VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50707

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()

'vc_ctrl_req' is alloced in virtio_crypto_alg_skcipher_close_session(), and should be freed in the invalid ctrl_status->status error handling case. Otherwise there is a memory leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Linux kernel's virtio-crypto driver leaks memory when an error path in virtio_crypto_alg_skcipher_close_session() returns without freeing the 'vc_ctrl_req' allocation.

Root Cause

The vulnerability is a memory leak in the Linux kernel's virtio-crypto driver. Specifically, in the function virtio_crypto_alg_skcipher_close_session(), a control request structure (vc_ctrl_req) is allocated using kmalloc (or similar) for the purpose of sending a control message to the virtio device to close a session. However, in the error handling branch that checks the ctrl_status->status field, the allocated vc_ctrl_req is not freed before returning from the function. This oversight means that whenever the device returns an invalid status in this code path, the memory for vc_ctrl_req is leaked [1].

Attack Surface and Exploitation

To trigger this bug, an attacker must have the ability to interact with the virtio-crypto device from within a guest VM that uses virtio-crypto acceleration. The vulnerability is reachable when the guest kernel closes a symmetric cipher (skcipher) session and the device (or backend) responds with an unexpected status. No special privileges beyond the ability to use virtio-crypto are required; it can be triggered by normal cryptographic operations followed by session teardown. The attacker does not need local root access if they can already control the guest's cryptographic workloads [1].

Impact

The memory leak gradually depletes kernel memory, leading to system instability, resource exhaustion, and potential denial of service on the affected guest system. Over time, repeated exploitation can exhaust the memory pool, causing the kernel to fail allocations for other processes or even crash. The impact is limited to the guest where the driver is running; the host is not directly affected [1].

Mitigation

The fix for this issue was committed to the Linux kernel stable tree. Commit b1d65f717cd6 adds the missing kfree(vc_ctrl_req) call in the error path. Users should update their kernel to a version containing this commit (e.g., Linux 6.2-rc1 and later stable releases). No workaround other than applying the patch is known [1].
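The leak described under Root Cause and the fix described above, reduced to a user-space C model (an added example, not the kernel driver's code or the upstream patch). The fixed-size pool, `close_session_leaky`, `close_session_fixed` and the status constants are constructed stand-ins; the pool makes the exhaustion described under Impact observable.

```c
#include <errno.h>
#include <stddef.h>
/* Constructed model: a fixed pool stands in for kernel memory; all names are hypothetical. */
#define POOL_SLOTS 4
enum { STATUS_OK = 0, STATUS_ERR = 1 };
struct ctrl_req { int in_use; unsigned int status; };
static struct ctrl_req pool[POOL_SLOTS];

static struct ctrl_req *req_alloc(void)
{
    for (size_t i = 0; i < POOL_SLOTS; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                      /* pool exhausted */
}
static void req_free(struct ctrl_req *r) { r->in_use = 0; }

/* Number of requests allocated and never released. */
int outstanding_requests(void)
{
    int n = 0;
    for (size_t i = 0; i < POOL_SLOTS; i++)
        n += pool[i].in_use;
    return n;
}

/* Leaky shape: the bad-status branch returns without releasing req. */
int close_session_leaky(unsigned int device_status)
{
    struct ctrl_req *req = req_alloc();
    if (!req)
        return -ENOMEM;
    req->status = device_status;      /* models the device's reply */
    if (req->status != STATUS_OK)
        return -EINVAL;               /* req stays allocated */
    req_free(req);
    return 0;
}

/* Fixed shape: the error branch only records the code; req is always freed. */
int close_session_fixed(unsigned int device_status)
{
    int err = 0;
    struct ctrl_req *req = req_alloc();
    if (!req)
        return -ENOMEM;
    req->status = device_status;
    if (req->status != STATUS_OK)
        err = -EINVAL;
    req_free(req);
    return err;
}
```

After `POOL_SLOTS` bad-status closes through the leaky variant, even a well-behaved close fails with `-ENOMEM`, while the fixed variant leaves `outstanding_requests()` at zero on both paths.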

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
