CVE-2022-49760

5.5 MEDIUM

📋 TL;DR

A Linux kernel vulnerability in the hugetlb_change_protection() function mishandles PTE markers during userfaultfd write-protection operations on huge pages. This can cause kernel memory corruption leading to crashes or potential privilege escalation. Systems using Linux kernels with userfaultfd and huge pages are affected.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: Kernel versions before the fix commits (specific versions vary by distribution; generally kernels before 6.0.12 with backported fixes needed)
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires CONFIG_HUGETLBFS and CONFIG_USERFAULTFD enabled, plus specific operations using userfaultfd write-protection on huge pages. Not all systems use these configurations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴

Worst Case

Kernel panic leading to system crash, or potential privilege escalation if an attacker can manipulate memory corruption to execute arbitrary code in kernel context.

🟠

Likely Case

Kernel crash (VM_BUG_ON) causing system instability and denial of service, particularly when using QEMU/KVM with virtio-mem and userfaultfd for snapshots.

🟢

If Mitigated

No impact if userfaultfd is disabled or huge pages are not used with userfaultfd write-protection operations.

🌐 Internet-Facing: LOW - Requires local access or ability to run code on the system; not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users or processes with appropriate permissions could trigger the bug, potentially causing system instability in virtualized environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires specific conditions: userfaultfd operations on huge pages, and triggering the bug sequence (double protection or unprotection of PTE markers). This is primarily a stability issue rather than an easily weaponized one.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in kernel commits 0e678153f5be7e6c8d28835f5a678618da4b7a9c and 6062c992e912df1eedad52cf64efb3d48e8d35c5

Vendor Advisory: https://git.kernel.org/stable/c/0e678153f5be7e6c8d28835f5a678618da4b7a9c

Restart Required: Yes

Instructions:

1. Update the Linux kernel to a version containing the fixes.
2. Check your distribution's security advisories for patched kernel packages.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable userfaultfd

Prevent use of the userfaultfd system call, which is required to trigger the vulnerability:

sysctl -w vm.unprivileged_userfaultfd=0
echo 0 > /proc/sys/vm/unprivileged_userfaultfd

Disable huge pages

Avoid using huge pages, which are required for the vulnerable code path:

echo never > /sys/kernel/mm/transparent_hugepage/enabled

🧯 If You Can't Patch

  • Restrict userfaultfd usage to privileged users only
  • Avoid using userfaultfd write-protection operations on huge page memory regions

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with 'uname -r', and check whether userfaultfd and huge pages are enabled (for example by reading /proc/sys/vm/unprivileged_userfaultfd).

Check Version:

uname -r

Verify Fix Applied:

Confirm that the running kernel includes the fix commits: 'uname -r' should show the patched version from your distribution.
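The checks in the Temporary Workarounds and How to Verify sections can be scripted. The following shell functions are an added example, not tooling from the advisory or the kernel project: the 6.0.12 threshold is taken from the Versions field above, and the /proc file paths are parameters so the functions can be pointed at saved copies when run offline. Because the vulnerable path is hugetlbfs (CONFIG_HUGETLBFS, per Affected Systems), which the transparent_hugepage sysfs toggle does not govern, the script also reports the hugetlb pool from /proc/meminfo.

```shell
#!/bin/sh
# Added example for CVE-2022-49760 exposure checks (not the advisory's or the
# kernel project's own tooling). Assumptions: the 6.0.12 threshold from the
# advisory's "Versions" field; file paths are parameters so the functions can
# be pointed at saved copies of /proc files when run offline.

# version_ge A B: return 0 if kernel version A >= B, else 1.
# Only the leading numeric part is compared ("6.1.0-rc2-amd64" -> "6.1.0");
# ".0.0" is appended so short versions such as "6.1" still have three fields.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/').0.0
    b=$(printf '%s' "$2" | sed 's/^\([0-9][0-9.]*\).*/\1/').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# uffd_unprivileged_disabled [FILE]: return 0 if the sysctl file reads 0,
# 1 if unprivileged userfaultfd is allowed, 2 if the file is absent.
uffd_unprivileged_disabled() {
    f=${1:-/proc/sys/vm/unprivileged_userfaultfd}
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# hugetlb_pool_present [MEMINFO]: return 0 if HugePages_Total > 0 in a
# /proc/meminfo-style file. The THP sysfs toggle does not cover these pages.
hugetlb_pool_present() {
    f=${1:-/proc/meminfo}
    total=$(awk '/^HugePages_Total:/ { print $2 }' "$f")
    [ "${total:-0}" -gt 0 ]
}

# assess VERSION UFFD_FILE MEMINFO: print one line and return 0 when patched
# or mitigated, 1 when exposed.
assess() {
    ver=$1; uffd_file=$2; meminfo=$3
    if version_ge "$ver" 6.0.12; then
        echo "kernel $ver: at or past 6.0.12 (older distro series need a backported fix; check the advisory)"
        return 0
    fi
    if uffd_unprivileged_disabled "$uffd_file"; then
        echo "kernel $ver: pre-fix series, but unprivileged userfaultfd is disabled"
        return 0
    fi
    if hugetlb_pool_present "$meminfo"; then
        note="hugetlb pool reserved"
    else
        note="no hugetlb pool reserved now, but one can be added at runtime"
    fi
    echo "kernel $ver: EXPOSED: pre-fix series with unprivileged userfaultfd allowed ($note)"
    return 1
}

# Set CVE_CHECK_LIVE=1 to run the assessment against the running system.
if [ "${CVE_CHECK_LIVE:-0}" = "1" ]; then
    assess "$(uname -r)" /proc/sys/vm/unprivileged_userfaultfd /proc/meminfo
fi
```

Two caveats when reading the result. A version number below 6.0.12 on a distribution kernel is only a hint, since distributions backport fixes without changing the upstream version, so the distribution advisory is the authoritative source. The vm.unprivileged_userfaultfd sysctl restricts only unprivileged callers; processes holding CAP_SYS_PTRACE can still use userfaultfd, so it does not cover a privileged QEMU process, and neither of the two workaround commands survives a reboot unless the setting is also placed in /etc/sysctl.d.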

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages with 'VM_BUG_ON_PAGE(compound && !PageHead(page))'
  • Kernel oops in hugetlb_change_protection or related functions

Network Indicators:

  • None - local vulnerability only

SIEM Query:

Search kernel logs for: 'VM_BUG_ON' AND ('hugetlb' OR 'page_remove_rmap')
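The SIEM query above pairs 'VM_BUG_ON' with 'hugetlb' or 'page_remove_rmap', but in a kernel oops those strings land on different lines: the VM_BUG_ON_PAGE condition is printed in the page dump, and the function names appear in the call trace that follows. A single-line grep can therefore miss the event. The scanner below, added here as an example and not part of the advisory, correlates the two within a window of log lines. The log excerpts it ships with are constructed for the example (timestamps, addresses and offsets are made up and 'LINE' is a placeholder); they are not a real capture.

```shell
#!/bin/sh
# Added example: correlate the CVE-2022-49760 crash indicators across log lines
# (not the advisory's own query). Works on dmesg or "journalctl -k" text.

# scan_kernel_log FILE [WINDOW]: a VM_BUG_ON line opens a window of WINDOW
# (default 40) following lines; a frame naming hugetlb* or page_remove_rmap
# inside that window confirms the hit. Prints "<line>: <bug line>" per hit and
# returns 0 if any hit was found, 1 otherwise. FILE may be "-" for stdin.
scan_kernel_log() {
    awk -v window="${2:-40}" '
        /VM_BUG_ON/ { bug_line = NR; bug_text = $0; confirmed = 0; next }
        bug_line && !confirmed && NR - bug_line <= window &&
        /hugetlb|page_remove_rmap/ {
            printf "%d: %s\n", bug_line, bug_text
            confirmed = 1
            hits++
        }
        END { if (hits + 0 > 0) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample matching the advisory's indicators: the VM_BUG_ON_PAGE
# text from the page dump, then page_remove_rmap and hugetlb_change_protection
# in the trace. Offsets and timestamps are invented; LINE is a placeholder.
sample_crash_log() {
    cat <<'EOF'
[ 1234.567890] page:0000000011223344 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e0000
[ 1234.567891] page dumped because: VM_BUG_ON_PAGE(compound && !PageHead(page))
[ 1234.567892] ------------[ cut here ]------------
[ 1234.567893] kernel BUG at mm/rmap.c:LINE!
[ 1234.567894] Call Trace:
[ 1234.567895]  page_remove_rmap+0x2e8/0x2f0
[ 1234.567896]  hugetlb_change_protection+0x4b7/0x650
[ 1234.567897]  mwriteprotect_range+0x1c3/0x210
[ 1234.567898]  userfaultfd_ioctl+0x7f3/0xd40
EOF
}

# Constructed sample of an unrelated VM_BUG_ON: same first keyword, but no
# hugetlb or page_remove_rmap frame, so it must not be reported.
sample_other_bug_log() {
    cat <<'EOF'
[ 2000.000001] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
[ 2000.000002] Call Trace:
[ 2000.000003]  do_anonymous_page+0x1a2/0x3c0
[ 2000.000004]  handle_mm_fault+0x10a/0x2d0
EOF
}

# Set CVE_SCAN_LIVE=1 to scan the running kernel's ring buffer.
if [ "${CVE_SCAN_LIVE:-0}" = "1" ]; then
    dmesg | scan_kernel_log -
fi
```

For journald hosts, `journalctl -k -o short-monotonic | scan_kernel_log -` gives the same result; the window of 40 lines is generous for a single oops, and can be narrowed with the second argument if the log interleaves other subsystems.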
