CVE CyberSecurity Database News

CVE-2022-2196 - Speculative Execution Vulnerability in Linux Kernel KVM nVMX (How L2 Can Attack L1 Using Spectre v2)

Poster -

*Published June 2024 — By Security Analyst*

Overview

CVE-2022-2196 is a critical vulnerability impacting the Linux Kernel's virtualization module (KVM), specifically in nested VMX (nVMX aka “nested virtualization”). This issue allows malicious code running inside a second-level guest (L2) to cause Spectre v2 attacks against its first-level guest (L1), by fooling L1 into relaxing its protection mechanisms. The root cause here is a regression where KVM (the host, L) wrongly signals to L1 that certain mitigations (like eIBRS) are active, even though that protection does not actually shield L1 from code running in L2.

In plain language: If you're running virtual machines inside other virtual machines (a setup common in cloud and development environments), code running in the inner VM can trick the outer VM into dropping its guard, and then steal secrets using a speculative execution attack.

What Is the Impact?

A successful attacker who has code execution inside L2 could trick L1 into thinking Spectre v2 mitigations are active and unnecessary, then use speculative attacks to leak kernel memory or other data on the VMM host (L) or in L1 itself. This breaks a key boundary in multi-tenant or nested-VM environments.

How Did It Happen? (The Technical Bit, Simple)

In modern CPUs, speculative execution bugs (like Spectre v2) let attackers see what the CPU is "guessing", and use that leaked info to steal data. To prevent this, guest VMs must use retpolines or IBPB after running untrusted code. But in this bug:

- KVM L tells L1 that it's safe and that "enhanced IBRS" (eIBRS) is present, which should block these attacks.

L1 then thinks it doesn't need to use retpolines or IBPB when it's about to resume from L2.

- But actually, L2 can still execute code that can perform Spectre v2 attacks, because the eIBRS support isn't enough to protect L1 from code in L2.
- The end result: An attacker in L2 can execute indirect branch code that can leak secrets from L1 or the host, using branch target buffer (BTB) poisoning.

Here's a simplified code scenario

// In L2 (attacker controls the code)
void attack_branch_predictor() {
    for (int i = ; i < 100; i++) {
        speculative_access(secret_data_addr);
    }
    // Use Fast VM-Exit to return to L1
}

// In L1 (victim VM)
// L1 assumes eIBRS is on, so it skips expensive mitigations
void handle_vm_exit_from_L2() {
    // No IBPB, no retpoline needed (bad!)
    process_sensitive_data();
}

- CVE-2022-2196 at NVD
- Linux Kernel Security Commit 2e7eab81425a
- Original Patch Discussion
- Spectre V2 Overview (Project Zero)

Attacker gets code execution inside L2 guest (a nested VM, which is a less-trusted user).

2. L2 runs code designed to poison the CPU's branch target buffer (BTB) and leak memory via speculative attacks (Spectre v2).
3. The L2 code triggers a VM-exit to L1 (for example, by executing a special instruction or causing an exception).
4. L1 resumes, assuming eIBRS is active, so L1 skips mitigations like retpoline or IBPB that would normally flush the BTB.
5. The BTB entries set up by L2 are still present, which can steer L1’s indirect branches speculatively to attacker-controlled code paths, leaking data to the attacker.

Visual flow

Attacker (L2) --> Poison BTB & trigger VM-Exit --> L1 resumes trusting eIBRS --> Attacker extracts secrets via Spectre v2

Real-World Example

Suppose the cloud provider allows users to run nested VMs (L1 under L, and then L2 under L1). If user A rents a nested VM (L2), they could potentially craft exploits to read sensitive data from user B's outer VM (L1) or even from parts of the host.

Upgrade your kernel to version 6.2 or later.

- Or, apply commit 2e7eab81425a.
- For cloud/vServer hosts: Disable nested virtualization if not needed, and use strict tenant isolation.

Quick check for eIBRS commit

git log --oneline | grep 2e7eab81425a

Final Words

CVE-2022-2196 is an example of how speculative execution bugs and virtualization complexities can intersect, making it easy for even experienced system admins to overlook dangerous vulnerabilities. Nested virtualization is powerful but risky; always keep your software up to date, especially the Linux kernel and hypervisor components.

Upgrade now. Share this with your team. Don’t let L2 own your cloud!

Exclusive post by Security Analyst | June 2024  
*Please attribute if quoting or referencing. Links last checked on June 10, 2024.*

Timeline

Published on: 01/09/2023 11:15:00 UTC
Last modified on: 01/13/2023 14:12:00 UTC