CVE-2022-48991

EPSS 0.05%
Published 21.10.2024 20:15:11
Last modified 07.11.2024 19:36:33
Source 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Open
Login

In the Linux kernel, the following vulnerability has been resolved:

mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths

Any codepath that zaps page table entries must invoke MMU notifiers to
ensure that secondary MMUs (like KVM) don't keep accessing pages which
aren't mapped anymore.  Secondary MMUs don't hold their own references to
pages that are mirrored over, so failing to notify them can lead to page
use-after-free.

I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
the security impact of this only came in commit 27e1f8273113 ("khugepaged:
enable collapse pmd for pte-mapped THP"), which actually omitted flushes
for the removal of present PTEs, not just for the removal of empty page
tables.

Affected products Warnungen 0 Metrics 2 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.8 < 4.9.337

Linux ≫ Linux Kernel Version >= 4.10 < 4.14.303

Linux ≫ Linux Kernel Version >= 4.15 < 4.19.270

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.227

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.159

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.83

Linux ≫ Linux Kernel Version >= 5.16 < 6.0.13

Linux ≫ Linux Kernel Version6.1 Updaterc1

Linux ≫ Linux Kernel Version6.1 Updaterc2

Linux ≫ Linux Kernel Version6.1 Updaterc3

Linux ≫ Linux Kernel Version6.1 Updaterc4

Linux ≫ Linux Kernel Version6.1 Updaterc5

Linux ≫ Linux Kernel Version6.1 Updaterc6

Linux ≫ Linux Kernel Version6.1 Updaterc7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.152

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/1a3f8c6cd29d9078cc81b29d39d0e9ae1d6a03c3

Patch

https://git.kernel.org/stable/c/275c626c131cfe141beeb6c575e31fa53d32da19

Patch

https://git.kernel.org/stable/c/5450535901d89a5dcca5fbbc59a24fe89caeb465

Patch

https://git.kernel.org/stable/c/5ffc2a75534d9d74d49760f983f8eb675fa63d69

Patch

https://git.kernel.org/stable/c/7f445ca2e0e59c7971d0b7b853465e50844ab596

Patch

https://git.kernel.org/stable/c/c23105673228c349739e958fa33955ed8faddcaf

Patch