ghsa-v5qc-r96v-5v88
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
KVM: Unconditionally get a ref to /dev/kvm module when creating a VM
Unconditionally get a reference to the /dev/kvm module when creating a VM instead of using try_get_module(), which will fail if the module is in the process of being forcefully unloaded. The error handling when try_get_module() fails doesn't properly unwind all that has been done, e.g. doesn't call kvm_arch_pre_destroy_vm() and doesn't remove the VM from the global list. Not removing VMs from the global list tends to be fatal, e.g. leads to use-after-free explosions.
The obvious alternative would be to add proper unwinding, but the justification for using try_get_module(), "rmmod --wait", is completely bogus as support for "rmmod --wait", i.e. delete_module() without O_NONBLOCK, was removed by commit 3f2b9c9cdf38 ("module: remove rmmod --wait option.") nearly a decade ago.
It's still possible for try_get_module() to fail due to the module dying (more like being killed), as the module will be tagged MODULE_STATE_GOING by "rmmod --force", i.e. delete_module(..., O_TRUNC), but playing nice with forced unloading is an exercise in futility and gives a falsea sense of security. Using try_get_module() only prevents acquiring new references, it doesn't magically put the references held by other VMs, and forced unloading doesn't wait, i.e. "rmmod --force" on KVM is all but guaranteed to cause spectacular fireworks; the window where KVM will fail try_get_module() is tiny compared to the window where KVM is building and running the VM with an elevated module refcount.
Addressing KVM's inability to play nice with "rmmod --force" is firmly out-of-scope. Forcefully unloading any module taints kernel (for obvious reasons) and requires the kernel to be built with CONFIG_MODULE_FORCE_UNLOAD=y, which is off by default and comes with the amusing disclaimer that it's "mainly for kernel developers and desperate users". In other words, KVM is free to scoff at bug reports due to using "rmmod --force" while VMs may be running.
{
"affected": [],
"aliases": [
"CVE-2022-50081"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:37Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Unconditionally get a ref to /dev/kvm module when creating a VM\n\nUnconditionally get a reference to the /dev/kvm module when creating a VM\ninstead of using try_get_module(), which will fail if the module is in\nthe process of being forcefully unloaded. The error handling when\ntry_get_module() fails doesn\u0027t properly unwind all that has been done,\ne.g. doesn\u0027t call kvm_arch_pre_destroy_vm() and doesn\u0027t remove the VM\nfrom the global list. Not removing VMs from the global list tends to be\nfatal, e.g. leads to use-after-free explosions.\n\nThe obvious alternative would be to add proper unwinding, but the\njustification for using try_get_module(), \"rmmod --wait\", is completely\nbogus as support for \"rmmod --wait\", i.e. delete_module() without\nO_NONBLOCK, was removed by commit 3f2b9c9cdf38 (\"module: remove rmmod\n--wait option.\") nearly a decade ago.\n\nIt\u0027s still possible for try_get_module() to fail due to the module dying\n(more like being killed), as the module will be tagged MODULE_STATE_GOING\nby \"rmmod --force\", i.e. delete_module(..., O_TRUNC), but playing nice\nwith forced unloading is an exercise in futility and gives a falsea sense\nof security. Using try_get_module() only prevents acquiring _new_\nreferences, it doesn\u0027t magically put the references held by other VMs,\nand forced unloading doesn\u0027t wait, i.e. \"rmmod --force\" on KVM is all but\nguaranteed to cause spectacular fireworks; the window where KVM will fail\ntry_get_module() is tiny compared to the window where KVM is building and\nrunning the VM with an elevated module refcount.\n\nAddressing KVM\u0027s inability to play nice with \"rmmod --force\" is firmly\nout-of-scope. Forcefully unloading any module taints kernel (for obvious\nreasons) _and_ requires the kernel to be built with\nCONFIG_MODULE_FORCE_UNLOAD=y, which is off by default and comes with the\namusing disclaimer that it\u0027s \"mainly for kernel developers and desperate\nusers\". In other words, KVM is free to scoff at bug reports due to using\n\"rmmod --force\" while VMs may be running.",
"id": "GHSA-v5qc-r96v-5v88",
"modified": "2025-06-18T12:30:47Z",
"published": "2025-06-18T12:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50081"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/177bf354200962c6f0de6dd37c86a9bf3b54003a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/405294f29faee5de8c10cb9d4a90e229c2835279"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/865e08b77c244eed0b80439320e7e8440f61ebce"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.