CVE-2022-50517

MEDIUM
2025-10-07 416baaa9-dc9f-4396-8d5f-8c081fb06d67
5.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Oct 07, 2025 - 16:15 nvd
MEDIUM 5.5

Tags

Linux Denial Of Service Memory Corruption Use After Free Linux Kernel Redhat Suse

Description

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: do not clobber swp_entry_t during THP split The following has been observed when running stressng mmap since commit b653db77350c ("mm: Clear page->private when splitting or migrating a page") watchdog: BUG: soft lockup - CPU#75 stuck for 26s! [stress-ng:9546] CPU: 75 PID: 9546 Comm: stress-ng Tainted: G E 6.0.0-revert-b653db77-fix+ #29 0357d79b60fb09775f678e4f3f64ef0579ad1374 Hardware name: SGI.COM C2112-4GP3/X10DRT-P-Series, BIOS 2.0a 05/09/2016 RIP: 0010:xas_descend+0x28/0x80 Code: cc cc 0f b6 0e 48 8b 57 08 48 d3 ea 83 e2 3f 89 d0 48 83 c0 04 48 8b 44 c6 08 48 89 77 18 48 89 c1 83 e1 03 48 83 f9 02 75 08 <48> 3d fd 00 00 00 76 08 88 57 12 c3 cc cc cc cc 48 c1 e8 02 89 c2 RSP: 0018:ffffbbf02a2236a8 EFLAGS: 00000246 RAX: ffff9cab7d6a0002 RBX: ffffe04b0af88040 RCX: 0000000000000002 RDX: 0000000000000030 RSI: ffff9cab60509b60 RDI: ffffbbf02a2236c0 RBP: 0000000000000000 R08: ffff9cab60509b60 R09: ffffbbf02a2236c0 R10: 0000000000000001 R11: ffffbbf02a223698 R12: 0000000000000000 R13: ffff9cab4e28da80 R14: 0000000000039c01 R15: ffff9cab4e28da88 FS: 00007fab89b85e40(0000) GS:ffff9cea3fcc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fab84e00000 CR3: 00000040b73a4003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> xas_load+0x3a/0x50 __filemap_get_folio+0x80/0x370 ? put_swap_page+0x163/0x360 pagecache_get_page+0x13/0x90 __try_to_reclaim_swap+0x50/0x190 scan_swap_map_slots+0x31e/0x670 get_swap_pages+0x226/0x3c0 folio_alloc_swap+0x1cc/0x240 add_to_swap+0x14/0x70 shrink_page_list+0x968/0xbc0 reclaim_page_list+0x70/0xf0 reclaim_pages+0xdd/0x120 madvise_cold_or_pageout_pte_range+0x814/0xf30 walk_pgd_range+0x637/0xa30 __walk_page_range+0x142/0x170 walk_page_range+0x146/0x170 madvise_pageout+0xb7/0x280 ? asm_common_interrupt+0x22/0x40 madvise_vma_behavior+0x3b7/0xac0 ? find_vma+0x4a/0x70 ? find_vma+0x64/0x70 ? madvise_vma_anon_name+0x40/0x40 madvise_walk_vmas+0xa6/0x130 do_madvise+0x2f4/0x360 __x64_sys_madvise+0x26/0x30 do_syscall_64+0x5b/0x80 ? do_syscall_64+0x67/0x80 ? syscall_exit_to_user_mode+0x17/0x40 ? do_syscall_64+0x67/0x80 ? syscall_exit_to_user_mode+0x17/0x40 ? do_syscall_64+0x67/0x80 ? do_syscall_64+0x67/0x80 ? common_interrupt+0x8b/0xa0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The problem can be reproduced with the mmtests config config-workload-stressng-mmap. It does not always happen and when it triggers is variable but it has happened on multiple machines. The intent of commit b653db77350c patch was to avoid the case where PG_private is clear but folio->private is not-NULL. However, THP tail pages uses page->private for "swp_entry_t if folio_test_swapcache()" as stated in the documentation for struct folio. This patch only clobbers page->private for tail pages if the head page was not in swapcache and warns once if page->private had an unexpected value.

Analysis

A memory corruption vulnerability in the Linux kernel's huge page (THP) split handling causes a soft lockup and denial of service when page->private is incorrectly clobbered during transparent huge page operations. The vulnerability affects Linux kernel versions 5.19 through 6.1-rc1, and while it requires local privilege access to trigger via madvise syscalls, it can reliably cause system hangs under stress conditions such as memory pressure or aggressive swapping scenarios. The EPSS score of 0.02% and lack of widespread active exploitation indicate low real-world risk, though the availability of patches makes remediation straightforward.

Technical Context

The vulnerability stems from commit b653db77350c which attempted to clear PG_private flags during page splitting operations to prevent inconsistent state where PG_private was unset but folio->private remained non-NULL. However, transparent huge pages (THP) legitimately use page->private on tail pages to store swap entry information (swp_entry_t) when pages are in swap cache, as documented in the Linux kernel's struct folio specification. When the patched code unconditionally clobbered page->private during THP splitting without checking if the head page was in swapcache, it corrupted the swap entry data structure, causing subsequent xarray operations in __filemap_get_folio to encounter invalid pointers and enter infinite loops during swap map scanning. The root cause is a missing conditional check for swapcache status before clearing private data on tail pages. Affected products per CPE include Linux kernel versions 5.19 (all RC versions and stable), and 6.1-rc1, with the generic wildcard CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* indicating any kernel with the vulnerable code path.

Affected Products

The Linux kernel is the affected product across multiple versions. Specifically, Linux kernel 5.19 in all release candidate versions (RC4 through RC8) and stable releases are vulnerable, as well as Linux kernel 6.1-rc1. The vulnerability affects any kernel build incorporating commit b653db77350c without the subsequent fix commit 71e2d666ef85d51834d658830f823560c402b8b6 or 8cace0eeb03d6043827faa6cf6c9067a9f05cd9f. The generic CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* indicates broad kernel versions are theoretically affected, though practically only kernels between version 5.19 and early 6.1 are impacted. Vendor patches are available from kernel.org stable branches.

Remediation

Update the Linux kernel to a patched version containing commit 71e2d666ef85d51834d658830f823560c402b8b6 or 8cace0eeb03d6043827faa6cf6c9067a9f05cd9f from the stable kernel trees. For systems running 5.19.x kernels, upgrade to 5.19.11 or later; for systems running 6.0.x or early 6.1 kernels, upgrade to the next stable release containing the fix. Until patching is completed, users can reduce exposure by limiting non-essential memory pressure operations and avoiding stress-ng or similar memory manipulation tools in production environments. System administrators should prioritize patching systems experiencing frequent memory pressure or swap activity, as these conditions make the vulnerability more likely to trigger. Monitor kernel logs for soft lockup messages involving xas_descend or xas_load functions as an early warning sign.

Priority Score

28
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0

Vendor Status

Share

CVE-2022-50517 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy