LiveActive security incident?Get immediate response
CVE Record

CVE-2022-50224: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT Treat the NX bit as valid when using NPT, as KVM will set the NX bit when the NX huge page mitigation is enabled (mindblowing) and trigger the WARN that fires on reserved SPTE bits being set. KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM: Refuse to load kvm_amd if NX support is not available") for exactly this reason, but apparently it never occurred to anyone to actually test NPT with the mitigation enabled. ------------[ cut here ]------------ spte = 0x800000018a600ee7, level = 2, rsvd bits = 0x800f0000001fe000 WARNING: CPU: 152 PID: 15966 at arch/x86/kvm/mmu/spte.c:215 make_spte+0x327/0x340 [kvm] Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 10.48.0 01/27/2022 RIP: 0010:make_spte+0x327/0x340 [kvm] Call Trace: <TASK> tdp_mmu_map_handle_target_level+0xc3/0x230 [kvm] kvm_tdp_mmu_map+0x343/0x3b0 [kvm] direct_page_fault+0x1ae/0x2a0 [kvm] kvm_tdp_page_fault+0x7d/0x90 [kvm] kvm_mmu_page_fault+0xfb/0x2e0 [kvm] npf_interception+0x55/0x90 [kvm_amd] svm_invoke_exit_handler+0x31/0xf0 [kvm_amd] svm_handle_exit+0xf6/0x1d0 [kvm_amd] vcpu_enter_guest+0xb6d/0xee0 [kvm] ? kvm_pmu_trigger_event+0x6d/0x230 [kvm] vcpu_run+0x65/0x2c0 [kvm] kvm_arch_vcpu_ioctl_run+0x355/0x610 [kvm] kvm_vcpu_ioctl+0x551/0x610 [kvm] __se_sys_ioctl+0x77/0xc0 __x64_sys_ioctl+0x1d/0x20 do_syscall_64+0x44/0xa0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 </TASK> ---[ end trace 0000000000000000 ]---

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This is a Linux KVM virtualization bug on x86 AMD systems using nested page tables. A kernel warning can be triggered when KVM sets the NX bit as part of the NX huge page mitigation. The source describes a resolved kernel defect, not confirmed data theft or guest escape.

Executive priority

Treat as a targeted virtualization reliability issue, not a broad internet-facing emergency. Prioritize patching shared virtualization hosts because guest workloads may trigger host kernel warnings and possible disruption depending on local panic or monitoring policy.

Technical view

KVM x86/mmu incorrectly treated the NX bit as a reserved SPTE bit for NPT. With NX huge page mitigation enabled, KVM may set NX in a shadow page table entry and hit a WARN in make_spte during nested page fault handling on kvm_amd.

Likely exposure

Exposure is most relevant to Linux hosts running KVM on AMD SVM/NPT with NX support and NX huge page mitigation enabled. The CVE source lists Linux as affected across kernel version entries including 5.4, 5.19.2, and 6.0; downstream package status needs vendor confirmation.

Exploitation context

The provided sources do not show active exploitation, public exploit tooling, or KEV listing. The evidence shows a kernel WARN path reached during KVM guest execution. Business impact is most plausibly virtualization host instability or service disruption, especially where warnings are treated as fatal.

Researcher notes

The record is narrow and implementation-specific. It documents a reserved-SPTE validation bug around NX handling for NPT. No CVSS, CWE, exploit status, or detailed fixed release matrix is provided in the source bundle, so downstream kernel advisory review is required.

Mitigation direction

  • Apply Linux kernel updates that include the referenced stable fixes.
  • Check your distribution vendor advisory for exact fixed package versions.
  • Prioritize KVM virtualization hosts using AMD SVM/NPT.
  • Avoid changing NX mitigations without vendor-approved guidance.

Validation and detection

  • Inventory Linux KVM hosts and identify AMD SVM/NPT usage.
  • Check running kernel versions against vendor fixed-version guidance.
  • Review kernel logs for make_spte WARN traces involving kvm or kvm_amd.
  • Confirm updated kernels include the referenced stable commits.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2022-50224 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
3Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxb8e8c8303ff28c61046a4d0f6ea99aea609a7dc0, b8e8c8303ff28c61046a4d0f6ea99aea609a7dc0, a7ad7943b84fae87f5be18f05025c51ae103f732, bb16a6ba5d1ed79b40caea8d924e237f63205b7c, 5219505fcbb640e273a0d51c19c38de0100ec5a9, 78ffa84f00ff6b19f00c0e6dfe1870aba0db4025unaffected
LinuxLinux5.4, 0, 5.19.2, 6.0affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.