CVE-2022-21166
First published: Wed May 25 2022(Updated: )
A flaw was found in hw. Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to enable information disclosure via local access.
Credit: secure@intel.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.76.1.rt56.1220.el7 | 0:3.10.0-1160.76.1.rt56.1220.el7 |
| redhat/kernel | <0:3.10.0-1160.76.1.el7 | 0:3.10.0-1160.76.1.el7 |
| redhat/kernel-rt | <0:4.18.0-372.26.1.rt7.183.el8_6 | 0:4.18.0-372.26.1.rt7.183.el8_6 |
| redhat/kernel | <0:4.18.0-372.26.1.el8_6 | 0:4.18.0-372.26.1.el8_6 |
| redhat/kernel | <0:4.18.0-147.76.1.el8_1 | 0:4.18.0-147.76.1.el8_1 |
| redhat/kernel | <0:4.18.0-193.93.1.el8_2 | 0:4.18.0-193.93.1.el8_2 |
| redhat/kernel-rt | <0:4.18.0-193.93.1.rt13.143.el8_2 | 0:4.18.0-193.93.1.rt13.143.el8_2 |
| redhat/kernel-rt | <0:4.18.0-305.65.1.rt7.137.el8_4 | 0:4.18.0-305.65.1.rt7.137.el8_4 |
| redhat/kernel | <0:4.18.0-305.65.1.el8_4 | 0:4.18.0-305.65.1.el8_4 |
| redhat/kernel | <0:5.14.0-162.6.1.el9_1 | 0:5.14.0-162.6.1.el9_1 |
| redhat/kernel-rt | <0:5.14.0-162.6.1.rt21.168.el9_1 | 0:5.14.0-162.6.1.rt21.168.el9_1 |
| redhat/kernel | <0:5.14.0-70.36.1.el9_0 | 0:5.14.0-70.36.1.el9_0 |
| redhat/kernel-rt | <0:5.14.0-70.36.1.rt21.108.el9_0 | 0:5.14.0-70.36.1.rt21.108.el9_0 |
| debian/intel-microcode | 3.20240813.1~deb11u1 3.20241112.1~deb11u1 3.20241112.1~deb12u1 3.20231114.1~deb12u1 3.20241112.1 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.119-1 6.12.10-1 6.12.11-1 | |
| debian/xen | 4.14.6-1 4.14.5+94-ge49571868d-1 4.17.3+10-g091466ba55-1~deb12u1 4.17.5+23-ga4e5191dc0-1 4.19.1-1 | |
| Xen xen-unstable | ||
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Intel sgx dcap linux | <1.14.100.3 | |
| Intel sgx dcap windows | <1.14.100.3 | |
| Intel sgx psw windows | <2.16.100.3 | |
| Intel sgx psw linux | <2.17.100.3 | |
| Intel sgx sdk windows | <2.16.100.3 | |
| Intel sgx sdk linux | <2.17.100.3 | |
| VMware ESXi | =7.0 | |
| VMware ESXi | =7.0-beta | |
| VMware ESXi | =7.0-update_1 | |
| VMware ESXi | =7.0-update_1a | |
| VMware ESXi | =7.0-update_1b | |
| VMware ESXi | =7.0-update_1c | |
| VMware ESXi | =7.0-update_1d | |
| VMware ESXi | =7.0-update_2 | |
| VMware ESXi | =7.0-update_2a | |
| VMware ESXi | =7.0-update_2c | |
| VMware ESXi | =7.0-update_2d | |
| VMware ESXi | =7.0-update_3c | |
| VMware ESXi | =7.0-update_3d | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| Debian GNU/Linux | =11.0 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation baser or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-21166 https://nvd.nist.gov/vuln/detail/CVE-2022-21166 https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2090241
- https://access.redhat.com/errata/RHSA-2022:5939
- https://access.redhat.com/errata/RHSA-2022:5937
- https://access.redhat.com/errata/RHSA-2022:6437
- https://access.redhat.com/errata/RHSA-2022:6460
- https://access.redhat.com/errata/RHSA-2022:6872
- https://access.redhat.com/errata/RHSA-2022:7279
- https://access.redhat.com/errata/RHSA-2022:7280
- https://access.redhat.com/errata/RHSA-2022:6991
- https://access.redhat.com/errata/RHSA-2022:6983
- https://access.redhat.com/errata/RHSA-2022:8267
- https://access.redhat.com/errata/RHSA-2022:7933
- https://access.redhat.com/errata/RHSA-2022:8973
- https://access.redhat.com/errata/RHSA-2022:8974
- https://access.redhat.com/security/cve/cve-2022-21166
- http://www.openwall.com/lists/oss-security/2022/06/16/1
- https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FHTEW3RXU2GW6S3RCPQG4VNCZGI3TOSV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MCVOMHBQRH4KP7IN6U24CW7F2D2L5KBS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4P2KJYL74KGLHE4JZETVW7PZH6ZIABA/
- https://security.gentoo.org/glsa/202208-23
- https://security.netapp.com/advisory/ntap-20220624-0008/
- https://www.debian.org/security/2022/dsa-5173
- https://www.debian.org/security/2022/dsa-5178
- https://www.debian.org/security/2022/dsa-5184
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
- https://launchpad.net/bugs/cve/CVE-2022-21166
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FHTEW3RXU2GW6S3RCPQG4VNCZGI3TOSV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4P2KJYL74KGLHE4JZETVW7PZH6ZIABA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MCVOMHBQRH4KP7IN6U24CW7F2D2L5KBS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RKRXZ4LHGCGMOG24ZCEJNY6R2BTS4S2Q/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
- https://nvd.nist.gov/vuln/detail/CVE-2022-21166
- https://security-tracker.debian.org/tracker/CVE-2022-21166
- https://ubuntu.com/security/CVE-2022-21166
- https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#DRPW
- https://git.kernel.org/linus/4419470191386456e0b8ed4eb06a70b0021798a6
- https://xenbits.xen.org/xsa/advisory-404.html
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-21166?
CVE-2022-21166 is considered a medium severity vulnerability due to potential information disclosure risks.
How do I fix CVE-2022-21166?
To fix CVE-2022-21166, ensure that you update to the latest kernel versions provided by Red Hat as specified in the advisory.
Who is affected by CVE-2022-21166?
CVE-2022-21166 affects certain Intel processors and may impact systems running specific versions of the Red Hat kernel.
What potential impact does CVE-2022-21166 have?
CVE-2022-21166 can potentially allow an authenticated user to gain access to sensitive information due to incomplete cleanup processes.
Is CVE-2022-21166 exploitable remotely?
CVE-2022-21166 is not remotely exploitable as it requires local authenticated access to the affected systems.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-21166
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/trending
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/description
- agent/source
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/xen
- canonical/xen xen-unstable
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/intel
- canonical/intel sgx dcap linux
- canonical/intel sgx dcap windows
- canonical/intel sgx psw windows
- canonical/intel sgx psw linux
- canonical/intel sgx sdk windows
- canonical/intel sgx sdk linux
- vendor/vmware
- canonical/vmware esxi
- version/vmware esxi/7.0
- version/vmware esxi/7.0-beta
- version/vmware esxi/7.0-update_1
- version/vmware esxi/7.0-update_1a
- version/vmware esxi/7.0-update_1b
- version/vmware esxi/7.0-update_1c
- version/vmware esxi/7.0-update_1d
- version/vmware esxi/7.0-update_2
- version/vmware esxi/7.0-update_2a
- version/vmware esxi/7.0-update_2c
- version/vmware esxi/7.0-update_2d
- version/vmware esxi/7.0-update_3c
- version/vmware esxi/7.0-update_3d
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- version/debian gnu/linux/11.0