CVE-2022-48797: Vulnerability in Linux (Linux kernel)
In the Linux kernel, the following vulnerability has been resolved:

mm: don't try to NUMA-migrate COW pages that have other uses

Oded Gabbay reports that enabling NUMA balancing causes corruption with his Gaudi accelerator test load:

"All the details are in the bug, but the bottom line is that somehow, this patch causes corruption when the numa balancing feature is enabled AND we don't use process affinity AND we use GUP to pin pages so our accelerator can DMA to/from system memory. Either disabling numa balancing, using process affinity to bind to specific numa-node or reverting this patch causes the bug to disappear"

and Oded bisected the issue to commit 09854ba94c6a ("mm: do_wp_page() simplification").

Now, the NUMA balancing shouldn't actually be changing the writability of a page, and as such shouldn't matter for COW. But it appears it does. Suspicious.

However, regardless of that, the condition for enabling NUMA faults in change_pte_range() is nonsensical. It uses "page_mapcount(page)" to decide if a COW page should be NUMA-protected or not, and that makes absolutely no sense. The number of mappings a page has is irrelevant: not only does GUP get a reference to a page as in Oded's case, but the other mappings might be paged out and the only reference to them would be in the page count.

Since we should never try to NUMA-balance a page that we can't move anyway due to other references, just fix the code to use 'page_count()'. Oded confirms that that fixes his issue.

Now, this does imply that something in NUMA balancing ends up changing page protections (other than the obvious one of making the page inaccessible to get the NUMA faulting information). Otherwise the COW simplification wouldn't matter - since doing the GUP on the page would make sure it's writable.

The cause of that permission change would be good to figure out too, since it clearly results in spurious COW events - but fixing the nonsensical test that just happened to work before is obviously the CorrectThing(tm) to do regardless.
AI Analysis
Technical Summary
CVE-2022-48797 is a memory-management bug in the Linux kernel at the intersection of NUMA (Non-Uniform Memory Access) balancing and copy-on-write (COW) pages. In change_pte_range(), the test that decides whether a COW page may be NUMA-protected (made inaccessible so that the next access raises a NUMA fault and the page can be considered for migration) used page_mapcount(). The mapping count only says how many page-table entries map the page; it says nothing about other references to it, such as a get_user_pages (GUP) pin taken so that an accelerator like Gaudi can DMA to and from the page, or a reference held on behalf of a sibling mapping whose PTE has been paged out. The corruption was reported by Oded Gabbay and bisected to commit 09854ba94c6a ("mm: do_wp_page() simplification"); it appears when NUMA balancing is enabled, the workload is not bound to a NUMA node with process affinity, and pages are pinned with GUP for DMA. In that situation the kernel tries to NUMA-balance COW pages that have other users, which it must never do because such pages cannot be migrated anyway. The fix changes the test to page_count(), so a page with any reference beyond its own mapping is left alone. The commit message leaves one question open: NUMA balancing evidently changes page protections in a way that produces spurious COW events, otherwise the GUP reference would already guarantee a writable page; the patch corrects the flawed test regardless. The vulnerability affects kernels containing the bisected commit and matters on systems with NUMA balancing enabled that pin pages for DMA. No exploitation in the wild is reported as of now.
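The following userspace model is an added illustration, not kernel code from the patch or the page: it compares the pre-fix page_mapcount() test with the page_count() test the fix installs over constructed page scenarios (the struct page_model fields and all counter values are assumptions chosen to mirror the cases named in the commit message).

```c
/* Added userspace model of the NUMA-protection test in change_pte_range();
 * not kernel code. Only the two counters the bug hinges on are modelled,
 * and every scenario below is constructed to match the commit message. */
#include <stdbool.h>
#include <stdio.h>

struct page_model {
    const char *name;
    int mapcount;  /* PTEs mapping the page: what page_mapcount() reports */
    int refcount;  /* all references, incl. GUP pins: what page_count() reports */
};
/* Pre-fix test: NUMA-protect the page unless it is mapped more than once. */
static bool numa_protect_old(const struct page_model *p)
{
    return p->mapcount == 1;
}

/* Fixed test: protect only when nobody else holds a reference, since a
 * page with other users cannot be migrated and must be left alone. */
static bool numa_protect_new(const struct page_model *p)
{
    return p->refcount == 1;
}

/* Count pages the old test would protect although they have other uses;
 * each is a candidate for the corruption Oded Gabbay reported. */
static int count_wrongly_protected(const struct page_model *pages, int n)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (numa_protect_old(&pages[i]) && !numa_protect_new(&pages[i]))
            bad++;
    return bad;
}
/* Constructed scenarios, not measurements from a real kernel. */
static const struct page_model scenarios[] = {
    { "private page, single mapping, no pins",             1, 1 },
    { "page GUP-pinned for accelerator DMA (Oded's case)", 1, 2 },
    { "COW page whose sibling mapping was paged out",      1, 2 },
    { "COW page still mapped by parent and child",         2, 2 },
};
int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("%-52s old=%d new=%d\n", scenarios[i].name,
               numa_protect_old(&scenarios[i]), numa_protect_new(&scenarios[i]));
    printf("wrongly protected by old test: %d\n", count_wrongly_protected(scenarios, 4));
    return 0;
}
```

The two middle scenarios are exactly the ones the commit message calls out: a single mapping but a second reference, which the old test waves through and the fixed test rejects.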
Potential Impact
For European organizations, this vulnerability poses a risk primarily to servers and systems running Linux kernels with the affected commit and having NUMA balancing enabled. The impact is particularly significant for environments using hardware accelerators or devices that perform DMA operations requiring pinned memory pages, such as AI accelerators, network cards, or storage controllers. Memory corruption caused by improper NUMA page migration can lead to data integrity issues, application crashes, system instability, or kernel panics, potentially disrupting critical services. In high-availability or data-sensitive sectors like finance, healthcare, and telecommunications, such instability can result in operational downtime and data loss. Moreover, since the issue relates to kernel memory management, it could be exploited indirectly by attackers who gain local access to trigger conditions that cause corruption, although no direct exploit is known. European organizations relying on NUMA-enabled Linux systems with complex workloads should be aware of this risk, especially those deploying advanced hardware accelerators or running containerized or virtualized environments where process affinity is not strictly enforced.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Apply the official Linux kernel patch that corrects the condition from page_mapcount() to page_count() in change_pte_range() as soon as it becomes available in their distribution's kernel updates.
2) Temporarily disable NUMA balancing if patching is not immediately feasible, especially on systems using hardware accelerators or pinned pages for DMA, to avoid triggering the corruption.
3) Enforce process affinity bindings to specific NUMA nodes for workloads involving pinned pages, which has been shown to prevent the issue.
4) Audit and monitor systems for unusual kernel errors, memory corruption symptoms, or crashes related to NUMA balancing and pinned memory usage.
5) Coordinate with hardware vendors to understand if their drivers or accelerators might be affected and require firmware or driver updates.
6) In virtualized environments, consider NUMA topology awareness and affinity settings to reduce exposure.
These steps go beyond generic advice by focusing on the specific interaction between NUMA balancing, pinned pages, and process affinity that triggers the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-16T11:38:08.895Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982ec4522896dcbe61d8
Added to database: 5/21/2025, 9:09:02 AM
Last enriched: 6/30/2025, 9:41:10 PM
Last updated: 7/29/2025, 3:13:05 AM