github - ghsa-pc73-7j79-5x2x

GHSA-PC73-7J79-5X2X

Vulnerability from github – Published: 2025-12-24 15:30 – Updated: 2025-12-24 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

x86/apic: Don't disable x2APIC if locked

The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR.

The MMIO/xAPIC interface has some problems, most notably the APIC LEAK 1. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave.

Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode a GP fault will occur.

Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC.

On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If legacy APIC is required, then it SGX and TDX need to be disabled in the BIOS.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-50720"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-24T13:15:58Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Don\u0027t disable x2APIC if locked\n\nThe APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC\n(or x2APIC).  X2APIC mode is mostly compatible with legacy APIC, but\nit disables the memory-mapped APIC interface in favor of one that uses\nMSRs.  The APIC mode is controlled by the EXT bit in the APIC MSR.\n\nThe MMIO/xAPIC interface has some problems, most notably the APIC LEAK\n[1].  This bug allows an attacker to use the APIC MMIO interface to\nextract data from the SGX enclave.\n\nIntroduce support for a new feature that will allow the BIOS to lock\nthe APIC in x2APIC mode.  If the APIC is locked in x2APIC mode and the\nkernel tries to disable the APIC or revert to legacy APIC mode a GP\nfault will occur.\n\nIntroduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle\nthe new locked mode when the LEGACY_XAPIC_DISABLED bit is set by\npreventing the kernel from trying to disable the x2APIC.\n\nOn platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are\nenabled the LEGACY_XAPIC_DISABLED will be set by the BIOS.  If\nlegacy APIC is required, then it SGX and TDX need to be disabled in the\nBIOS.\n\n[1]: https://aepicleak.com/aepicleak.pdf",
  "id": "GHSA-pc73-7j79-5x2x",
  "modified": "2025-12-24T15:30:32Z",
  "published": "2025-12-24T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50720"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-50720 (GCVE-0-2022-50720)

Vulnerability from cvelistv5 – Published: 2025-12-24 12:22 – Updated: 2025-12-24 12:22

Title

x86/apic: Don't disable x2APIC if locked

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/apic: Don't disable x2APIC if locked The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC (or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but it disables the memory-mapped APIC interface in favor of one that uses MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. The MMIO/xAPIC interface has some problems, most notably the APIC LEAK [1]. This bug allows an attacker to use the APIC MMIO interface to extract data from the SGX enclave. Introduce support for a new feature that will allow the BIOS to lock the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the kernel tries to disable the APIC or revert to legacy APIC mode a GP fault will occur. Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by preventing the kernel from trying to disable the x2APIC. On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If legacy APIC is required, then it SGX and TDX need to be disabled in the BIOS. [1]: https://aepicleak.com/aepicleak.pdf

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/05785ba834f23272f…
	https://git.kernel.org/stable/c/dd1241e00addbf0b9…
	https://git.kernel.org/stable/c/b8d1d163604bd1e60…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 05785ba834f23272f9d23427ae4a80ac505a5296 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < dd1241e00addbf0b95f6cd6ce32152692820657e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b8d1d163604bd1e600b062fb00de5dc42baa355f (git)

Linux

Unaffected: 5.19.17 , ≤ 5.19.* (semver)
Unaffected: 6.0.3 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "Documentation/admin-guide/kernel-parameters.txt",
            "arch/x86/Kconfig",
            "arch/x86/include/asm/cpu.h",
            "arch/x86/include/asm/msr-index.h",
            "arch/x86/kernel/apic/apic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "05785ba834f23272f9d23427ae4a80ac505a5296",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "dd1241e00addbf0b95f6cd6ce32152692820657e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b8d1d163604bd1e600b062fb00de5dc42baa355f",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "Documentation/admin-guide/kernel-parameters.txt",
            "arch/x86/Kconfig",
            "arch/x86/include/asm/cpu.h",
            "arch/x86/include/asm/msr-index.h",
            "arch/x86/kernel/apic/apic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/apic: Don\u0027t disable x2APIC if locked\n\nThe APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC\n(or x2APIC).  X2APIC mode is mostly compatible with legacy APIC, but\nit disables the memory-mapped APIC interface in favor of one that uses\nMSRs.  The APIC mode is controlled by the EXT bit in the APIC MSR.\n\nThe MMIO/xAPIC interface has some problems, most notably the APIC LEAK\n[1].  This bug allows an attacker to use the APIC MMIO interface to\nextract data from the SGX enclave.\n\nIntroduce support for a new feature that will allow the BIOS to lock\nthe APIC in x2APIC mode.  If the APIC is locked in x2APIC mode and the\nkernel tries to disable the APIC or revert to legacy APIC mode a GP\nfault will occur.\n\nIntroduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle\nthe new locked mode when the LEGACY_XAPIC_DISABLED bit is set by\npreventing the kernel from trying to disable the x2APIC.\n\nOn platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are\nenabled the LEGACY_XAPIC_DISABLED will be set by the BIOS.  If\nlegacy APIC is required, then it SGX and TDX need to be disabled in the\nBIOS.\n\n[1]: https://aepicleak.com/aepicleak.pdf"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T12:22:43.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/05785ba834f23272f9d23427ae4a80ac505a5296"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd1241e00addbf0b95f6cd6ce32152692820657e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8d1d163604bd1e600b062fb00de5dc42baa355f"
        }
      ],
      "title": "x86/apic: Don\u0027t disable x2APIC if locked",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50720",
    "datePublished": "2025-12-24T12:22:43.396Z",
    "dateReserved": "2025-12-24T12:20:40.329Z",
    "dateUpdated": "2025-12-24T12:22:43.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-PC73-7J79-5X2X

CVE-2022-50720 (GCVE-0-2022-50720)

Tags

Sightings

Nomenclature