CVE-2022-2196
linux-5.10 - security update
8.8
HIGH
CVSS 3.1
EPSS 0.03%
Description
A regression exists in the Linux kernel's KVM nested VMX (nVMX) support that re-enables speculative execution attacks between nested guests. Because KVM (L0) advertises eIBRS support to the L1 guest, L1 assumes it does not need retpolines or an IBPB after running L2; an L2 guest can therefore mount a Spectre v2 (branch target injection) attack against L1. An attacker with code execution in L2 can steer an indirect branch in L1, the host that runs it, to speculatively execute attacker-chosen gadgets. Upgrade to kernel 6.2, or to a kernel that includes commit 2e7eab81425a, which has KVM issue an IBPB on the emulated VM-exit from L2 to L1 when L1 has IBRS enabled.
How to fix CVE-2022-2196
To remediate CVE-2022-2196, upgrade the linux-5.10 package to one of the fixed versions below. Two builds are listed because the package ships in two suites; the ~deb10u1 suffix marks the Debian 10 (buster) security backport.
- upgrade to 5.10.178-1 or later
- upgrade to 5.10.178-3~deb10u1 or later
Is CVE-2022-2196 being exploited?
Low. EPSS is 0.03%, a very low predicted probability of exploitation in the wild over the next 30 days. EPSS is a prediction rather than a record of attacks, but the score is consistent with exploitation not having been observed at scale.
Affected packages (2)
- from 0, < 5.10.178-1
- from 0, < 5.10.178-3~deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |