a Linux KVM virtualization bug on x86 AMD systems using nested page tables. A kernel warning can be triggered when KVM sets the NX bit as part of the NX huge page mitigation. The source describes a resolved kernel defect, not confirmed data theft or guest escape.
Executive priority
Treat as a targeted virtualization reliability issue, not a broad internet-facing emergency. Prioritize patching shared virtualization hosts because guest workloads may trigger host kernel warnings and possible disruption depending on local panic or monitoring policy.
Technical view
KVM x86/mmu incorrectly treated the NX bit as a reserved SPTE bit for NPT. With NX huge page mitigation enabled, KVM may set NX in a shadow page table entry and hit a WARN in make_spte during nested page fault handling on kvm_amd.
Likely exposure
Exposure is most relevant to Linux hosts running KVM on AMD SVM/NPT with NX support and NX huge page mitigation enabled. The CVE source lists Linux as affected across kernel version entries including 5.4, 5.19.2, and 6.0; downstream package status needs vendor confirmation.
Exploitation context
The provided sources do not show active exploitation, public exploit tooling, or KEV listing. The evidence shows a kernel WARN path reached during KVM guest execution. Business impact is most plausibly virtualization host instability or service disruption, especially where warnings are treated as fatal.
Researcher notes
The record is narrow and implementation-specific. It documents a reserved-SPTE validation bug around NX handling for NPT. No CVSS, CWE, exploit status, or detailed fixed release matrix is provided in the source bundle, so downstream kernel advisory review is required.
Mitigation direction
Apply Linux kernel updates that include the referenced stable fixes.
Check your distribution vendor advisory for exact fixed package versions.
Prioritize KVM virtualization hosts using AMD SVM/NPT.
Avoid changing NX mitigations without vendor-approved guidance.
Validation and detection
Inventory Linux KVM hosts and identify AMD SVM/NPT usage.
Check running kernel versions against vendor fixed-version guidance.
Review kernel logs for make_spte WARN traces involving kvm or kvm_amd.
Confirm updated kernels include the referenced stable commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50224 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.