DEBIAN-CVE-2022-2196

Advisory lineage Upstream: 1 Downstream: 1

Upstream

CVE-2022-2196

Downstream

DLA-3404-1

Published: 09 Jan 2023, 11:15

Last modified:28 Apr 2026, 20:23

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Jan 2023, 11:15

Published

Vulnerability first disclosed

28 Apr 2026, 20:23

Last Modified

Vulnerability information updated

Description

A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks. L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Systems

debian•linux
< 5.10.178-1 | < 6.1.15-1 | < 6.1.15-1 | < 6.1.15-1

References (1)

https://security-tracker.debian.org/tracker/CVE-2022-2196