CVE-2022-50226: crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak
For some sev ioctl interfaces, input may be passed that is less than or
equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP
firmware returns. In this case, kmalloc will allocate memory that is the
size of the input rather than the size of the data. Since PSP firmware
doesn't fully overwrite the buffer, the sev ioctl interfaces with the
issue may return uninitialized slab memory.
Currently, all of the ioctl interfaces in the ccp driver are safe, but
to prevent future problems, change all ioctl interfaces that allocate
memory with kmalloc to use kzalloc and memset the data buffer to zero
in sev_ioctl_do_platform_status.
Security readout for executives and security teams
Plain-English summary
This Linux kernel issue concerns AMD SEV-related ioctl handling in the ccp driver. Under certain size mismatches, a buffer could return uninitialized kernel slab memory. The source bundle does not provide CVSS, CWE, or confirmed exploitation evidence, so urgency should be based on kernel exposure and SEV usage.
Executive priority
Treat as a targeted kernel information-disclosure risk for AMD SEV-capable Linux environments. It should be remediated through routine kernel patching, with higher priority for virtualization hosts or confidential-computing infrastructure.
Technical view
The fix changes SEV ioctl allocations from kmalloc to kzalloc and explicitly zeroes a platform-status data buffer. The described risk is disclosure of uninitialized slab memory when PSP firmware returns less data than the allocated input-sized buffer. The record notes current ccp ioctl interfaces were considered safe, making this partly preventive.
Likely exposure
Exposure is most relevant to Linux systems with the AMD ccp driver and SEV/PSP firmware ioctl paths in use. The bundle identifies Linux kernel versions and stable commits, but distribution backport status must be checked through each OS vendor.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of active exploitation, public exploit use, or weaponized tooling. The issue is an information disclosure class bug, not described as remote code execution or privilege escalation in the provided sources.
Researcher notes
The strongest source detail is the upstream fix rationale: zero allocations and platform-status buffers to prevent uninitialized slab memory returns. The record lacks CVSS, CWE, exploitability analysis, and distribution-specific affected package data, limiting precision.
Mitigation direction
Apply vendor kernel updates that include the referenced Linux stable fixes.
Map distribution kernel packages to the listed upstream stable commits.
Review access to SEV management interfaces on virtualization hosts.
Prioritize systems using AMD SEV or PSP-backed kernel functionality.
Monitor Linux and distribution advisories for corrected package versions.
Validation and detection
Inventory Linux kernel versions across affected server fleets.
Identify hosts loading or using the AMD ccp driver.
Confirm whether AMD SEV or PSP firmware features are enabled.
Verify patched kernels include one relevant referenced stable commit.
Check vendor advisories for backported fixes with unchanged version numbers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2022-50226 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
6Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Jun 18, 2025, 11:03 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.