CVE-2022-49568
Published: Feb 26, 2025
Modified: May 11, 2026
Description
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't null dereference ops->destroy A KVM device cleanup happens in either of two callbacks: 1) destroy() which is called when the VM is being destroyed; 2) release() which is called when a device fd is closed. Most KVM devices use 1) but Book3s's interrupt controller KVM devices (XICS, XIVE, XIVE-native) use 2) as they need to close and reopen during the machine execution. The error handling in kvm_ioctl_create_device() assumes destroy() is always defined which leads to NULL dereference as discovered by Syzkaller. This adds a checks for destroy!=NULL and adds a missing release(). This is not changing kvm_destroy_devices() as devices with defined release() should have been removed from the KVM devices list by then.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 852b6d57dc7fa378019786fa84727036e56839ea - < 170465715a60cbb7876e6b961b21bd3225469da8affected 852b6d57dc7fa378019786fa84727036e56839ea - < 3616776bc51cd3262bb1be60cc01c72e0a1959cfaffected 852b6d57dc7fa378019786fa84727036e56839ea - < e91665fbbf3ccb268b268a7d71a6513538d813acaffected 852b6d57dc7fa378019786fa84727036e56839ea - < d4a5a79b780891c5cbdfdc6124d46fdf8d13dba1affected 852b6d57dc7fa378019786fa84727036e56839ea - < e8bc2427018826e02add7b0ed0fc625a60390ae5 |
Linux | Linux | affected 3.10unaffected 0 - < 3.10unaffected 5.4.210 - <= 5.4.*unaffected 5.10.134 - <= 5.10.*unaffected 5.15.58 - <= 5.15.*+2 more versions |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now