CVE-2022-50720 (GCVE-0-2022-50720)
Vulnerability from cvelistv5
Published
2025-12-24 12:22
Modified
2025-12-24 12:22
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/apic: Don't disable x2APIC if locked The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. The MMIO/xAPIC interface has some problems, most notably the APIC LEAK [1]. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave. Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode a GP fault will occur. Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC. On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If legacy APIC is required, then it SGX and TDX need to be disabled in the BIOS. [1]: https://aepicleak.com/aepicleak.pdf
References
Impacted products
Vendor Product Version
Linux Linux Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/admin-guide/kernel-parameters.txt",
            "arch/x86/Kconfig",
            "arch/x86/include/asm/cpu.h",
            "arch/x86/include/asm/msr-index.h",
            "arch/x86/kernel/apic/apic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "05785ba834f23272f9d23427ae4a80ac505a5296",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd1241e00addbf0b95f6cd6ce32152692820657e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b8d1d163604bd1e600b062fb00de5dc42baa355f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/admin-guide/kernel-parameters.txt",
            "arch/x86/Kconfig",
            "arch/x86/include/asm/cpu.h",
            "arch/x86/include/asm/msr-index.h",
            "arch/x86/kernel/apic/apic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Don\u0027t disable x2APIC if locked\n\nThe APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC\n(or x2APIC).  X2APIC mode is mostly compatible with legacy APIC, but\nit disables the memory-mapped APIC interface in favor of one that uses\nMSRs.  The APIC mode is controlled by the EXT bit in the APIC MSR.\n\nThe MMIO/xAPIC interface has some problems, most notably the APIC LEAK\n[1].  This bug allows an attacker to use the APIC MMIO interface to\nextract data from the SGX enclave.\n\nIntroduce support for a new feature that will allow the BIOS to lock\nthe APIC in x2APIC mode.  If the APIC is locked in x2APIC mode and the\nkernel tries to disable the APIC or revert to legacy APIC mode a GP\nfault will occur.\n\nIntroduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle\nthe new locked mode when the LEGACY_XAPIC_DISABLED bit is set by\npreventing the kernel from trying to disable the x2APIC.\n\nOn platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are\nenabled the LEGACY_XAPIC_DISABLED will be set by the BIOS.  If\nlegacy APIC is required, then it SGX and TDX need to be disabled in the\nBIOS.\n\n[1]: https://aepicleak.com/aepicleak.pdf"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:43.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f"
        }
      ],
      "title": "x86/apic: Don\u0027t disable x2APIC if locked",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50720",
    "datePublished": "2025-12-24T12:22:43.396Z",
    "dateReserved": "2025-12-24T12:20:40.329Z",
    "dateUpdated": "2025-12-24T12:22:43.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50720\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:15:58.667\",\"lastModified\":\"2025-12-24T13:15:58.667\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/apic: Don\u0027t disable x2APIC if locked\\n\\nThe APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC\\n(or x2APIC).  X2APIC mode is mostly compatible with legacy APIC, but\\nit disables the memory-mapped APIC interface in favor of one that uses\\nMSRs.  The APIC mode is controlled by the EXT bit in the APIC MSR.\\n\\nThe MMIO/xAPIC interface has some problems, most notably the APIC LEAK\\n[1].  This bug allows an attacker to use the APIC MMIO interface to\\nextract data from the SGX enclave.\\n\\nIntroduce support for a new feature that will allow the BIOS to lock\\nthe APIC in x2APIC mode.  If the APIC is locked in x2APIC mode and the\\nkernel tries to disable the APIC or revert to legacy APIC mode a GP\\nfault will occur.\\n\\nIntroduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle\\nthe new locked mode when the LEGACY_XAPIC_DISABLED bit is set by\\npreventing the kernel from trying to disable the x2APIC.\\n\\nOn platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are\\nenabled the LEGACY_XAPIC_DISABLED will be set by the BIOS.  If\\nlegacy APIC is required, then it SGX and TDX need to be disabled in the\\nBIOS.\\n\\n[1]: https://aepicleak.com/aepicleak.pdf\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.